Re: httpd and letsencrypt

2016-11-17 Thread Greg Stein
Anything new on this?

On Sep 15, 2016 00:35, "Dale Ghent"  wrote:

>
> Apologies for necro’ing this thread, I’m just catching up.
>
> As a maintainer/user of a lesser-known open source OS (OmniOS, based on
> illumos, which is the carry-on of what you all might remember as
> OpenSolaris after Oracle killed it) I’ve had my own issues around
> attempting to select a suitable letsencrypt client that works on OmniOS and
> maintaining it. I’ve got one working (getssl) and it’s basically a giant
> shell script with modifications to work in our native userland.
>
> The plain matter for people like myself is that most letsencrypt clients
> out there are either Python or Shell script, with the former tending to
> require non-mainstream C modules that don’t play well on anything outside
> of Linux or *BSD, and the latter written with GNU userlands in mind. The
> prospect of having cert management baked into Apache httpd is tantalizing
> - a perhaps more platform-agnostic approach that replaces the mess of
> scripts and cronjobs that we see today.
>
> Of course it would be an optional module, and anyone turning it on with a
> pre-existing LE setup should do so in an orderly way. Either way,
> facilitating SSL certs in light of HTTP/2 would be something I would be
> happy to see, even if at any other time such a facility would be seen as
> outside the scope of httpd.
>
> /dale
>
> > On Aug 26, 2016, at 5:08 PM, William A Rowe Jr wrote:
> >
> > I think this is great, in concept.
> >
> > My experience with letsencrypt (which was quite good, FWIW) is that
> > the project delivered a contained and trusted environment to sync and
> > deliver new keys and retrieve signed certificates. I'll be interested to see
> > what simplification is presented, I don't think we want to get into the
> > business of delivering container-style distributions of httpd.
> >
> >
> >
> > On Fri, Aug 26, 2016 at 9:47 AM, Rich Bowen  wrote:
> > At LinuxCon I spoke with the director of the LetsEncrypt project - whose
> > business card I haven't yet found in unpacking - and he asked whether
> > the httpd project would be interested in LetsEncrypt being "in" httpd.
> > That is, when one installs httpd, letsencrypt would just be a config
> > option. (I have no idea how this would actually work, but that's beside
> > the point really.)
> >
> > Is this something that we'd be interested in, if it were contributed? I
> > note that their software is under the Apache License, so there shouldn't
> > be any difficulty on that front.
> >
> > Naturally, I told him that the next step was to get on this mailing list
> > and talk about implementation details, and he said he'd do that. So that
> > should be coming in the next week, as soon as I find his business card
> > and send him the subscribe info and so on.
> >
> > --
> > Rich Bowen - rbo...@rcbowen.com - @rbowen
> > http://apachecon.com/ - @apachecon
> >
>
>


Re: httpd and letsencrypt

2016-08-29 Thread Leif Hedstrom

> On Aug 29, 2016, at 5:17 PM, William A Rowe Jr wrote:
> 
> On Mon, Aug 29, 2016 at 2:52 PM, Jim Jagielski wrote:
> Also, and this is personal, I don't tend to "trust" entities
> with non-public membership:
> 
> https://github.com/orgs/letsencrypt/people
> 
> FWIW, looking through letskencrypt git commits, it seems to consist
> of only https://github.com/kristapsdz and the
> various pull requests they've
> pulled in. We haven't had an issue with the similarly structured nghttp2.


Also take a look at the efforts around CJOSE:

https://github.com/cisco/cjose 

This is likely what we’ll use for the ATS implementation (which is work in 
progress, but got stalled waiting for cjose :).

— Leif



Re: httpd and letsencrypt

2016-08-29 Thread William A Rowe Jr
On Mon, Aug 29, 2016 at 2:52 PM, Jim Jagielski  wrote:

> Also, and this is personal, I don't tend to "trust" entities
> with non-public membership:
>
> https://github.com/orgs/letsencrypt/people
>
>
FWIW, looking through letskencrypt git commits, it seems to consist
of only https://github.com/kristapsdz and the various pull requests they've
pulled in. We haven't had an issue with the similarly structured nghttp2.


Re: httpd and letsencrypt

2016-08-29 Thread William A Rowe Jr
On Aug 29, 2016 14:50, "Jim Jagielski"  wrote:
>
> Key, of course (no pun intended) is a client impl with a suitable
> and acceptable license.
>
> There is https://kristaps.bsd.lv/letskencrypt/, but last I looked
> it required, iirc, LibreSSL as well as it still being somewhat
> unstable. I am hoping we can get pointers to alternatives :)

Provided that letskencrypt can be appropriately licensed, it appears that
from the outline, the core (red illustrated) bits could run in the root
context of httpd at startup (at the time that client traffic would not have
polluted that process.) Our model already makes the rest of the piping and
restricted child processes trivial.

License seems to be the simplest BSD form
https://github.com/kristapsdz/letskencrypt/blob/master/LICENSE.md

Getting this compatible with whichever httpd mod_ssl is linked to, LibreSSL
or OpenSSL, would surely be trivial, author's bias notwithstanding.


Re: httpd and letsencrypt

2016-08-29 Thread Jim Jagielski
Also, and this is personal, I don't tend to "trust" entities
with non-public membership:

https://github.com/orgs/letsencrypt/people


> On Aug 29, 2016, at 3:49 PM, Jim Jagielski  wrote:
> 
> Key, of course (no pun intended) is a client impl with a suitable
> and acceptable license.
> 
> There is https://kristaps.bsd.lv/letskencrypt/, but last I looked
> it required, iirc, LibreSSL as well as it still being somewhat
> unstable. I am hoping we can get pointers to alternatives :)
> 
>> On Aug 29, 2016, at 11:09 AM, Josh Aas  wrote:
>> 
>> Thanks for the intro Rich.
>> 
>> I think it's important that we make HTTPS as easy as possible with
>> Apache httpd. I don't have a particular architecture in mind, my not
>> being an Apache dev, but I do have a user experience in mind -- the
>> simplest config option possible, without having to fetch/install
>> additional packages. When that option is set, httpd should turn on
>> HTTPS and get and manage certs as necessary without the user needing
>> to know much of anything about it. There can, of course, be other
>> options for more advanced users.
>> 
>> Doing this will obviously require an ACME client. I'm curious to hear
>> what httpd devs think is the best architecture for including the
>> client, storing the necessary data (cert chain, ACME account info),
>> and configuring the feature.
>> 
>> If we can come up with a plan that results in making HTTPS with httpd
>> easy, one that the httpd devs are happy with, I can help to make
>> funding available for the work.
>> 
>> I'd also appreciate any recommendations for people to do the work.
>> 
>> I'll end this email with a link to a great example of seamless
>> integration in the caddy web server:
>> 
>> https://www.youtube.com/watch?v=nk4EWHvvZtI
>> 
>> Thanks,
>> 
>> -- 
>> Josh Aas
>> Executive Director
>> Internet Security Research Group
>> Let's Encrypt: A Free, Automated, and Open CA
> 



Re: httpd and letsencrypt

2016-08-29 Thread Jim Jagielski
Key, of course (no pun intended) is a client impl with a suitable
and acceptable license.

There is https://kristaps.bsd.lv/letskencrypt/, but last I looked
it required, iirc, LibreSSL as well as it still being somewhat
unstable. I am hoping we can get pointers to alternatives :)

> On Aug 29, 2016, at 11:09 AM, Josh Aas  wrote:
> 
> Thanks for the intro Rich.
> 
> I think it's important that we make HTTPS as easy as possible with
> Apache httpd. I don't have a particular architecture in mind, my not
> being an Apache dev, but I do have a user experience in mind -- the
> simplest config option possible, without having to fetch/install
> additional packages. When that option is set, httpd should turn on
> HTTPS and get and manage certs as necessary without the user needing
> to know much of anything about it. There can, of course, be other
> options for more advanced users.
> 
> Doing this will obviously require an ACME client. I'm curious to hear
> what httpd devs think is the best architecture for including the
> client, storing the necessary data (cert chain, ACME account info),
> and configuring the feature.
> 
> If we can come up with a plan that results in making HTTPS with httpd
> easy, one that the httpd devs are happy with, I can help to make
> funding available for the work.
> 
> I'd also appreciate any recommendations for people to do the work.
> 
> I'll end this email with a link to a great example of seamless
> integration in the caddy web server:
> 
> https://www.youtube.com/watch?v=nk4EWHvvZtI
> 
> Thanks,
> 
> -- 
> Josh Aas
> Executive Director
> Internet Security Research Group
> Let's Encrypt: A Free, Automated, and Open CA



Re: httpd and letsencrypt

2016-08-29 Thread William A Rowe Jr
Hi Rich, some thoughts inline...

On Aug 29, 2016 10:09, "Josh Aas"  wrote:
>
> Thanks for the intro Rich.
>
> I think it's important that we make HTTPS as easy as possible with
> Apache httpd. I don't have a particular architecture in mind, my not
> being an Apache dev, but I do have a user experience in mind -- the
> simplest config option possible, without having to fetch/install
> additional packages. When that option is set, httpd should turn on
> HTTPS and get and manage certs as necessary without the user needing
> to know much of anything about it. There can, of course, be other
> options for more advanced users.

Be aware that httpd users must provision OpenSSL and other dependencies, or
obtain a distribution which includes these. So these come "for free" in
terms of additional burdens on this effort.

SSLEngine on currently toggles SSL in a given host context. Adding an
'auto' or 'letsencrypt' toggle value would be trivial.

> Doing this will obviously require an ACME client. I'm curious to hear
> what httpd devs think is the best architecture for including the
> client, storing the necessary data (cert chain, ACME account info),
> and configuring the feature.

This should be straightforward. We generally use default data store in the
typical var path and our autoconf and run time directives allow users to
override such defaults. Adding an ACME dependency isn't a hardship on
folks, any more than the other 8 or so dependencies.

> If we can come up with a plan that results in making HTTPS with httpd
> easy, one that the httpd devs are happy with, I can help to make
> funding available for the work.
>
> I'd also appreciate any recommendations for people to do the work.

There are a number of dual project members between OpenSSL and httpd who
take contract work through the openssl org. The ASF won't intermediate
development contracts at the project level (only for our own infrastructure
which obviously relies on commercial certs.)

> I'll end this email with a link to a great example of seamless
> integration in the caddy web server:
>
> https://www.youtube.com/watch?v=nk4EWHvvZtI
>
> Thanks,
>
> --
> Josh Aas
> Executive Director
> Internet Security Research Group
> Let's Encrypt: A Free, Automated, and Open CA

And thank you for raising this proposal!


Re: httpd and letsencrypt

2016-08-29 Thread Josh Aas
Thanks for the intro Rich.

I think it's important that we make HTTPS as easy as possible with
Apache httpd. I don't have a particular architecture in mind, my not
being an Apache dev, but I do have a user experience in mind -- the
simplest config option possible, without having to fetch/install
additional packages. When that option is set, httpd should turn on
HTTPS and get and manage certs as necessary without the user needing
to know much of anything about it. There can, of course, be other
options for more advanced users.

Doing this will obviously require an ACME client. I'm curious to hear
what httpd devs think is the best architecture for including the
client, storing the necessary data (cert chain, ACME account info),
and configuring the feature.

If we can come up with a plan that results in making HTTPS with httpd
easy, one that the httpd devs are happy with, I can help to make
funding available for the work.

I'd also appreciate any recommendations for people to do the work.

I'll end this email with a link to a great example of seamless
integration in the caddy web server:

https://www.youtube.com/watch?v=nk4EWHvvZtI

Thanks,

-- 
Josh Aas
Executive Director
Internet Security Research Group
Let's Encrypt: A Free, Automated, and Open CA


Re: httpd and letsencrypt

2016-08-27 Thread Stefan Sperling
On Fri, Aug 26, 2016 at 09:44:37AM -0700, Jacob Champion wrote:
> On 08/26/2016 07:47 AM, Rich Bowen wrote:
> >At LinuxCon I spoke with the director of the LetsEncrypt project - whose
> >business card I haven't yet found in unpacking - and he asked whether
> >the httpd project would be interested in LetsEncrypt being "in" httpd.
> >That is, when one installs httpd, letsencrypt would just be a config
> >option. (I have no idea how this would actually work, but that's beside
> >the point really.)
> >
> >Is this something that we'd be interested in, if it were contributed? I
> >note that their software is under the Apache License, so there shouldn't
> >be any difficulty on that front.
> 
> I assume you mean that they would donate a Let's Encrypt *client* for us to
> ship? I think that would be neat.

In case people are looking for a client implementation in C with a
suitable licence, see https://kristaps.bsd.lv/letskencrypt/
Perhaps this code base can serve as a baseline or inspiration.


Re: httpd and letsencrypt

2016-08-27 Thread Stefan Eissing
+1

> On 26.08.2016 at 18:44, Jacob Champion wrote:
> 
> On 08/26/2016 07:47 AM, Rich Bowen wrote:
>> At LinuxCon I spoke with the director of the LetsEncrypt project - whose
>> business card I haven't yet found in unpacking - and he asked whether
>> the httpd project would be interested in LetsEncrypt being "in" httpd.
>> That is, when one installs httpd, letsencrypt would just be a config
>> option. (I have no idea how this would actually work, but that's beside
>> the point really.)
>> 
>> Is this something that we'd be interested in, if it were contributed? I
>> note that their software is under the Apache License, so there shouldn't
>> be any difficulty on that front.
> 
> I assume you mean that they would donate a Let's Encrypt *client* for us to 
> ship? I think that would be neat.
> 
> --Jacob



Re: httpd and letsencrypt

2016-08-26 Thread William A Rowe Jr
I think this is great, in concept.

My experience with letsencrypt (which was quite good, FWIW) is that
the project delivered a contained and trusted environment to sync and
deliver new keys and retrieve signed certificates. I'll be interested to see
what simplification is presented, I don't think we want to get into the
business of delivering container-style distributions of httpd.



On Fri, Aug 26, 2016 at 9:47 AM, Rich Bowen  wrote:

> At LinuxCon I spoke with the director of the LetsEncrypt project - whose
> business card I haven't yet found in unpacking - and he asked whether
> the httpd project would be interested in LetsEncrypt being "in" httpd.
> That is, when one installs httpd, letsencrypt would just be a config
> option. (I have no idea how this would actually work, but that's beside
> the point really.)
>
> Is this something that we'd be interested in, if it were contributed? I
> note that their software is under the Apache License, so there shouldn't
> be any difficulty on that front.
>
> Naturally, I told him that the next step was to get on this mailing list
> and talk about implementation details, and he said he'd do that. So that
> should be coming in the next week, as soon as I find his business card
> and send him the subscribe info and so on.
>
> --
> Rich Bowen - rbo...@rcbowen.com - @rbowen
> http://apachecon.com/ - @apachecon
>


Re: httpd and letsencrypt

2016-08-26 Thread Jacob Perkins
That’s an interesting idea. Having a native client for Let's Encrypt would be
super useful. However, I will say my first thought was a worry that it might be
disruptive, and cause users of httpd to change any current implementations of
integrations with Let's Encrypt downstream.

/me stays tuned
—
Jacob Perkins
Product Owner
cPanel Inc.

jacob.perk...@cpanel.net 
Office:  713-529-0800 x 4046
Cell:  713-560-8655

> On Aug 26, 2016, at 11:44 AM, Jacob Champion  wrote:
> 
> On 08/26/2016 07:47 AM, Rich Bowen wrote:
>> At LinuxCon I spoke with the director of the LetsEncrypt project - whose
>> business card I haven't yet found in unpacking - and he asked whether
>> the httpd project would be interested in LetsEncrypt being "in" httpd.
>> That is, when one installs httpd, letsencrypt would just be a config
>> option. (I have no idea how this would actually work, but that's beside
>> the point really.)
>> 
>> Is this something that we'd be interested in, if it were contributed? I
>> note that their software is under the Apache License, so there shouldn't
>> be any difficulty on that front.
> 
> I assume you mean that they would donate a Let's Encrypt *client* for us to 
> ship? I think that would be neat.
> 
> --Jacob





Re: httpd and letsencrypt

2016-08-26 Thread Jim Jagielski
+1

I am guessing someone from:

  https://letsencrypt.org/about/
or
  https://letsencrypt.org/isrg/

most likely Josh Aas?

> On Aug 26, 2016, at 12:44 PM, Jacob Champion  wrote:
> 
> On 08/26/2016 07:47 AM, Rich Bowen wrote:
>> At LinuxCon I spoke with the director of the LetsEncrypt project - whose
>> business card I haven't yet found in unpacking - and he asked whether
>> the httpd project would be interested in LetsEncrypt being "in" httpd.
>> That is, when one installs httpd, letsencrypt would just be a config
>> option. (I have no idea how this would actually work, but that's beside
>> the point really.)
>> 
>> Is this something that we'd be interested in, if it were contributed? I
>> note that their software is under the Apache License, so there shouldn't
>> be any difficulty on that front.
> 
> I assume you mean that they would donate a Let's Encrypt *client* for us to 
> ship? I think that would be neat.
> 
> --Jacob



Re: httpd and letsencrypt

2016-08-26 Thread Jacob Champion

On 08/26/2016 07:47 AM, Rich Bowen wrote:
> At LinuxCon I spoke with the director of the LetsEncrypt project - whose
> business card I haven't yet found in unpacking - and he asked whether
> the httpd project would be interested in LetsEncrypt being "in" httpd.
> That is, when one installs httpd, letsencrypt would just be a config
> option. (I have no idea how this would actually work, but that's beside
> the point really.)
> 
> Is this something that we'd be interested in, if it were contributed? I
> note that their software is under the Apache License, so there shouldn't
> be any difficulty on that front.

I assume you mean that they would donate a Let's Encrypt *client* for us
to ship? I think that would be neat.


--Jacob