Thank you so much for replying, Chris. Responses below.
On 10/5/2020 8:53 AM, Christopher Schultz wrote:
> Microservices won't work the way you want with Let's Encrypt. You have
> two options:
>
> 1. Hit Let's Encrypt every time you launch a new instance of the
> microservice to deploy a new certificate
> 2. Handle the certificate provisioning elsewhere (e.g. ELB)
>
> #1 just won't work. LE won't re-issue a certificate more frequently than
> every 6 weeks or something like that. So that really leaves you with #2.
It's good to know about the six-week limit, but you discarded #1 too
quickly. Can't the microservice simply store the credentials in S3 or
one of a hundred other data stores? (Note that I care less about
"microservices" as such at the moment. I just want a turnkey deployment
of a single application for now. But the idea is the same.)
> What you really want is for the orchestrator to provide the certificate
> and key to the nodes as they come on-line.
Look, these "orchestrators" are a configuration nightmare at the moment.
They end up being worse than my just configuring a CentOS machine from
scratch. Plus I have to pay for all those extra services. Read
https://leebriggs.co.uk/blog/2019/04/13/the-fargate-illusion.html and
try not to shudder.
> So instead of trying to get LE to work with Tomcat (which does work, but
> requires some care and feeding), maybe we should try to get Tomcat to
> load its crypto material from other places.
There is already a Java library (https://github.com/shred/acme4j) for
talking to Let's Encrypt. It sounds like it does everything I need. I'll
need to investigate more, but here are my initial doubts:
1. Does acme4j allow me to verify my certificate behind another port?
(e.g. Elastic Beanstalk deploys a JAR behind NGINX port 5000 by
default. I'm still reading RFC 8555 to find out if the ACME server
has to connect back on a certain port for verification.)
2. Once I have the Let's Encrypt certificate, can I convert to PKCS12
for Tomcat completely in the application without shelling out to
openssl or keytool? I'm hoping Bouncy Castle and/or acme4j-util will
allow me to do that.
3. Once I have the PKCS12, how do I feed it to the embedded Tomcat?
Chris, where can I get more information on the latter questions about
getting this certificate to Tomcat once I have it?
> One way to do that would be with e.g. Amazon's key storage service. I'm
> not familiar with that. I know it can store various types of keys; not
> sure about certificates and if we can pull a private key out of it.
I think your idea of storing this stuff elsewhere is a good first
stepping stone to get to where I want to go.
Just to get the ball rolling, I could manually run some Let's Encrypt
client, and then store the certificate in S3. Then the first component I
would write would be steps #2 and #3 above. I am already familiar with
the AWS Java library, so I could quickly figure out how to pull the
certificates off S3. But I need your help in finding out how to convert
them to PKCS12 (or whatever; this is new territory for me) on the fly
and feed them to the embedded Tomcat.
> Honestly, your best bet would probably be to use ELB and just pay for
> it. You only pay for data-transfer, so a dormant ELB costs you virtually
> nothing.
Last month I deployed a test application on Elastic Beanstalk on a
domain nobody knows about just to see how it worked. The ELB cost me $16
in a month with basically nobody using it! That adds up quickly. I have
several little apps I want to toss up. See also my question
https://serverfault.com/q/1036276 .
> Instead of spinning up an EC2 instance for your service, maybe you
> should be looking at Lambda instead. You can probably get your costs
> down more that way than trying to eliminate the ELB.
I want to drop either a self-contained JAR file or a Docker image
somewhere, and have it immediately start running with SSL support,
without my configuring a VM or running scripts. When I have a new
version, I want to drop a new JAR or Docker image and have it
automatically replace the other one. I don't want to maintain a VM. I
have a target price of let's say $5/month for everything (although $3
would be better). Does AWS Lambda give me that? If so, please point me
to the guides.
Garret
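Worked example for questions #2 and #3 above (added here as an illustration; it is not code from this thread, from acme4j or from the Tomcat project). It takes Let's Encrypt style PEM material as bytes (certbot's fullchain.pem plus an unencrypted PKCS#8 privkey.pem, "-----BEGIN PRIVATE KEY-----"), builds a PKCS12 KeyStore in memory with nothing but the JDK (no Bouncy Castle, no openssl or keytool), and hands that store to an embedded Tomcat 9.x HTTPS connector through SSLHostConfigCertificate.setCertificateKeystore(), so no keystore file ever touches disk. The file paths, the alias "tomcat", the placeholder password and port 8443 are assumptions; in the S3 deployment being discussed the two byte[]/String inputs would come from the S3 client instead of Files.readAllBytes.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import java.util.Collection;

import org.apache.catalina.connector.Connector;
import org.apache.catalina.startup.Tomcat;
import org.apache.coyote.http11.Http11NioProtocol;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.net.SSLHostConfigCertificate;

/**
 * Illustrative example (not from the thread): PEM (fullchain + PKCS#8 key)
 * -> in-memory PKCS12 -> embedded Tomcat HTTPS connector, pure JDK + Tomcat 9.
 */
public class PemToEmbeddedTomcat {

    /** Strip the PEM armour and decode an unencrypted PKCS#8 "BEGIN PRIVATE KEY" block. */
    static PrivateKey loadPkcs8PrivateKey(String pem) throws GeneralSecurityException {
        if (!pem.contains("-----BEGIN PRIVATE KEY-----")) {
            // "BEGIN RSA PRIVATE KEY" (PKCS#1) or "BEGIN EC PRIVATE KEY" (SEC1) are not
            // PKCS#8; those need Bouncy Castle's PEMParser, which this example avoids.
            throw new InvalidKeySpecException("expected an unencrypted PKCS#8 'BEGIN PRIVATE KEY' block");
        }
        String base64 = pem.replace("-----BEGIN PRIVATE KEY-----", "")
                           .replace("-----END PRIVATE KEY-----", "")
                           .replaceAll("\\s", "");
        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(Base64.getDecoder().decode(base64));
        // Let's Encrypt issues for both RSA and EC keys; try each KeyFactory in turn.
        for (String algorithm : new String[] {"RSA", "EC"}) {
            try {
                return KeyFactory.getInstance(algorithm).generatePrivate(spec);
            } catch (InvalidKeySpecException notThisAlgorithm) {
                // fall through and try the next algorithm
            }
        }
        throw new InvalidKeySpecException("private key is neither RSA nor EC");
    }

    /** fullchain.pem is several concatenated PEM certificates; CertificateFactory reads them all. */
    static Certificate[] loadChain(byte[] fullchainPem) throws GeneralSecurityException {
        Collection<? extends Certificate> certs = CertificateFactory.getInstance("X.509")
                .generateCertificates(new ByteArrayInputStream(fullchainPem));
        return certs.toArray(new Certificate[0]);  // leaf first, as certbot writes it
    }

    /** Assemble the PKCS12 store in memory; nothing is written to disk. */
    static KeyStore buildPkcs12(PrivateKey key, Certificate[] chain, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                         // initialise an empty store
        ks.setKeyEntry("tomcat", key, password, chain);  // alias "tomcat" is an assumption
        return ks;
    }

    /** Wire the in-memory store into an HTTPS connector via the Tomcat 9 SSLHostConfig API. */
    static Connector httpsConnector(KeyStore ks, char[] password, int port) {
        Connector connector = new Connector(Http11NioProtocol.class.getName());
        connector.setPort(port);
        connector.setScheme("https");
        connector.setSecure(true);
        ((Http11NioProtocol) connector.getProtocolHandler()).setSSLEnabled(true);

        SSLHostConfig hostConfig = new SSLHostConfig();      // hostName defaults to "_default_"
        SSLHostConfigCertificate cert =
                new SSLHostConfigCertificate(hostConfig, SSLHostConfigCertificate.Type.UNDEFINED);
        cert.setCertificateKeystore(ks);                     // no certificateKeystoreFile needed
        cert.setCertificateKeyAlias("tomcat");
        cert.setCertificateKeystorePassword(new String(password));
        cert.setCertificateKeyPassword(new String(password));
        hostConfig.addCertificate(cert);
        connector.addSslHostConfig(hostConfig);
        return connector;
    }

    public static void main(String[] args) throws Exception {
        // Assumption: args[0] = fullchain.pem, args[1] = privkey.pem as written by certbot.
        byte[] fullchain = Files.readAllBytes(Paths.get(args[0]));
        String privkey = new String(Files.readAllBytes(Paths.get(args[1])), StandardCharsets.US_ASCII);
        char[] password = "changeit".toCharArray();  // store never leaves the JVM; any value works

        KeyStore ks = buildPkcs12(loadPkcs8PrivateKey(privkey), loadChain(fullchain), password);

        Tomcat tomcat = new Tomcat();
        tomcat.setBaseDir(Files.createTempDirectory("tomcat").toString());
        // Add our connector first so Tomcat does not also create its default HTTP connector.
        tomcat.getService().addConnector(httpsConnector(ks, password, 8443));
        tomcat.addContext("", Files.createTempDirectory("docbase").toString());
        tomcat.start();
        tomcat.getServer().await();
    }
}
```

If the certificate is obtained in-process with acme4j instead of by a separate client, the key pair is already a Java KeyPair and the chain comes back as X509Certificate objects, so only buildPkcs12 and httpsConnector are needed; the PEM parsing above is for the "run a Let's Encrypt client by hand, park the files in S3" stepping stone described in the message. Renewal is then a matter of rebuilding the KeyStore and swapping the connector (or restarting the embedded Tomcat), which the example does not cover.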