# Automatic Certificate Management Environment (ACME)

## Certificate Management

- [ ] Registration
- [ ] Account Recovery
- [ ] Identifier Authorization
- [ ] Certificate Issuance
- [ ] Certificate Revocation

## Identifier Validation Challenges

- [ ] HTTP
- [ ] TLS with Server Name Indication (TLS SNI)
- [ ] Proof of Possession of a Prior Key
- [ ] DNS

## API

```
Register(email string)    -> Registration(Account, PrivKey, Noncer)
LoadAccount(email string) -> Registration(Account, PrivKey, Noncer)
Registration.Recover(?)
Registration.Authorize(domain []string) -> ([]Challenge, []Combination)
Registration.Renew(domain []string)     -> ([]Challenge, []Combination)
```

## Flow

```
get directory        -> urls, first nonce
marshal, sign, post  -> nonce, response, next
```

## Use Flow

Init: param(email)

- Create and register the account if there is none

Periodic (batch):

- Check want files; if a cert is missing, request it
- Walk through the obtained certs and check for expiry; if expiry approaches, renew the cert
- Call hooks (reload webserver, etc.)

Revoke: param(domain.tld), handled separately

Restore: param(email), handled separately

## misc

If a domain carries a www.domain.tld prefix, include domain.tld automatically.
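The `marshal, sign, post -> nonce` step of the flow above, as an added example that is not code from this project: every ACME request body is a JWS signed with the account key, and the protected header binds the request to the nonce the server handed out, so a captured request cannot be replayed and a tampered payload fails signature verification. RS256, the header layout (`alg`, `nonce`, `jwk`) and the `new-reg` payload are assumptions for the demo; `verifyRequest` stands in for the server-side check.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
)

// jws is the flattened JSON serialization posted to the ACME server.
type jws struct {
	Protected string `json:"protected"`
	Payload   string `json:"payload"`
	Signature string `json:"signature"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// newAccountKey allocates the account key that signs all requests.
func newAccountKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

// jwkFor renders the public half of the account key as a JWK so the server
// can identify the account and verify the signature.
func jwkFor(pub *rsa.PublicKey) map[string]string {
	return map[string]string{
		"kty": "RSA",
		"n":   b64(pub.N.Bytes()),
		"e":   b64(big.NewInt(int64(pub.E)).Bytes()),
	}
}

// signRequest marshals the payload, puts the server-issued nonce into the
// protected header and signs header.payload with RS256 (assumed algorithm).
func signRequest(key *rsa.PrivateKey, nonce string, payload interface{}) (*jws, error) {
	hdr, err := json.Marshal(map[string]interface{}{
		"alg": "RS256", "nonce": nonce, "jwk": jwkFor(&key.PublicKey),
	})
	if err != nil {
		return nil, err
	}
	body, err := json.Marshal(payload)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(b64(hdr) + "." + b64(body)))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return &jws{Protected: b64(hdr), Payload: b64(body), Signature: b64(sig)}, nil
}

// verifyRequest is the server's view: the signature must cover
// protected.payload and the nonce must be the one it issued for this request.
func verifyRequest(pub *rsa.PublicKey, r *jws, expectNonce string) error {
	sig, err := base64.RawURLEncoding.DecodeString(r.Signature)
	if err != nil {
		return err
	}
	digest := sha256.Sum256([]byte(r.Protected + "." + r.Payload))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return fmt.Errorf("bad signature: %w", err)
	}
	hdr, err := base64.RawURLEncoding.DecodeString(r.Protected)
	if err != nil {
		return err
	}
	var h struct {
		Nonce string `json:"nonce"`
	}
	if err := json.Unmarshal(hdr, &h); err != nil {
		return err
	}
	if h.Nonce != expectNonce {
		return fmt.Errorf("nonce mismatch: got %q", h.Nonce)
	}
	return nil
}

func main() {
	key := newAccountKey()
	// Constructed nonce and payload; a real client takes the nonce from the
	// directory response (or the previous reply) and posts to the given URL.
	req, err := signRequest(key, "constructed-nonce-1", map[string]string{
		"resource": "new-reg", "contact": "mailto:info@example.com",
	})
	if err != nil {
		panic(err)
	}
	fmt.Println("valid:", verifyRequest(&key.PublicKey, req, "constructed-nonce-1") == nil)
	fmt.Println("replay:", verifyRequest(&key.PublicKey, req, "constructed-nonce-2"))
}
```

The nonce is what makes the per-request `marshal, sign, post` loop stateful: each reply carries the nonce for the next request, and reusing an old one is rejected exactly as the `replay` line shows.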
## flow v2

```
account key:
  absent  -> allocate key, register
  present -> do nothing

certificate key:
  absent  -> check account key, allocate key, request certificate
  present -> check account key

certificate:
  absent  -> request certificate
  present -> check expire -> renew cert

worker:
  register account
  request certificate
  renew certificate
```

## test tunnel

```
slogin -R '*:80:localhost:8080' -R '*:443:localhost:8443' root@docker.moccu.com
```

# Refactor

## Register Account

- account key -> signer

## Authorize Domain

- account key (signer)
- altnames (desire)
- params: webroot or solver listener address

## Certificate

- account key (signer)
- cert key (desire)
- altnames (desire)

# redesign

- provider -> nonce
- account -> signer
- desire -> map[domain]signer

# alternative implementations

- github.com/xenolf/lego
- github.com/ericchiang/letsencrypt
- github.com/hlandau/acme

# Outbound

```
outbound1.letsencrypt.org
outbound2.letsencrypt.org
```

---

1. no key, no cert
   - generate key, register
   - request new cert
2. key present, no cert
   - request new cert
3. key present, cert present
   - do nothing
4. key present, cert expires/expired
   - request new cert

# Rethink (configless setup)

- pro: emails are stored in the cert itself
- contra: cannot use the same key for cert and account
- possible solution: separate key info@example.com.key with info@example.com stored in the cert

## renew (batch mode)

- param: gracetime (default 1 week), basedir (default /etc/ssl/ or ~/.acme/)
- look for file pairs in {basedir}/private/(unknown).key and {basedir}/certs/(unknown).pem
- if found, extract NotAfter, DNSNames, EmailAddress
- if the issuer is LE and NotAfter reaches GraceTime, use key, DNSNames and email to renew the certificate
- back up the old cert as (unknown).pem.old and save the new cert in {basename}/certs/(unknown).pem

## new (manual mode)

- params: basedir, email, domain
- generate key
- register key and email(s)
- generate csr
- request cert with altnames (domain) and email(s)
- store {basedir}/private/{altname[0]}.key and {basedir}/certs/{altname[0]}.pem

```
iptables -t nat -A PREROUTING -p tcp -s outbound1.letsencrypt.org --dport 443 -j REDIRECT --to-ports 8443
iptables -t nat -A PREROUTING -p tcp -s outbound2.letsencrypt.org --dport 443 -j REDIRECT --to-ports 8443
iptables -t nat -A PREROUTING -p tcp -s outbound1.letsencrypt.org --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -p tcp -s outbound2.letsencrypt.org --dport 80 -j REDIRECT --to-ports 8080
iptables -A INPUT -p tcp -m multiport --dports 8080,8443 -j ACCEPT
```
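The four key/cert cases of the flow and the "renew (batch mode)" check, as an added example that is not code from this project: `inspectCert` pulls NotAfter, DNSNames and EmailAddresses out of a PEM certificate, and `decide` maps the pair state onto an action, renewing only when the cert is inside the grace window (or already expired) and was issued by LE. The notes do not say how "issuer is LE" is tested; this example assumes an issuer with Organization "Let's Encrypt". `selfSignedPEM` only constructs throwaway input for the demo, standing in for `{basedir}/certs/(unknown).pem`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Action is what the renew worker does for one key/cert pair.
type Action int

const (
	ActionNone    Action = iota // key and cert present, cert still good
	ActionNewKey                // case 1: no key, so allocate key and register
	ActionRequest               // case 2: key present, no cert
	ActionRenew                 // case 4: cert expires within grace time, or expired
)

// CertInfo holds the fields the batch renewer extracts from an existing cert.
type CertInfo struct {
	NotAfter       time.Time
	DNSNames       []string
	EmailAddresses []string
	IssuedByLE     bool
}

// inspectCert parses one PEM certificate. "Issued by LE" is an assumption
// of this example: issuer Organization == "Let's Encrypt".
func inspectCert(certPEM []byte) (*CertInfo, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	info := &CertInfo{NotAfter: cert.NotAfter, DNSNames: cert.DNSNames, EmailAddresses: cert.EmailAddresses}
	for _, org := range cert.Issuer.Organization {
		if org == "Let's Encrypt" {
			info.IssuedByLE = true
		}
	}
	return info, nil
}

// decide implements the four cases; certificates from another CA are never
// touched, and an expired LE cert is treated like one inside the window.
func decide(haveKey bool, certPEM []byte, grace time.Duration, now time.Time) (Action, *CertInfo, error) {
	if !haveKey {
		return ActionNewKey, nil, nil
	}
	if len(certPEM) == 0 {
		return ActionRequest, nil, nil
	}
	info, err := inspectCert(certPEM)
	if err != nil {
		return ActionNone, nil, err
	}
	if info.IssuedByLE && !now.Add(grace).Before(info.NotAfter) {
		return ActionRenew, info, nil
	}
	return ActionNone, info, nil
}

// selfSignedPEM constructs demo input only; the issuer Organization of a
// self-signed cert is its own Subject Organization.
func selfSignedPEM(org string, notAfter time.Time, dns, emails []string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cn := ""
	if len(dns) > 0 {
		cn = dns[0]
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        pkix.Name{CommonName: cn, Organization: []string{org}},
		NotBefore:      notAfter.Add(-90 * 24 * time.Hour),
		NotAfter:       notAfter,
		DNSNames:       dns,
		EmailAddresses: emails,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	now := time.Now()
	cert := selfSignedPEM("Let's Encrypt", now.Add(5*24*time.Hour),
		[]string{"example.com", "www.example.com"}, []string{"info@example.com"})
	action, info, err := decide(true, cert, 7*24*time.Hour, now) // 1 week grace
	if err != nil {
		panic(err)
	}
	fmt.Printf("action=%d notAfter=%s names=%v mail=%v\n",
		action, info.NotAfter.Format(time.RFC3339), info.DNSNames, info.EmailAddresses)
}
```

Because `decide` takes `now` as a parameter rather than calling `time.Now()`, the grace-window boundary can be tested deterministically, which is also how the batch run can be dry-run against a fixed date before touching the `.pem.old` backups.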