aboutsummaryrefslogtreecommitdiff
path: root/README.md
blob: 69d054f9ecb96e47d6d189e2d4fa11faba069d35 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
# Automatic Certificate Management Environment (ACME)

## Certificate Management

- [ ] Registration
- [ ] Account Recovery
- [ ] Identifier Authorization
- [ ] Certificate Issuance
- [ ] Certificate Revocation

## Identifier Validation Challenges

- [ ] HTTP
- [ ] TLS with Server Name Indication (TLS SNI)
- [ ] Proof of Possession of a Prior Key
- [ ] DNS

## API
Register(email string) -> Registration(Account, PrivKey, Noncer)
LoadAccount(email string) -> --""--
Registration.Recover(?)
Regsitration.Authorize(domain []string) -> ([]Challange, []Combination)
Regsitration.Renew(domain []string) -> ([]Challange, []Combination)

## Flow

get directory -> urls, first nonce

marshal, sign, post -> nonce, response, next

## Use Flow

Init: param(email)
	Create and register account if there is none

Periodic: (batch)
	Check want files
		if Cert is missing, request it
	Walk through obtained certs and check for expire
		if Expire aproaches, renew cert
	Call hooks (reload webserver, etc.)

Revoke: param(domain.tld)
	handled separate

Restore: param(email)
	handled separate

## misc

If domain contains www.domain.tdl prefix include domain.tdl automaticly.

## flow v2

account key:
	absent -> allocate key, register
	present -> do nothing

certificate key:
	absent ->
		check account key
		allocate key, request certificate
	present ->
		check account key
		certificate:
			absent -> request certificate
			present ->
				check expire -> renew cert

worker:
	register account
	request certificate
	renew certifivicate

## test tunnel
slogin -R \*:80:localhost:8080 -R \*:443:localhost:8443 root@docker.moccu.com



# Refactor

## Register Account
- account key -> signer

## Authorize Domain
- account key (signer)
- altnames (desire)
- params: webroot or solver listener address

## Certificate
- account key (signer)
- cert key (desire)
- altnames (desire)

# redesign

- provider -> nonce
- account -> signer
- desire -> map[domain]signer

# alternative implementations

- github.com/xenolf/lego
- github.com/ericchiang/letsencrypt
- github.com/hlandau/acme

# Outbound
outbound1.letsencrypt.org
outbound2.letsencrypt.org

### ---

1. no key, no cert
   - generate key, register
   - request new cert
2. key present, no cert
   - request new cert
3. key present, cert present
   - do nothing
4. key present, cert exires/expired
   - request new cert

# Rethink (configless setup)
- pro: emails are stored in cert itself
- contra: cannot use same key for cert and account
- possible solution: separate key info@example.com.key with info@example.com stored in cert

## renew (batch mode)
- param: gracetime (default 1 week), basedir (default /etc/ssl/ or ~/.acme/)
- look for file pairs in {basedir}/private/{filename}.key and {basedir}/certs/{filename}.pem
- if found extract NotAfter, DNSNames, EmailAddress
  - if issuer is LE and if NotAfter reaches GraceTime use key, DNSNames and email to renew certificate
- backup old cert as {filename}.pem.old and save new cert in {basename}/certs/{filename}.pem

## new (manual mode)
- params: basedir, email, domain
- generate key
  - register key and email(s)
- generate csr
  - request cert with altnames (domain) and email(s)
- store {basedir}/private/{altname[0]}.key and {basedir}/certs/{altname[0]}.pem

    iptables -t nat -A PREROUTING -p tcp -s outbound1.letsencrypt.org --dport 443 -j REDIRECT --to-ports 8443
    iptables -t nat -A PREROUTING -p tcp -s outbound2.letsencrypt.org --dport 443 -j REDIRECT --to-ports 8443
    iptables -t nat -A PREROUTING -p tcp -s outbound1.letsencrypt.org --dport 80 -j REDIRECT --to-ports 8080
    iptables -t nat -A PREROUTING -p tcp -s outbound2.letsencrypt.org --dport 80 -j REDIRECT --to-ports 8080
    iptables -A INPUT -p tcp -m multiport --dports 8080,8443 -j ACCEPT