Comments (9)
@kuba @coderanger @mvdkleijn @jdkasten @kelunik @My1 You guys seem to be invested in this.
Related:
from acme-spec.
@axos88 You can redirect /.well-known/acme-challenge/* to another (virtual) host at any time. The validation authority will follow any redirects. You could also use includes to define a common web root just for /.well-known/acme-challenge, that's what I usually do.
from acme-spec.
As stated, this is not that easy to do when the server configuration is generated by different software components (chef cookbooks) that one does not have control over. Unfortunately there are no global aliases / redirects in nginx, only per server.
This would also mean that in order to use letsencrypt, one has to MODIFY the current configuration, rather than ADD a new virtualhost declaration. Modifying something generated by some other actor is always a bad idea (this is one of the reasons conf.d directories exist btw).
from acme-spec.
For example: I have an automated installer for a web application, running over let's say ruby on rails. The application is obviously unaware, and should NEVER be aware how it's exposed to the internet. Thus it is unaware of how its SSL certificate is obtained and installed (normally it wouldn't even run on https, but would rely on a forward proxy to terminate the ssl connection, and forward it using http, but that's another matter).
Now my automated installer installs this software, and also installs and configures nginx for forward proxying. It will configure the nginx vhost, and other things that are needed. I don't know that LE exists, my installer just asks for the path to a certificate and a key.
Now I sell my software to a third party, who uses my installer (chef cookbook) to install my software on THEIR infrastructure. THEY are smarter than me, and know that LE exists, and want to use it to create the certs.
Current options:
- They start hacking around the nginx configuration generated by my installer and add the alias - not good, the next update will overwrite their changes, and they won't be able to renew
- They stop nginx every time they need to upgrade the certs for the duration of the verification - unacceptable
- They use dns challenge if they can - usually it cannot be automated, or is a great effort to add dns records automatically.
- They use the tls challenge (although it doesn't support nginx yet), and they modify its configuration during every verification, reloading its configuration, etc. Can easily create problems if someone is maintaining the server at the same time, etc.
OR: They also create a virtualhost accepting connections for *.acme.invalid once during installation, redirect it to a webroot, and have the verification client drop files into that webroot. Configure it once, and it works. Unnecessary to modify configuration files generated by other installers, unnecessary to keep reloading the nginx configuration all the time, less possibility for failure.
from acme-spec.
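The two approaches discussed above (a shared include for /.well-known/acme-challenge, and a dedicated virtual host that serves the challenge files from a fixed webroot so that generated application vhosts never have to be hand-edited) can be combined in nginx as follows. This is an added example, not configuration from the thread or from any ACME client; the file paths, hostnames and webroot directory are assumptions. Note that nginx has no global location directive, so each port-80 server block still has to reference the snippet once; that single include line is the only thing an installer would need to emit.

```nginx
# /etc/nginx/snippets/acme-challenge.conf   (added example; path is an assumption)
# Included from every server {} that answers on port 80. The "^~" prefix match
# wins over regex locations, so a generic "location ~ /\." dotfile block in the
# same server cannot turn the challenge into a 403.
location ^~ /.well-known/acme-challenge/ {
    # Hand the request to the dedicated ACME host. The validation authority
    # follows redirects, so the application behind this vhost never sees it.
    return 302 http://acme.example.com$request_uri;
}

# /etc/nginx/conf.d/acme.conf   (added example; hostname and webroot are assumptions)
# Dedicated virtual host configured once at install time. The ACME client writes
# its tokens into the webroot (e.g. certbot certonly --webroot -w /var/www/acme).
server {
    listen 80;
    server_name acme.example.com;

    root /var/www/acme;

    location ^~ /.well-known/acme-challenge/ {
        default_type text/plain;
        try_files $uri =404;
    }

    # Nothing else is served from this host.
    location / {
        return 404;
    }
}

# An application vhost as some other installer might generate it. The include is
# the one line that has to be present; everything else is untouched.
# (Example block, not the output of any real installer.)
server {
    listen 80;
    server_name app.example.com;

    include snippets/acme-challenge.conf;

    # Everything except the challenge is sent to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

Only the dedicated acme host ever needs to read the webroot, and the application vhosts are reloaded solely when a renewed certificate has to be picked up, which, as noted later in the thread, is unavoidable anyway.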
And let's face it, validation requests to a vhost have NOTHING to do with the software who serves the content on that server. They are intended for a totally different actor (certbot), thus they should be routed to a different vhost, not be mingled into all the other ones as locations and aliases, and such.
from acme-spec.
> unnecessary to keep reloading the nginx configuration all the time
You have to do that anyway for Nginx to use the new certificate instead of the old one.
Anyway, this is something that should be in the official repository instead and on the ACME mailing list.
from acme-spec.
> unnecessary to keep reloading the nginx configuration all the time

> You have to do that anyway for Nginx to use the new certificate instead of the old one.
True true, but at least you are not modifying configuration.
from acme-spec.
hmmm.. it's not a huge issue for me (anymore). I've simply decided that all visitors to my sites are redirected to 443, except for the challenge which is still available on 80. A script then refreshes the certs once every 90 days automatically via port 80 and does a graceful restart of Apache.
from acme-spec.
This repository is deprecated & un-maintained. Closing this issue. If applicable, please move discussion to the replacement IETF owned repo and the mailing list.
from acme-spec.