Automatic provisioning installation with Let's Encrypt certificates (#817)
Open
wojciech.kapcia@tigase.net opened 7 years ago

It would be quite handy if Tigase would be able to automatically provision Let's encrypt certificate when needed (and renew them)


https://github.com/shred/acme4j

wojciech.kapcia@tigase.net commented 5 years ago

Ah, only the verification goes over port 80 and I'm not sure whether that can be changed.

On 8 March 2019 at 20:49:23 CET, "Bartosz Małkowski" bartosz.malkowski@tigase.net wrote:

I have done Let's Encrypt certificate renewal for […]. I can take care of that.

wojciech.kapcia@tigase.net commented 5 years ago

We should consider how it should be handled and possible use cases / what triggers it:

  • Let's Encrypt doesn't provide wildcard certificates (AFAIR) so we should handle both main domain and all components' domains
  • What in the case of having certificate from "big CA" (non-wildcard) and still wanting to have certificate for component-domains (mostly s2s connection)?

In terms of actual functionality:

  • using http-01 challenge we could expose the challenge using http-api - this should work more-or-less out of the box (https://tigase.im is already served via Tigase)
  • we should handle cluster! (EventBus to notify all nodes about new challenge?)
  • I was pondering domains that point their A record to a different server - wouldn't it be possible for them to proxy the /.well-known/ location to our instance?
    • unless they use Let's Encrypt on their instance - in that case they could simply use a hook in certbot to update the cert in Tigase via http-api (we most likely would need to add a "how to" to the documentation).

Comments? %kobit %andrzej.wojcik %bmalkow ?

Andrzej Wójcik (Tigase) commented 5 years ago

%wojtek Yes, it is possible to redirect /.well-known/ to another server by proxying requests and forwarding them to us. I'm already doing that on my installation, but it is not possible if they are using LetsEncrypt to secure their site as well.

I remember that there was an idea to allow SSL certificates for XMPP for domain tigase.im to be valid for domain example.com. It was done by DNSSEC and DANE if I'm correct, but I do not remember what was the outcome of this idea, see https://tools.ietf.org/html/draft-miller-xmpp-dnssec-prooftype-04

wojciech.kapcia@tigase.net commented 5 years ago

Wojciech Kapcia wrote:

  • Let's Encrypt doesn't provide wildcard certificates (AFAIR) so we should handle both main domain and all components' domains

Actually it does. So basically either someone uploads own certificate (and worry about subdomains) or use (automatic) let's encrypt for everything…

Andrzej Wójcik wrote:

%wojtek Yes, it is possible to redirect /.well-known/ to another server by proxying requests and forwarding them to us. I'm already doing that on my installation, but it is not possible if they are using LetsEncrypt to secure their site as well.

I know - I said as much. But in that case certbot has a hook so we could also include short guide how to make it work with tigase: "create hook with URL pointing to xmpp server and concatenated certificates and chain".

I remember that there was an idea to allow SSL certificates for XMPP for domain tigase.im to be valid for domain example.com. It was done by DNSSEC and DANE if I'm correct, but I do not remember what was the outcome of this idea, see https://tools.ietf.org/html/draft-miller-xmpp-dnssec-prooftype-04

It looks kinda... stale...

This: https://github.com/letsencrypt/boulder/issues/1309 seems like it would be kinda nice, but it's a no-go from CA perspective...
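The certbot hook sketched in the two comments above ("create hook with URL pointing to xmpp server and concatenated certificates and chain") as a runnable deploy hook. This is an added example, not Tigase's own code or a documented Tigase endpoint: the upload URL, the `Api-Key` header and the multipart field names are placeholders to be replaced with the real http-api call, while the `RENEWED_LINEAGE` / `RENEWED_DOMAINS` variables are the ones certbot really exports to `--deploy-hook` scripts.

```shell
#!/bin/sh
# Added example (not Tigase's own code): a certbot deploy hook that takes the
# renewed Let's Encrypt lineage, concatenates the private key with the full
# certificate chain and pushes the bundle to the XMPP server's HTTP API.
# certbot sets these for --deploy-hook scripts:
#   RENEWED_LINEAGE  e.g. /etc/letsencrypt/live/example.com
#   RENEWED_DOMAINS  space-separated domains covered by the new certificate
# ASSUMPTION: the upload URL, API key header and form field names below are
# placeholders, not a documented Tigase endpoint; adjust them to the real API.
set -eu

TIGASE_CERT_URL="${TIGASE_CERT_URL:-https://xmpp.example.com:8080/rest/vhost-cert}"
TIGASE_API_KEY="${TIGASE_API_KEY:-change-me}"

# build_bundle LINEAGE_DIR OUT_FILE
# Writes private key followed by the full chain into OUT_FILE (mode 0600).
# Fails if either input is missing or does not look like PEM, so a
# half-written lineage is never uploaded to the server.
build_bundle() {
    lineage="$1"; out="$2"
    key="$lineage/privkey.pem"
    chain="$lineage/fullchain.pem"
    [ -s "$key" ]   || { echo "missing $key" >&2; return 1; }
    [ -s "$chain" ] || { echo "missing $chain" >&2; return 1; }
    grep -q 'BEGIN .*PRIVATE KEY' "$key" || { echo "$key is not a PEM key" >&2; return 1; }
    grep -q 'BEGIN CERTIFICATE' "$chain" || { echo "$chain is not a PEM chain" >&2; return 1; }
    # subshell so the restrictive umask does not leak into the rest of the hook
    ( umask 077; cat "$key" "$chain" > "$out" )
    return 0
}

# count_certs BUNDLE_FILE
# Prints how many PEM certificates the bundle holds; a sanity check that the
# leaf plus intermediates (not just the leaf) made it into the file.
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# upload_bundle DOMAIN BUNDLE_FILE
# Hypothetical HTTP API call: one multipart POST per renewed domain, with TLS
# verification left on and --fail so a rejected upload shows up in certbot's log.
upload_bundle() {
    domain="$1"; bundle="$2"
    curl --fail --silent --show-error \
         -H "Api-Key: $TIGASE_API_KEY" \
         -F "domain=$domain" \
         -F "pem=@$bundle" \
         "$TIGASE_CERT_URL"
}

# Entry point when run by certbot; skipped when the certbot variables are absent
# (e.g. when the file is sourced for testing).
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    bundle="$(mktemp)"
    trap 'rm -f "$bundle"' EXIT
    build_bundle "$RENEWED_LINEAGE" "$bundle"
    for d in ${RENEWED_DOMAINS:-}; do
        upload_bundle "$d" "$bundle"
    done
fi
```

Registered once with `certbot renew --deploy-hook /path/to/tigase-deploy-hook.sh`, the hook runs only after a successful renewal. If the lineage is a wildcard certificate, the single bundle also covers the component subdomains, which sidesteps the "certificate for every component domain" concern raised earlier in the thread.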

wojciech.kapcia@tigase.net commented 5 years ago

Wojciech Kapcia wrote:

Andrzej Wójcik wrote:

%wojtek Yes, it is possible to redirect /.well-known/ to another server by proxying requests and forwarding them to us. I'm already doing that on my installation, but it is not possible if they are using LetsEncrypt to secure their site as well.

I know - I said as much. But in that case certbot has a hook so we could also include short guide how to make it work with tigase: "create hook with URL pointing to xmpp server and concatenated certificates and chain".

FYI: I just added this part while working on #8875 #tigaseim-80. Now I'm pondering whether we should add dedicated Let's Encrypt solution within Tigase (considering constraints: HTTP having to point to our installation and having to generate certificates for all components) - @bmalkow @kobit @andrzej.wojcik ?

Artur Hefczyc commented 5 years ago

How much work does it need?

I am asking because, I honestly doubt that many users will use this solution. It is still kind of complicated to setup for average user. However, I understand that it would be very useful for us anyway. So, if it is not much work I would be in favor of implementing it, even if we are pretty much the only users.

wojciech.kapcia@tigase.net changed fields 4 months ago: Version: tigase-server-8.4.0 → tigase-server-9.0.0
wojciech.kapcia@tigase.net added to iteration "tigase-server-9.0.0" 4 months ago
wojciech.kapcia@tigase.net added "Related" tigase-private/systems-maintenance/servers#433 1 month ago
wojciech.kapcia@tigase.net added "Related" tigase/_server/tigase-utils#29 1 month ago
Type: New Feature
Priority: Blocker
RedmineID: 5431
Version: tigase-server-9.0.0
Estimation: 40h
Reference: tigase/_server/server-core#817