Projects tigase _server server-core Issues #817
Automatic provisioning installation with Let's Encrypt certificates (#817)
Open
wojciech.kapcia@tigase.net opened 7 years ago

It would be quite handy if Tigase would be able to automatically provision Let's encrypt certificate when needed (and renew them)


https://github.com/shred/acme4j

wojciech.kapcia@tigase.net commented 6 years ago

Ah, tylko weryfikacja idzie po porcie 80 i nie jestem pewien czy da się to zmienić.

Dnia 8 marca 2019 20:49:23 CET, "Bartosz Małkowski" bartosz.malkowski@tigase.net napisał(a):

Robiłem odnawianie certyfikatów letsencrypt dla […]. To mogę załatwić.

wojciech.kapcia@tigase.net commented 6 years ago

We should consider how it should be handled and possible use cases / what triggers it:

  • Let's Encrypt doesn't provide wildcard certificates (AFAIR) so we should handle both main domain and all components' domains
  • What in the case of having certificate from "big CA" (non-wildcard) and still wanting to have certificate for component-domains (mostly s2s connection)?

In terms of actual functionality:

  • using http-01 challenge we could expose the challenge using http-api - this should work more-or-less out of the box (https://tigase.im is already served via Tigase)
  • we should handle cluster! (EventBus to notify all nodes about new challenge?)
  • I was pondering domains that points A record to different server - wouldn't it be possible for them to proxy /.well-known/ location to our instance?
    • unless they use Let's Encrypt on their instance - in that case they could simply use hook in certbot to update cert in Tigase via http-api (we most likely would need to add "how to" to documentation.

Comments? %kobit %andrzej.wojcik %bmalkow ?

Andrzej Wójcik (Tigase) commented 6 years ago

%wojtek Yes, it is possible to redirect /.well-known/ to another server by proxying requests and forwarding them to us. I'm already doing that on my installation, but it is not possible if they are using LetsEncrypt to secure their site as well.

I remember that there was an idea to allow SSL certificates for XMPP for domain tigase.im to be valid for domain example.com. It was done by DNSSEC and DANE if I'm correct, but I do not remember what was the outcome of this idea, see https://tools.ietf.org/html/draft-miller-xmpp-dnssec-prooftype-04

wojciech.kapcia@tigase.net commented 6 years ago

Wojciech Kapcia wrote:

  • Let's Encrypt doesn't provide wildcard certificates (AFAIR) so we should handle both main domain and all components' domains

Actually it does. So basically either someone uploads own certificate (and worry about subdomains) or use (automatic) let's encrypt for everything…

Andrzej Wójcik wrote:

%wojtek Yes, it is possible to redirect /.well-known/ to another server by proxying requests and forwarding them to us. I'm already doing that on my installation, but it is not possible if they are using LetsEncrypt to secure their site as well.

I know - I said as much. But in that case certbot has a hook so we could also include short guide how to make it work with tigase: "create hook with URL pointing to xmpp server and concatenated certificates and chain".

I remember that there was an idea to allow SSL certificates for XMPP for domain tigase.im to be valid for domain example.com. It was done by DNSSEC and DANE if I'm correct, but I do not remember what was the outcome of this idea, see https://tools.ietf.org/html/draft-miller-xmpp-dnssec-prooftype-04

It looks kinda... stale...

This: https://github.com/letsencrypt/boulder/issues/1309 seems like it would be kinda nice, but it's a no-go from CA perspective...

wojciech.kapcia@tigase.net commented 5 years ago

Wojciech Kapcia wrote:

Andrzej Wójcik wrote:

%wojtek Yes, it is possible to redirect /.well-known/ to another server by proxying requests and forwarding them to us. I'm already doing that on my installation, but it is not possible if they are using LetsEncrypt to secure their site as well.

I know - I said as much. But in that case certbot has a hook so we could also include short guide how to make it work with tigase: "create hook with URL pointing to xmpp server and concatenated certificates and chain".

FYI: I just added this part while working on #8875 #tigaseim-80. Now I'm pondering whether we should add dedicated Let's Encrypt solution within Tigase (considering constraints: HTTP having to point to our installation and having to generate certificates for all components) - @bmalkow @kobit @andrzej.wojcik ?

Artur Hefczyc commented 5 years ago

How much work does it need?

I am asking because, I honestly doubt that many users will use this solution. It is still kind of complicated to setup for average user. However, I understand that it would be very useful for us anyway. So, if it is not much work I would be in favor of implementing it, even if we are pretty much the only users.

wojciech.kapcia@tigase.net changed fields 5 months ago
Name Previous Value Current Value
Version
tigase-server-8.4.0
tigase-server-9.0.0
wojciech.kapcia@tigase.net added to iteration "tigase-server-9.0.0" 5 months ago
wojciech.kapcia@tigase.net added "Related" tigase-private/systems-maintenance/servers#433 2 months ago
wojciech.kapcia@tigase.net added "Related" tigase/_server/tigase-utils#29 2 months ago
issue 1 of 1
Type
New Feature
Priority
Blocker
Assignee
RedmineID
5431
Version
tigase-server-9.0.0
Estimation
40h
Iterations
Issue Votes (0)
Watchers (2)
Reference
tigase/_server/server-core#817
Please wait...
Page is in error, reload to recover