Posted to dev@httpd.apache.org by Dale Ghent <da...@elemental.org> on 2016/09/14 22:35:21 UTC

Re: httpd and letsencrypt

Apologies for necro’ing this thread, I’m just catching up.

As a maintainer/user of a lesser-known open source OS (OmniOS, based on illumos, which is the carry-on of what you all might remember as OpenSolaris after Oracle killed it) I’ve had my own issues around attempting to select a suitable letsencrypt client that works on OmniOS and maintaining it. I’ve got one working (getssl) and it’s basically a giant shell script with modifications to work in our native userland.

The plain matter for people like myself is that most letsencrypt clients out there are either Python or Shell script, with the former tending to require non-mainstream C modules that don’t play well on anything outside of Linux or *BSD, and the latter written with GNU userlands in mind. The prospect of having cert management baked in to Apache httpd is tantalizing - a perhaps more platform-agnostic approach that replaces the mess of scripts and cronjobs that we see today.

Of course it would be an optional module, and anyone turning it on with a pre-existing LE setup should do so in an orderly way. Either way, facilitating SSL certs in light of HTTP/2 would be something I would be happy to see, even if at any other time such a facility would be seen as outside the scope of httpd.

/dale

> On Aug 26, 2016, at 5:08 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> 
> I think this is great, in concept.
> 
> My experience with letsencrypt (which was quite good, FWIW) is that
> the project delivered a contained and trusted environment to sync and
> deliver new keys and retrieve signed certificates. I'll be interested to see
> what simplification is presented, I don't think we want to get into the
> business of delivering container-style distributions of httpd.
> 
> 
> 
> On Fri, Aug 26, 2016 at 9:47 AM, Rich Bowen <rb...@rcbowen.com> wrote:
> At LinuxCon I spoke with the director of the LetsEncrypt project - whose
> business card I haven't yet found in unpacking - and he asked whether
> the httpd project would be interested in LetsEncrypt being "in" httpd.
> That is, when one installs httpd, letsencrypt would just be a config
> option. (I have no idea how this would actually work, but that's beside
> the point really.)
> 
> Is this something that we'd be interested in, if it were contributed? I
> note that their software is under the Apache License, so there shouldn't
> be any difficulty on that front.
> 
> Naturally, I told him that the next step was to get on this mailing list
> and talk about implementation details, and he said he'd do that. So that
> should be coming in the next week, as soon as I find his business card
> and send him the subscribe info and so on.
> 
> --
> Rich Bowen - rbowen@rcbowen.com - @rbowen
> http://apachecon.com/ - @apachecon
> 


Re: httpd and letsencrypt

Posted by Greg Stein <gs...@gmail.com>.
Anything new on this?

On Sep 15, 2016 00:35, "Dale Ghent" <da...@elemental.org> wrote:

>
> Apologies for necro’ing this thread, I’m just catching up.
>
> As a maintainer/user of a lesser-known open source OS (OmniOS, based on
> illumos, which is the carry-on of what you all might remember as
> OpenSolaris after Oracle killed it) I’ve had my own issues around
> attempting to select a suitable letsencrypt client that works on OmniOS and
> maintaining it. I’ve got one working (getssl) and it’s basically a giant
> shell script with modifications to work in our native userland.
>
> The plain matter for people like myself is that most letsencrypt clients
> out there are either Python or Shell script, with the former tending to
> require non-mainstream C modules that don’t play well on anything outside
> of Linux or *BSD, and the latter written with GNU userlands in mind. The
> prospect of having cert management baked in to Apache httpd is tantalizing
> - a perhaps more platform-agnostic approach that replaces the mess of
> scripts and cronjobs that we see today.
>
> Of course it would be an optional module, and anyone turning it on with a
> pre-existing LE setup should do so in an orderly way. Either way,
> facilitating SSL certs in light of HTTP/2 would be something I would be
> happy to see, even if at any other time such a facility would be seen as
> outside the scope of httpd.
>
> /dale
>
> > On Aug 26, 2016, at 5:08 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> >
> > I think this is great, in concept.
> >
> > My experience with letsencrypt (which was quite good, FWIW) is that
> > the project delivered a contained and trusted environment to sync and
> > deliver new keys and retrieve signed certificates. I'll be interested to see
> > what simplification is presented, I don't think we want to get into the
> > business of delivering container-style distributions of httpd.
> >
> >
> >
> > On Fri, Aug 26, 2016 at 9:47 AM, Rich Bowen <rb...@rcbowen.com> wrote:
> > At LinuxCon I spoke with the director of the LetsEncrypt project - whose
> > business card I haven't yet found in unpacking - and he asked whether
> > the httpd project would be interested in LetsEncrypt being "in" httpd.
> > That is, when one installs httpd, letsencrypt would just be a config
> > option. (I have no idea how this would actually work, but that's beside
> > the point really.)
> >
> > Is this something that we'd be interested in, if it were contributed? I
> > note that their software is under the Apache License, so there shouldn't
> > be any difficulty on that front.
> >
> > Naturally, I told him that the next step was to get on this mailing list
> > and talk about implementation details, and he said he'd do that. So that
> > should be coming in the next week, as soon as I find his business card
> > and send him the subscribe info and so on.
> >
> > --
> > Rich Bowen - rbowen@rcbowen.com - @rbowen
> > http://apachecon.com/ - @apachecon
> >
>
>