Posted to users@trafficserver.apache.org by Jered Floyd <je...@convivian.com> on 2016/12/05 20:05:16 UTC

ATS and Let's Encrypt automation

Is anyone currently using ATS with Let's Encrypt as a certificate provider? 

My current plan is to do something like: 
1) Run Apache Server locally on a non-standard port (e.g. 8000) 

2) Add a rule mapping all access to /.well-known/acme-challenge/ to the local server: 
regex_map http://*/.well-known/acme-challenge/ http://proxy-host.domain.com:8000/ 

3) Use certbot's "webroot" authenticator plugin to satisfy http-01 challenge types 

4) Use certbot renew --post-hook to refresh ATS after certificate renewal 


This is relatively simple, but running another server locally feels inelegant. I don't believe ATS can be configured to serve local file system content, though. Any alternative suggestions I should explore? 

--Jered 
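As an added example that is not code from this thread: a POSIX shell post-hook implementing step 4 of the plan above (install the renewed pair, then reload ATS and show what "traffic_ctl config status" reports, which the later post in this thread asks about). ATS_SSL_DIR, TRAFFIC_CTL and the lineage path are assumptions that can be overridden.

```shell
#!/bin/sh
# Added example (not from the thread): a certbot post-hook for ATS.
# Assumed paths: ATS_SSL_DIR (the directory ssl_multicert.config points at)
# and TRAFFIC_CTL (the traffic_ctl binary); both can be overridden via env.
set -eu

ATS_SSL_DIR="${ATS_SSL_DIR:-/etc/trafficserver/ssl}"
TRAFFIC_CTL="${TRAFFIC_CTL:-traffic_ctl}"

# Return 0 only if the private key belongs to the certificate, so a
# half-written or mismatched pair is never handed to ATS.
cert_key_match() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if the certificate stays valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# Copy the pair into place (rename, so ATS never sees a partial file), then
# ask ATS to reload. The thread notes "traffic_ctl config status" may still
# say "traffic_server requires restarting" afterwards, so show it to the operator.
install_and_reload() {
    live="$1"   # e.g. /etc/letsencrypt/live/example.com (constructed path)
    cert_key_match "$live/fullchain.pem" "$live/privkey.pem" || {
        echo "cert/key mismatch in $live, not installing" >&2; return 1; }
    cert_valid_for_days "$live/fullchain.pem" 1 || {
        echo "certificate in $live is expired or expiring today" >&2; return 1; }
    umask 077
    cp "$live/fullchain.pem" "$ATS_SSL_DIR/fullchain.pem.tmp"
    cp "$live/privkey.pem"   "$ATS_SSL_DIR/privkey.pem.tmp"
    mv "$ATS_SSL_DIR/fullchain.pem.tmp" "$ATS_SSL_DIR/fullchain.pem"
    mv "$ATS_SSL_DIR/privkey.pem.tmp"   "$ATS_SSL_DIR/privkey.pem"
    "$TRAFFIC_CTL" config reload
    "$TRAFFIC_CTL" config status
}

# certbot exports RENEWED_LINEAGE for --deploy-hook; with --post-hook pass the
# lineage directory explicitly as $1. Nothing runs when neither is given.
if [ "${1:-}" != "" ] || [ "${RENEWED_LINEAGE:-}" != "" ]; then
    install_and_reload "${RENEWED_LINEAGE:-${1:-}}"
fi
```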

Re: ATS and Let's Encrypt automation

Posted by Jered Floyd <je...@convivian.com>.
Oh, I didn't realize this plugin existed! 

For anyone following along, BTW, running Apache Server (binding 127.0.0.1:8000 only) and then this remap directive (at the very top of my remap.config) worked perfectly: 

regex_map http://(.*)/.well-known/acme-challenge/ http://127.0.0.1:8000/ 

--Jered 

----- On Dec 5, 2016, at 3:22 PM, Leif Hedstrom <zw...@apache.org> wrote: 

> This is what the acme plugin does. It doesn't do the JOSE portions though, but
> that should be added to this plugin.

> -- Leif

> On Dec 5, 2016, at 1:15 PM, Alan Carroll < solidwallofcode@yahoo-inc.com >
> wrote:

>> It depends on how much coding you're willing to do. You could write a plugin to
>> do an intercept on a specific URL and have it serve local file content. That
>> doesn't scale but if you've only got a few files, it should work well.

Re: ATS and Let's Encrypt automation

Posted by Leif Hedstrom <zw...@apache.org>.
This is what the acme plugin does. It doesn't do the JOSE portions though, but that should be added to this plugin.

-- Leif 

> On Dec 5, 2016, at 1:15 PM, Alan Carroll <so...@yahoo-inc.com> wrote:
> 
> It depends on how much coding you're willing to do. You could write a plugin to do an intercept on a specific URL and have it serve local file content. That doesn't scale but if you've only got a few files, it should work well.

Re: ATS and Let's Encrypt automation

Posted by Alan Carroll <so...@yahoo-inc.com>.
It depends on how much coding you're willing to do. You could write a plugin to do an intercept on a specific URL and have it serve local file content. That doesn't scale but if you've only got a few files, it should work well.

Re: ATS and Let's Encrypt automation

Posted by Josh North <jo...@point808.com>.
I use the standalone server that comes with certbot along with a cron script to shut down ATS, run certbot, then restart ATS. Also not elegant but I could not get a redirect to work for this. 

On Dec 5, 2016, Jered Floyd <je...@convivian.com> wrote:
>
>Is anyone currently using ATS with Let's Encrypt as a certificate
>provider? 
>
>My current plan is to do something like: 
>1) Run Apache Server locally on a non-standard port (e.g. 8000) 
>
>2) Add a rule mapping all access to /.well-known/acme-challenge/ to the
>local server: 
>regex_map http://*/.well-known/acme-challenge/
>http://proxy-host.domain.com:8000/ 
>
>3) Use certbot's "webroot" authenticator plugin to satisfy http-01
>challenge types 
>
>4) Use certbot renew --post-hook to refresh ATS after certificate
>renewal 
>
>
>This is relatively simple, but running another server locally feels
>inelegant. I don't believe ATS can be configured to serve local file
>system content, though. Any alternative suggestions I should explore? 
>
>--Jered 

Re: ATS and Let's Encrypt automation

Posted by Jered Floyd <je...@convivian.com>.
This ended up working fine for my ATS environment. One point of confusion though -- the documentation claims that "traffic_ctl config reload" is sufficient after a change to ssl_multicert.config, but "traffic_ctl config status" afterwards reports "traffic_server requires restarting". 

Is a "traffic_ctl server restart" required after modification of ssl_multicert.config? 

--Jered 

----- On Dec 5, 2016, at 3:05 PM, Jered Floyd <je...@convivian.com> wrote: 

> Is anyone currently using ATS with Let's Encrypt as a certificate provider?

> My current plan is to do something like:
> 1) Run Apache Server locally on a non-standard port (e.g. 8000)

> 2) Add a rule mapping all access to /.well-known/acme-challenge/ to the local
> server:
> regex_map http://*/.well-known/acme-challenge/
> http://proxy-host.domain.com:8000/

> 3) Use certbot's "webroot" authenticator plugin to satisfy http-01 challenge
> types

> 4) Use certbot renew --post-hook to refresh ATS after certificate renewal

> This is relatively simple, but running another server locally feels inelegant. I
> don't believe ATS can be configured to serve local file system content, though.
> Any alternative suggestions I should explore?

> --Jered