Posted to bugs@httpd.apache.org by bu...@apache.org on 2016/03/13 14:53:00 UTC

[Bug 59175] New: add ACME protocol support for automated certificate management

https://bz.apache.org/bugzilla/show_bug.cgi?id=59175

            Bug ID: 59175
           Summary: add ACME protocol support for automated certificate
                    management
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: mod_ssl
          Assignee: bugs@httpd.apache.org
          Reporter: jaas@kflag.net

Many people want to use SSL/TLS, and should, but getting and managing
certificates is a pain. Server software can relieve much of the pain by
supporting the ACME protocol and automatically retrieving and managing
certificates for configured domains.

The ACME protocol can be supported by any certificate authority (CA) and an
IETF WG is working on standardizing it.

Here is an example of an HTTP server getting a certificate for a domain
automatically using ACME and Let's Encrypt:

https://www.youtube.com/watch?v=nk4EWHvvZtI

We should try to make it this easy in apache as well.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


[Bug 59175] add ACME protocol support for automated certificate management

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=59175

--- Comment #3 from pde <pd...@eff.org> ---
If that's the approach that the Apache team considers most correct, the EFF
client (currently called "letsencrypt" but we're going to rename it shortly)
has already started on it to some degree.

The plugin code here is designed to try to configure httpd to speak TLS
correctly:

https://github.com/letsencrypt/letsencrypt/tree/master/letsencrypt-apache/letsencrypt_apache

At the moment, that code works for about 95% of Apache configurations, but
there are definitely cases it doesn't handle yet, such as:

* WSGI (https://github.com/letsencrypt/letsencrypt/issues/1820)
* Multiple vhosts per file
(https://github.com/letsencrypt/letsencrypt/issues/1042)

It would be great to have some attention and energy from the Apache team to
help ensure that this code is robust, architecturally sensible, and on a path
that will work for 99.x or 100% of users in the future.

There are definitely some pieces that feel hackish at the moment, such as all
of the vhost juggling logic and the fact that we rely on Augeas's imperfect
grammar for Apache config files:

https://github.com/hercules-team/augeas/blob/master/lenses/httpd.aug

--- Comment #1 from Reindl Harald <h....@thelounge.net> ---
disclaimer: I am not an httpd developer

the httpd process handling incoming requests MUST NOT have write permissions to
the certificates, and not even read permissions after dropping privileges - so how
do you imagine this working in a secure manner?

--- Comment #2 from Yann Ylavic <yl...@gmail.com> ---
I agree with Harald here: managing certificates either in the parent process,
which is problematic because "root" shouldn't issue outgoing connections (to
letsencrypt or whatever), or using an unprivileged/dedicated process, which is
a concern with regard to the final owner/rights on the certificates.

IMHO, this is a tool's job (probably from the distro) to provide this feature
and configure httpd accordingly.

pde <pd...@eff.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |pde-lists@eff.org

--- Comment #4 from Josh Aas <ja...@kflag.net> ---
An external tool is going to have some hard user experience limitations no
matter how good it is. In a world where HTTPS is what most people want, or even
required by browsers (it's where we're headed), Apache is going to want to do
better than that.

I'm confident that if the Apache team wants to provide first-class integrated
support for HTTPS and certificate management via ACME they can find a way to do
it securely.

In the meantime external tools will have to suffice, and as Peter said it
would be nice to have help with them, but I think we should focus on discussing
full integration here.

Christophe JAILLET <ch...@wanadoo.fr> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #5 from Christophe JAILLET <ch...@wanadoo.fr> ---
Have a look at mod_md (https://httpd.apache.org/docs/current/mod/mod_md.html)
available in httpd 2.4.30+.

Currently, the module is still marked as "experimental".

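As an added illustration of the mod_md approach the last comment points to (this is not configuration from the bug report or from the httpd project itself), a minimal httpd 2.4.30+ setup in which the server obtains and renews its own certificate over ACME. The host name, contact address and paths are placeholders; the directives are the ones documented for mod_md, and the comment on store-directory ownership is a recommendation, not a statement of mod_md's own permission scheme.

```apache
# Added example, not from this thread: one host whose certificate mod_md manages.
# mod_md relies on mod_watchdog for its background renewal job and on mod_ssl
# to serve the certificate it obtains.
LoadModule watchdog_module modules/mod_watchdog.so
LoadModule md_module       modules/mod_md.so
LoadModule ssl_module      modules/mod_ssl.so

# Accept the CA's terms of service; the default CA is Let's Encrypt.
MDCertificateAgreement accepted

# mod_md uses the ServerAdmin address as the ACME account contact (placeholder).
ServerAdmin webmaster@example.invalid

# Account data, private keys and certificates live here (relative to ServerRoot).
# After the first start, check which files under this directory the httpd
# runtime user can read: private keys should not be readable by the worker
# processes, which is the concern raised in comments #1 and #2 above.
MDStoreDir md

# Start renewal when one third of the certificate's lifetime is left.
MDRenewWindow 33%

# All names listed in one MDomain are placed on one certificate.
MDomain example.invalid www.example.invalid

# Port 80 must be reachable for the http-01 challenge the CA issues;
# mod_md answers the challenge itself, so no content is needed here.
<VirtualHost *:80>
    ServerName example.invalid
    ServerAlias www.example.invalid
</VirtualHost>

# No SSLCertificateFile/SSLCertificateKeyFile: for a managed domain mod_md
# supplies the certificate and key to mod_ssl.
<VirtualHost *:443>
    ServerName example.invalid
    ServerAlias www.example.invalid
    SSLEngine on
    DocumentRoot /var/www/example
</VirtualHost>
```

Until the first certificate has been obtained and the server reloaded, the TLS vhost answers with a temporary self-signed certificate, so the initial reload is part of the setup.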