discuss AT lists.opennicproject.org
Subject: Discuss mailing list
List archive
- From: Erich Eckner <opennic AT eckner.net>
- To: discuss AT lists.opennicproject.org
- Subject: Re: [opennic-discuss] broken https on reg.libre
- Date: Wed, 27 May 2020 11:18:51 +0200 (CEST)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hi,
I went ahead with step 1.
You should be able to reach the acme server at https://playground.acme.libre
The TLS cert for that domain is issued via the same sever and is available for download here: https://playground.acme.libre/opennic_root_ca.crt
its sha512sum is: 52b9725e7e5efe5b0354bf28ba5069d37bf1ad6d71ffbb1e4de48d31409f6f7e0033b60797d3c2e5972ca91f14513f3b81f429e0f6147a962534868131f763b9
(no, I will not make this download more convenient right now, because adding that certificate *is* a security risk - see below)
The current CA-Chain looks as follows:
Root-CA resides on an always-on, not-from-internet-reachable machine (sry, I don't have offline machines, I don't have spare hardware tokens and I'm not yet (before we seddle on 2) willing to invest in additional such things).
Intermediate-CA resides on the above virtual server without any further protection (no HSM or alike).
This is not optimal from a security point of view, but should be sufficiently secure for testing purposes. I'm not too familiar with X.509, but maybe one can restrict the CNs and SANs which are allowed to be signed by this CA-Chain somehow? If so, please let me/us know and we can implement that, too!
Once you installed the root certificate on the to-be-validated server, getting certificates can be as simple as running `certbot --nginx --server https://playground.acme.libre` (for nginx, obviously - other webservers should be similarily easy).
Feel free to test and report back to me (or everyone). Let's see, if this works out well or if I/we get overwhelmed with problems ;-)
regards,
Erich
On Tue, 26 May 2020, Erich Eckner wrote:
-----BEGIN PGP SIGNATURE-----
Hi,
I got now acme2certifier running locally for private use. It needed a few fixes (which - thanks to being written in python - are quite easy to perform in-situ) and I expect more issues to surface, once the user base broadens (for example, I only tested with certbot, and I only tested http and dns challenges).
I suggest the following roadmap (open for discussion/suggestions, of course):
1. I set up a public-facing acme certifier on a not-so-secure host of mine (sry, I only have a virtual server available, which will be insufficiently secure for a CA, obviously) based on https://github.com/grindsa/acme2certifier. We treat this as experimental, but everyone is encouraged to get certificates for their opennic domains, use them and report issues to me. I try to fix them (of course, I would also be thankful about help, here :-D) and turn the proof-of-concept into a production-ready setup.
2. Meanwhile, we figure out, how the key infrastructure should look like: Who should hold what key, what should be the default validy duration, resign period, etc.
3. At some point, when we're satisfied with the status of 1 and 2, we set up the real CA (installation according to 1, design according to 2) and switch from using CA-1 to CA-3. Or, we might even switch gradually (depending on what we want in 2) and simply advertise CA-1 as non-experimental at some point.
What do you think?
regards,
Erich
iQIzBAEBCAAdFiEE3p92iMrPBP64GmxZCu7JB1Xae1oFAl7OMH0ACgkQCu7JB1Xa
e1odwhAAn4DUAIwHfUG1vmrDlhWeTvX+qrG6KR4Hb7hzI8AOyZHKUk7G6Yyr3zHK
a09b5H3aK4u2+0i9aGATmk4ZAyWpV+Q9bwil977siILMwkliVc4l3xu7rdTHQFQb
4b/oobuzSiL3YfZWqih4oqIAITKbPpxj2jBNPCDeFv2J5NuEbwbvdVXeXBMidXjJ
yTDtVNEbrkuZRqHXFlt4eF2t/UrbW4aOnUC5ytFYeDtpZIpDmppGVfKZYaTRqSo5
2i7hj4XHeVGjlTeVO1Fk2wSiXyhz3biBbNy6FmgbwZirYR98cRfgm7f3zEYHzaYE
RNvQi1YIXmwMkQ8YoRZBodRGooip99hFAcvbow2CiKGmPvB0tETQ9BqHNDs7nDvl
PvaYwdx7tW41hu1BdXYRPIpVgubpFMYQMIx+oreRe0ZFdmRi0M/pl6JZzXoY+/x8
Zx/wDtkm1Gf18Pd6NriA+1gTaYhGF9e8YGRB/sKOpmkOZZ06UtpVxp1zW5vT4mdX
nptpvH+aj4B/Op+iQQys7/nAHnLYR+IRjE0VJyVvQPB2md2zZNIRYSPaEZQ7Q4Dx
wfH9gExFWHYqepbCQcNEQNU+nulVZgbqkPmmZlK6lyr8LdzSqzzTt51ZqLY/ZjtG
Aru/bhMn1qrlYL6c+50wJ+c6cI7P1kvZAmiNc1/HvkWUVbJ6DgU=
=bmX2
-----END PGP SIGNATURE-----
-
Re: [opennic-discuss] broken https on reg.libre
, (continued)
-
Re: [opennic-discuss] broken https on reg.libre,
Erich Eckner, 05/22/2020
-
Re: [opennic-discuss] broken https on reg.libre,
Rouben, 05/22/2020
- Re: [opennic-discuss] broken https on reg.libre, Rouben, 05/22/2020
-
Re: [opennic-discuss] broken https on reg.libre,
Erich Eckner, 05/23/2020
-
Re: [opennic-discuss] broken https on reg.libre,
Rouben, 05/24/2020
-
Re: [opennic-discuss] broken https on reg.libre,
Erich Eckner, 05/24/2020
- Re: [opennic-discuss] broken https on reg.libre, postmaster, 05/24/2020
- Re: [opennic-discuss] broken https on reg.libre, Erich Eckner, 05/24/2020
- Re: [opennic-discuss] broken https on reg.libre, Amunak, 05/24/2020
- Re: [opennic-discuss] broken https on reg.libre, Erich Eckner, 05/26/2020
- Re: [opennic-discuss] broken https on reg.libre, Erich Eckner, 05/27/2020
-
Re: [opennic-discuss] broken https on reg.libre,
Erich Eckner, 05/24/2020
- Re: [opennic-discuss] broken https on reg.libre, Walter H., 05/27/2020
- Re: [opennic-discuss] broken https on reg.libre, Erich Eckner, 05/28/2020
- Re: [opennic-discuss] broken https on reg.libre, Walter H., 05/28/2020
- Re: [opennic-discuss] broken https on reg.libre, Erich Eckner, 05/28/2020
- Re: [opennic-discuss] broken https on reg.libre, Walter H., 05/29/2020
- Re: [opennic-discuss] broken https on reg.libre, Erich Eckner, 05/29/2020
- [opennic-discuss] missing RRtypes on reg.libre, Erich Eckner, 05/29/2020
- Re: [opennic-discuss] broken https on reg.libre, Walter H., 05/29/2020
- Re: [opennic-discuss] broken https on reg.libre, Erich Eckner, 05/29/2020
- Re: [opennic-discuss] broken https on reg.libre, Walter H., 05/29/2020
-
Re: [opennic-discuss] broken https on reg.libre,
Rouben, 05/24/2020
-
Re: [opennic-discuss] broken https on reg.libre,
Rouben, 05/22/2020
-
Re: [opennic-discuss] broken https on reg.libre,
Erich Eckner, 05/22/2020
Archive powered by MHonArc 2.6.19.