discuss AT lists.opennicproject.org

Subject: Discuss mailing list

List archive

Re: [opennic-discuss] broken https on reg.libre

From: Erich Eckner <opennic AT eckner.net>
To: discuss AT lists.opennicproject.org
Subject: Re: [opennic-discuss] broken https on reg.libre
Date: Wed, 27 May 2020 11:18:51 +0200 (CEST)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

I went ahead with step 1.
You should be able to reach the acme server at https://playground.acme.libre

The TLS cert for that domain is issued via the same sever and is available for download here: https://playground.acme.libre/opennic_root_ca.crt
its sha512sum is: 52b9725e7e5efe5b0354bf28ba5069d37bf1ad6d71ffbb1e4de48d31409f6f7e0033b60797d3c2e5972ca91f14513f3b81f429e0f6147a962534868131f763b9

(no, I will not make this download more convenient right now, because adding that certificate *is* a security risk - see below)

The current CA-Chain looks as follows:

Root-CA resides on an always-on, not-from-internet-reachable machine (sry, I don't have offline machines, I don't have spare hardware tokens and I'm not yet (before we seddle on 2) willing to invest in additional such things).

Intermediate-CA resides on the above virtual server without any further protection (no HSM or alike).

This is not optimal from a security point of view, but should be sufficiently secure for testing purposes. I'm not too familiar with X.509, but maybe one can restrict the CNs and SANs which are allowed to be signed by this CA-Chain somehow? If so, please let me/us know and we can implement that, too!

Once you installed the root certificate on the to-be-validated server, getting certificates can be as simple as running `certbot --nginx --server https://playground.acme.libre` (for nginx, obviously - other webservers should be similarily easy).

Feel free to test and report back to me (or everyone). Let's see, if this works out well or if I/we get overwhelmed with problems ;-)

regards,
Erich

On Tue, 26 May 2020, Erich Eckner wrote:

Hi,

I got now acme2certifier running locally for private use. It needed a few fixes (which - thanks to being written in python - are quite easy to perform in-situ) and I expect more issues to surface, once the user base broadens (for example, I only tested with certbot, and I only tested http and dns challenges).

I suggest the following roadmap (open for discussion/suggestions, of course):

1. I set up a public-facing acme certifier on a not-so-secure host of mine (sry, I only have a virtual server available, which will be insufficiently secure for a CA, obviously) based on https://github.com/grindsa/acme2certifier. We treat this as experimental, but everyone is encouraged to get certificates for their opennic domains, use them and report issues to me. I try to fix them (of course, I would also be thankful about help, here :-D) and turn the proof-of-concept into a production-ready setup.

2. Meanwhile, we figure out, how the key infrastructure should look like: Who should hold what key, what should be the default validy duration, resign period, etc.

3. At some point, when we're satisfied with the status of 1 and 2, we set up the real CA (installation according to 1, design according to 2) and switch from using CA-1 to CA-3. Or, we might even switch gradually (depending on what we want in 2) and simply advertise CA-1 as non-experimental at some point.

What do you think?

regards,
Erich

Re: [opennic-discuss] broken https on reg.libre , (continued)