
Add ACME certificate generation #95

Merged
merged 14 commits into from
Nov 15, 2021

Conversation

ecton
Member

@ecton ecton commented Nov 11, 2021

Closes #38.

Remaining tasks:

  • Move certificate and private key storage into the database, and encrypt it. (We'll eventually be wanting more than one certificate anyways).
  • Move the LetsEncrypt account cache into BonsaiDb.
  • Implement expiration check on startup for automatic renewal
  • Either implement a background task that automatically renews, or write up a task to do it built upon Implement persistent job queue and scheduling service #78.
  • Hook up cert resolver to return the current certificate.
  • ~~Hook up pebble for CI.~~ Spun off into Add automated ACME testing #96
  • Change how the private key is installed -- generating the PEM to decode it right away is silly.
  • Test new feature flag combinations.
  • Document new feature flags.
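The startup expiration check and the background renewal task from the list above, as an added example that is not part of this PR or of BonsaiDb's code. It uses only the Rust standard library and assumes the caller has already decoded the installed certificate's notBefore/notAfter into Unix timestamps (the `Validity` struct, the `decide` function, and the one-third-of-lifetime renewal threshold are assumptions of the example, not anything the PR defines).

```rust
use std::time::{Duration, SystemTime, UNIX_EPOCH};

/// Validity window of the currently installed certificate, as Unix timestamps in seconds.
/// Assumption: notBefore/notAfter have already been decoded from the certificate by the caller.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct Validity {
    pub not_before: u64,
    pub not_after: u64,
}

/// What the startup check (or a background tick) should do next.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum RenewalDecision {
    /// No certificate is installed: order one before serving TLS.
    Missing,
    /// The certificate has expired or its window is malformed: renew immediately.
    Expired,
    /// Inside the renewal window (e.g. the last third of the lifetime): renew now.
    RenewNow,
    /// Still valid; sleep this long before checking again.
    CheckAgainIn(Duration),
}

/// Decide whether to renew, given the clock `now` (Unix seconds), how long before
/// expiry renewal should start, and an upper bound on how long to sleep between
/// checks (so a clock jump or a replaced certificate is noticed reasonably soon).
pub fn decide(
    validity: Option<Validity>,
    now: u64,
    renew_before: Duration,
    max_wait: Duration,
) -> RenewalDecision {
    let v = match validity {
        None => return RenewalDecision::Missing,
        Some(v) => v,
    };
    // A window that ends before it starts, or one that has already closed, is
    // treated the same way: the certificate cannot be served.
    if v.not_after <= v.not_before || now >= v.not_after {
        return RenewalDecision::Expired;
    }
    let remaining = Duration::from_secs(v.not_after - now);
    if remaining <= renew_before {
        return RenewalDecision::RenewNow;
    }
    // Wake up when the renewal window opens, but never sleep longer than max_wait.
    let until_window = remaining - renew_before;
    RenewalDecision::CheckAgainIn(until_window.min(max_wait))
}

/// Renewal threshold of one third of the certificate lifetime: a 90-day
/// certificate is renewed with 30 days left, which leaves room for retries if
/// an ACME order fails without re-ordering early in the lifetime.
pub fn renew_before_for(lifetime: Duration) -> Duration {
    lifetime / 3
}

/// Current time as Unix seconds (saturates to 0 if the clock is before the epoch).
pub fn now_unix() -> u64 {
    SystemTime::now()
        .duration_since(UNIX_EPOCH)
        .map(|d| d.as_secs())
        .unwrap_or(0)
}

fn main() {
    let day = 86_400u64;
    // Constructed sample: a 90-day certificate issued 70 days ago.
    let now = now_unix();
    let installed = Validity { not_before: now - 70 * day, not_after: now + 20 * day };
    let renew_before = renew_before_for(Duration::from_secs(90 * day));
    let decision = decide(Some(installed), now, renew_before, Duration::from_secs(day));
    println!("{:?}", decision); // RenewNow: only 20 of 90 days remain
}
```

The returned `RenewalDecision` is what a startup hook would act on immediately, and what a job scheduled through a persistent job queue (as in the task list's reference to #78) would use to compute its next run time; capping the sleep with `max_wait` keeps a long-lived process from trusting one clock reading for weeks.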

ecton added 12 commits November 10, 2021 20:25

Need a little extra work to tie the websocket implementation together.
Things are slightly complicated due to multiple versions of rustls being
involved between fabruic and this acme implementation.

This doesn't have certificate renewal in it, and it needs to be cleaned
up a lot.

The certificates still need to be stored in the database, but I want to
ponder a little while longer before tackling that part -- I think the
Server should have its own Admin database, as the "local" database has no
need to know about domains and Acme.

Now that the caching process works directly with Bonsai's certificate
storage, we can use the built-in order function -- greatly reducing the
complexity.

I implemented this because of a todo in PR #95. However, after
implementing it, I realized that the todo was outdated -- I was no
longer taking a der-encoded private key and wrapping it in a pem before
calling this function. I needed to in an older implementation of the
manually-driven acme loop, but since moving to the built-in `order`
function it was no longer needed.

However, it seems like a perfectly fine idea to keep in place, so I've
done that.

Both of these additions are to try to reduce some of the tedium I've
been encountering in day-to-day usage.

TlsCertificates are a little bit more future-proofed, although currently
install_certificate just assumes the certificate matches the
`server_name`.

This also finished removing some of the holdover fabruic-only "server
name" functionality from pinned certificates. Everything is unified
through this setting.
@ecton ecton marked this pull request as ready for review November 15, 2021 03:49
@ecton ecton merged commit 953f539 into main Nov 15, 2021
@ecton ecton deleted the acme branch November 15, 2021 03:49
@ecton ecton added this to the v0.1.0-alpha.1 milestone Dec 15, 2021
Successfully merging this pull request may close these issues.

Add automated ACME certificate generation