-
ale authoredAdd dns-01 support, make the code more readable, add a testing mode that will generate self-signed certificates (for test environments that are not reachable from outside).
ale authoredAdd dns-01 support, make the code more readable, add a testing mode that will generate self-signed certificates (for test environments that are not reachable from outside).
acmeserver
Runs a daemon to manage a set of SSL certificates using the ACME protocol.
There are many similar tools, why another one? Well we need a few unique features:
- custom output code for certificates and private keys, so we can write them to replds and have them replicated to all front-ends;
- support for our DNS setup for dns-01 challenges, by sending RFC 2136 updates to all DNS servers in parallel.
For the rest it's a fairly common ACME automation tool, it supports the http-01 and dns-01 challenges (no tls-sni-01 because the tool is meant to be run behind a HTTPS proxy so it can't directly control the serving certificates).
Since this is a particularly critical piece of software, a few extra cautions are necessary in its development:
-
do not implement any ACME-specific code but use a well-maintained library instead (like golang.org/x/crypto/acme)
-
try to be robust against ACME high-level protocol changes by keeping this tool replaceable with certbot and a bunch of shell scripts. In particular we can do this by:
- keeping a directory structure for the output that's compatible with certbot
- having a way to independently push content to replds (which we do, by way of the replds command itself)
So the advantage of acmeserver becomes just the integration between the various components in a single package / binary (and monitoring, etc).