Using Let's Encrypt / ACME with ocserv
Nikos Mavrogiannopoulos
n.mavrogiannopoulos at gmail.com
Mon Jan 25 11:24:26 PST 2016
On Mon, 2016-01-25 at 09:13 -0800, Kevin Cernekee wrote:
> On Mon, Jan 25, 2016 at 1:46 AM, Nikos Mavrogiannopoulos
> <n.mavrogiannopoulos at gmail.com> wrote:
> > On Sun, Jan 24, 2016 at 10:17 PM, Kevin Cernekee <
> > cernekee at gmail.com> wrote:
> > > I set this up earlier today and ran into two issues:
> > >
> > > 1) `occtl reload` doesn't reload certs/keys, since they live in
> > > the
> > > perm_cfg. It would be nice if it did, just to avoid kicking off
> > > connected clients during the cert refresh every ~60-90 days.
> >
> > The difficult part when doing that, is to have some workers spawned
> > before reload with the old certificate in memory and accessing the
> > security module after reload with the new key. If the certificate
> > update process kept the old key, that would work, but if a new key
> > was
> > issued not. We could of course make these fail with a temporary
> > http
> > error.
> >
> > > 2) I added a new worker-http-handler to ocserv that would allow
> > > it to
> > > answer ACME challenges using the widely-supported "webroot"
> > > method,
> > > only to find that webroot is forbidden on TLS connections:
> > > https://github.com/letsencrypt/letsencrypt/issues/2150
> > > Ideally, a VPN gateway could implement ACME without having to
> > > open up
> > > port 80. Has anyone found a way around this restriction?
> >
> > No idea. But if there is something that ocserv could do to automate
> > this certificate issuing let me know. I think that could be an
> > interesting thing to add.
>
> The other option is to set up ocserv to respond with a special
> self-signed cert to incoming connections that use a special SNI
> value:
> > https://letsencrypt.github.io/acme-spec/#rfc.section.7.2
All the described methods look quite complex to use for a simple
server. The SNI thing it requires the server to generate a self signed
certificate for this connection which is not the simplest thing to do.
No wonder they use plugins to the server to make that work.
It is certainly do-able but it is not trivial to add that support, and
I find their selected protocol quite questionable.
> The special SNI value and the special cert are dynamically generated
> during the ACME exchange. If you wanted to build support into
> ocserv,
> you could accept the Z value through dbus and autogenerate the cert +
> SNI name. Not sure how "invasive" all of this is, though.
I would not like to introduce a dbus dependency just for that. occtl
could be used to provide that input, but still the webroot that you
mention below is far much simpler.
> One downside is that many ACME clients only support webroot. So I
> guess this would probably be implemented as a plugin for the
> reference client.
Well the webroot thing can be combined easily with ocserv as it only
requires the HTTP port. Isn't running a temporary HTTP server in
parallel with ocserv a simpler solution?
regards,
Nikos
More information about the openconnect-devel
mailing list