Using Let's Encrypt / ACME with ocserv
Kevin Cernekee
cernekee at gmail.com
Mon Jan 25 12:04:44 PST 2016
On Mon, Jan 25, 2016 at 11:24 AM, Nikos Mavrogiannopoulos
<n.mavrogiannopoulos at gmail.com> wrote:
>> The special SNI value and the special cert are dynamically generated
>> during the ACME exchange. If you wanted to build support into
>> ocserv,
>> you could accept the Z value through dbus and autogenerate the cert +
>> SNI name. Not sure how "invasive" all of this is, though.
>
> I would not like to introduce a dbus dependency just for that. occtl
> could be used to provide that input, but still the webroot that you
> mention below is far simpler.
Err, right, for some reason I thought occtl was using dbus. Oops.
>> One downside is that many ACME clients only support webroot. So I
>> guess this would probably be implemented as a plugin for the
>> reference client.
>
> Well the webroot thing can be combined easily with ocserv as it only
> requires the HTTP port. Isn't running a temporary HTTP server in
> parallel with ocserv a simpler solution?
Yes, I'm using the standalone plugin to do that now. Fortunately,
there is nothing else running on port 80 on this IP, so it's not a
major problem.
I really hope they reconsider their decision to drop TLS webroot
support - it's even in the spec. If that happens I'll send my ocserv
ACME webroot patch.
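For readers following the "Z value" part of the exchange above, here is an added example (not code from this thread, from ocserv, or from any ACME client) of the derivation the TLS-SNI-01 challenge in the ACME drafts of that period specified: the key authorization is token "." base64url(JWK thumbprint, RFC 7638), Z is its SHA-256 digest in lowercase hex, and the self-signed certificate must carry the name Z[0:32] "." Z[32:64] ".acme.invalid". A server that accepted Z, as the post suggests ocserv could, would only need `tls_sni_01_name()` and a certificate generator around it. The JWK, the token and the function names are constructed for the example; the modulus is a placeholder string, not a real key, and the token check reflects the draft's advice to validate tokens before using them in filesystem paths for the webroot challenge.

```python
"""Derive the TLS-SNI-01 validation name from an ACME challenge (example code)."""
import base64
import hashlib
import json
import re

# Constructed inputs for the example: a placeholder RSA JWK (not a real key)
# and a token of the form an ACME server issues (base64url, >= 128 bits).
SAMPLE_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "xjlCXp3Sdm7n0kO2jBLlx6R3Uq9Mz0HvZ2wW8pY1aQ",
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

# RFC 7638: thumbprint input is the required public members, sorted by name,
# serialised as JSON with no whitespace.
REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}

# ACME tokens are base64url; anything else must be rejected before the token
# is used to build a path such as .well-known/acme-challenge/<token>.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")
SNI_NAME_RE = re.compile(r"^[0-9a-f]{32}\.[0-9a-f]{32}\.acme\.invalid$")


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE/ACME use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of a public JWK (SHA-256, base64url)."""
    members = REQUIRED_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def validate_token(token: str) -> str:
    """Reject tokens that could escape a webroot directory or break a URL."""
    if not TOKEN_RE.match(token):
        raise ValueError("invalid ACME token: %r" % token)
    return token


def key_authorization(token: str, jwk: dict) -> str:
    """token '.' thumbprint, the value both http-01 and tls-sni-01 hash."""
    return validate_token(token) + "." + jwk_thumbprint(jwk)


def tls_sni_01_name(key_authz: str) -> str:
    """Z = hex(SHA-256(keyAuthorization)); name = Z[0:32].Z[32:64].acme.invalid."""
    z = hashlib.sha256(key_authz.encode("ascii")).hexdigest()
    return "%s.%s.acme.invalid" % (z[:32], z[32:])


def is_tls_sni_01_name(sni: str) -> bool:
    """True if an incoming SNI looks like a tls-sni-01 validation name, so a
    server can decide whether to present the challenge certificate."""
    return bool(SNI_NAME_RE.match(sni))


if __name__ == "__main__":
    ka = key_authorization(SAMPLE_TOKEN, SAMPLE_JWK)
    print("key authorization:", ka)
    print("SNI name to put in the challenge cert:", tls_sni_01_name(ka))
```

The name is deterministic for a given account key and token, so the client and the CA's validator compute it independently; the server only has to present a self-signed certificate with that subjectAltName when a ClientHello carries that SNI, and serve its normal certificate otherwise.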