__letsencrypt_cert rewrite and subtypes, analyse phase #57

New Issue

ungleich-gitea · 2021-11-20T11:25:17Z

ungleich-gitea commented

2021-11-20 11:25:17 +00:00

facts: currently __letsencrypt_cert is a mess and there are many acme clients.

idea: __letsencrypt_cert should have subtypes for every client with common interface.

clients we should support:

https://certbot.eff.org = __acme_certbot
https://github.com/acmesh-official/acme.sh = __acme_sh
https://github.com/dehydrated-io/dehydrated = __acme_dehydrated
???
100% cdist acme client without external client dependency = __acme_cdist

parameters we need:

--mail <mail-addr>
--domain <domain-name> (multiple)
--type <certbot|acme|dehydrated> (default: certbot)
--validation <http-01:webroot=/var/www|what-ever:foo-bar>
--webroot(-path)? <path-to-webroot> (shorthand for --validation http-01:webroot=/path/to/webroot etc)
--extra-args <args> (multiple, pass more specific options to the backend)

--webroot or --validation must be set, because we need validation method.

not sure:

--key-path (optional, default is /etc/ssl/private/? not needed by certbot in some cases)
--cert-path (optional, default is /etc/ssl/certs/? not needed by certbot in some cases)
--pre-renewal-hook (optional, multiple)
--deploy-renewal-hook (optional, multiple)
--post-renewal-hook (optional, multiple)
--server (optional, which server to use, staging or any other acme compatible server)
--automatic-renewal (boolean, not needed with some distros/clients)
--standalone (boolean, spawns built-in httpd for challange)

if subtype doesn't support hook, then always throw exit 1?

some clients doesn't have hooks, so we have to work round that. definitely pre and post hooks are needed, not sure about deploy.

what else? discuss, propose better parameter names etc.

**facts:** currently `__letsencrypt_cert` is a mess and there are many acme clients. **idea:** `__letsencrypt_cert` should have subtypes for every client with common interface. clients we should support: * https://certbot.eff.org = `__acme_certbot` * https://github.com/acmesh-official/acme.sh = `__acme_sh` * https://github.com/dehydrated-io/dehydrated = `__acme_dehydrated` * ??? * 100% cdist acme client without external client dependency = `__acme_cdist` **parameters we need:** * `--mail <mail-addr>` * `--domain <domain-name>` (multiple) * `--type <certbot|acme|dehydrated>` (default: `certbot`) * `--validation <http-01:webroot=/var/www|what-ever:foo-bar>` * `--webroot(-path)? <path-to-webroot>` (shorthand for `--validation http-01:webroot=/path/to/webroot` etc) * `--extra-args <args>` (multiple, pass more specific options to the backend) `--webroot` or `--validation` must be set, because we need validation method. **not sure:** * `--key-path` (optional, default is `/etc/ssl/private/`? not needed by certbot in some cases) * `--cert-path` (optional, default is `/etc/ssl/certs/`? not needed by certbot in some cases) * `--pre-renewal-hook` (optional, multiple) * `--deploy-renewal-hook` (optional, multiple) * `--post-renewal-hook` (optional, multiple) * `--server` (optional, which server to use, staging or any other acme compatible server) * `--automatic-renewal` (boolean, not needed with some distros/clients) * `--standalone` (boolean, spawns built-in httpd for challange) if subtype doesn't support hook, then always throw `exit 1`? some clients doesn't have hooks, so we have to work round that. definitely pre and post hooks are needed, not sure about deploy. what else? discuss, propose better parameter names etc.

ungleich-gitea commented

2021-11-20 15:32:05 +00:00

I agree with --type defaulting to certbot. I guess that's what most users would expect.
Users who want a different backend, can just use the --type parameter.

Not sure about the --webroot. --validation http-01:webroot=/var/www?
Maybe --validation should default to standalone mode, what do you think?

I agree with `--type` defaulting to `certbot`. I guess that's what most users would expect. Users who want a different backend, can just use the `--type` parameter. Not sure about the `--webroot`. `--validation http-01:webroot=/var/www`? Maybe `--validation` should default to standalone mode, what do you think?

ungleich-gitea commented

2021-11-20 15:32:06 +00:00

I'm starting to get annoyed by this, bit me again today - __letsencrypt_cert is somewhat broken and needs to be fixed.

I'll do some priority ordering...

I'm starting to get annoyed by this, bit me again today - `__letsencrypt_cert` is somewhat broken and needs to be fixed. I'll do some priority ordering...

ungleich-gitea commented

2021-11-20 15:32:08 +00:00

mentioned in merge request !873

ungleich-gitea commented

2021-11-20 15:32:09 +00:00

changed the description

ungleich-gitea commented

2021-11-20 15:32:10 +00:00

changed the description

ungleich-gitea commented

2021-11-20 15:32:12 +00:00

changed the description

ungleich-gitea commented

2021-11-20 15:32:13 +00:00

changed the description

ungleich-gitea commented

2021-11-20 15:32:14 +00:00

changed the description

ungleich-gitea commented

2021-11-20 15:32:16 +00:00

shortest possible working type should be something like this:

__letsencrypt_cert example.com --mail hostmaster@example.com --webroot /var/www

now, how we decide which backend? we don't want too complex heuristics for that.

or maybe just set certbot as default for --type and call it a day. it's official client anyway :)

shortest possible working type should be something like this: ``` __letsencrypt_cert example.com --mail hostmaster@example.com --webroot /var/www ``` now, how we decide which backend? we don't want too complex heuristics for that. or maybe just set `certbot` as default for `--type` and call it a day. it's official client anyway :)

ungleich-gitea commented

2021-11-20 15:32:17 +00:00

changed the description

ungleich-gitea commented

2021-11-20 15:32:18 +00:00

changed the description

ungleich-gitea commented

2021-11-20 15:32:20 +00:00

changed the description

ungleich-gitea commented

2021-11-20 15:32:21 +00:00

changed the description

ungleich-gitea commented

2021-11-20 15:32:22 +00:00

changed the description

ungleich-gitea commented

2021-11-20 15:32:24 +00:00

changed the description

ungleich-gitea commented

2021-11-20 15:32:25 +00:00

changed the description

ungleich-gitea commented

2021-11-20 15:32:26 +00:00

that looks nice
agree
me neither because I don't use it, but some maybe does
but then again ju can use extra-args for standalone

1. that looks nice 2. agree 3. me neither because I don't use it, but some maybe does 4. but then again ju can use extra-args for standalone

ungleich-gitea commented

2021-11-20 15:32:28 +00:00

For us, support for different challenge types, i.e. DNS validation, would be really useful since we use Let's Encrypt certificates also for non-internet facing machines.
Moreover, DNS validation is required for wildcard certificates.

What do you think about having a --validation parameter that would accept a type and parameters for it?
e.g.:
- --validation http-01:webroot=/var/www
- --validation dns-01:add-script=/etc/getssl/scripts/dns-add.sh,del-script=/etc/getssl/scripts/dns-del.sh
- --validation alpn-01:dir=/srv/acme
A --type parameter should be available to select a "backend".
I'm not sure about the --standalone parameter as not all ACME clients support a standalone mode.
How about adding an extra-args parameter to pass more specific options to the backend?

1. For us, support for different [challenge types](https://letsencrypt.org/docs/challenge-types/), i.e. DNS validation, would be really useful since we use Let's Encrypt certificates also for non-internet facing machines. Moreover, DNS validation is required for wildcard certificates. What do you think about having a `--validation` parameter that would accept a type and parameters for it? e.g.: * `--validation http-01:webroot=/var/www` * `--validation dns-01:add-script=/etc/getssl/scripts/dns-add.sh,del-script=/etc/getssl/scripts/dns-del.sh` * `--validation alpn-01:dir=/srv/acme` 2. A `--type` parameter should be available to select a "backend". 3. I'm not sure about the `--standalone` parameter as not all ACME clients support a standalone mode. 4. How about adding an `extra-args` parameter to pass more specific options to the backend?

ungleich-gitea commented

2021-11-20 15:32:29 +00:00

what do we win if we have type with subtypes?

how do we decide in main type which subtype to use?

what's default fallback?

what do we win if we have type with subtypes? how do we decide in main type which subtype to use? what's default fallback?

ungleich-gitea commented

2021-11-20 15:32:30 +00:00

changed the description

Sign in to join this conversation.