-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for Let's Encrypt / ACME certificate and reloading #41006
Comments
@cescoffier Starting analyzing it. Before going to doing CLI, I'd like to experiment with the protocol, etc, in the next few days |
@cescoffier, @maxandersen, I've started with a little project today to see how it works, https://github.com/sberyozkin/quarkus-quickstarts/pull/new/lets_encrypt It is not meant to be merged, but just to get a feeling for it. Getting a technical error, on the challenge verification, but it is a start |
Turns out NGrok's own ACME client intercepts the challenge and breaks the flow, request to the NGROK support asking for options to workaround it has been sent |
@cescoffier The demo I've prototyped is now working for the first certificate and I expect it to work for the renewal, though the flow I've prototyped there is a little bit different to what you suggested above, let's sync on it a bit later. The flow there as follows, at the moment no CLI is used, but that can be factored in somehow later. At the moment the demo depends on
At the moment it is returned in the browser but can be copied or HTTP posted to the target. Now, if you do Also, as far as I understand, we can't really copy this content into a folder since we have a private key alongside the chain, so this content will have to be inserted into a keystore which is controlled by Quarkus, I'm not sure we want to grant CLI the same kind of access to the server keystore. That said, I see Vert.x can detect changes in the The good news is that WildFly Elytron X509 Acme client works perfectly which has definitely saved us a lot of time. CC @fjuma @Skyllarr |
Just had a quick call with @sberyozkin to align how this could be done. We ended up proposing the following.
So, for the user, it would be something like:
(NOTE: The two commands could be merged) Once this is done, the application will serve https://my-domain-name.org/ using a valid certificate. For renewal, it's as simple as:
Once this is done, the application will use the updated certificate. When let's encrypt is enabled in the application (build time config), it exposes (work done in https://github.com/quarkusio/quarkus/compare/main...cescoffier:quarkus:lets-encrypt?expand=1):
When a specific TLS configuration name is targetted, The CLI plugin uses the Elytron Acme client and an implementation of the Acme client SPI. The implementation of the SPI will use an HTTP client to call the application. The next steps are:
|
@sberyozkin came with a small modification of the protocol. When seting up the challenge, we must pass a token and the challenge. The token must be checked before serving the challenge. Thus, now:
The https://github.com/quarkusio/quarkus/compare/main...cescoffier:quarkus:lets-encrypt?expand=1 branch has been updated. CC @sberyozkin |
Thanks for a quick update, @cescoffier, testing now |
We have worked with @cescoffier on getting the first cut of Acme Client and supporting set of actions for CLI to be built, cescoffier#281 |
We now have working commands, PR should be opened soon! |
Thanks @cescoffier for wrapping it all into CLI 👍 , here is a doc PR, cescoffier#283. |
Description
This overall idea is to provide a CLI plugin that will handle the ACME protocol to:
Implementation ideas
If enabled, the CLI plugin will interact with the (running) Quarkus application (through the management interface) to configure the ACME challenge. Then, it would download the certificates and configure the application to use them.
The reloading follows the same idea. Once the challenge is completed, the new certificates are downloaded and copied to the correct location, and the application is notified to reload the certificate (the new TLS registry has a
reload
method)The Elyton team has provided the code to deal with the challenge and the certificates' downloading. We plan to reuse that code and focus on the CLI part and integration with the Quarkus application.
The ACME protocol is not part of the application itself on purpose. It should still be an explicit administrative action.
The text was updated successfully, but these errors were encountered: