httpd-dev mailing list archives

From Dirk-Willem van Gulik <di...@webweaving.org>
Subject Re: mod_lets-encrypt
Date Sat, 14 Jan 2017 18:15:29 GMT

> On 14 Jan 2017, at 19:05, William A Rowe Jr <wrowe@rowe-clan.net> wrote:
> 
> On Sat, Jan 14, 2017 at 10:22 AM, Eric Covener <covener@gmail.com> wrote:
>> On Sat, Jan 14, 2017 at 11:19 AM, Eric Covener <covener@gmail.com> wrote:
>>> 
>>> I think if a feature/directive will turn on something that will write
>>> to configured keystores, it really shouldn't do or dictate much else.
>> 
>> Poorly phrased, but I think obtaining a cert should be separate from
>> things like further SSL configuration.
> 
> I think Dirk is suggesting that the core mod_ssl continues to exist, with
> sane defaults that require next to no specific directives other than to
> perhaps set the https protocol on port 443, and (I vote optionally) have
> a one line toggle for rewriting all port 80 requests to 443.
> 
> Note that h2 requests will continue to be honored on either port 80
> or 443, so this has to be crafted somewhat carefully.
> 
> I'm 100% in support of ensuring that mod_ssl runs with the most
> sensible choices in the most minimal config.
> 
> Any mod_letsencrypt can provision the certs but needs to do so
> while still root, before servicing requests (although there could be
> some bounce-step where the MPM begins satisfying requests,
> including the verification request necessary for letsencrypt.) We
> certainly don't want to parse any web response whatsoever while
> running as root.

Some of this will be needed - we need to be root to bind to port 80 — as the protocol (in
my reading) seems to demand it (now would be a good time to petition the draft to change this
for a random higher port).

In fact - that may be a nice feature - an, essential, ephemeral port.

And we will need to be able to respond to an HTTP request to a well known URL with the public
key/token — and post that have some fork/pid be root enough to write a few things to safe
places.

> I do believe the proposal should require a one line directive to
> enable this, particularly for the compiled-in static many modules
> build of httpd. It's shouldn't be simply a matter of loading some
> mod_letsencrypt without also some 'LetsEncrypt on" directive
> in the ssl vhost config.

The alternative is bundling a small shell script, like a stripped-down
‘dehydrated’:

	https://github.com/lukas2511/dehydrated/blob/master/dehydrated

as a tool. And augment it with examples. But then you are back to square one.

Dw.
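The flow Dirk describes above (bind port 80 while root, answer the well-known challenge URL with the token and key material, keep anything that parses client input out of the root process) can be sketched in a few dozen lines. The following is an added example, not code from this thread, from httpd, or from dehydrated. It assumes the http-01 key authorization format of RFC 8555 (token, a dot, the RFC 7638 thumbprint of the account key), an unprivileged account named `www-data`, and a constructed account JWK; the surrounding ACME client work (placing the order, polling, retrieving and writing the certificate as a privileged step) is outside the snippet.

```python
"""Skeleton of an ACME http-01 responder that separates privilege from parsing:
bind :80 as root, drop to an unprivileged user, then answer only the exact
challenge tokens we are waiting for. Example code, not httpd's or dehydrated's."""
import base64
import hashlib
import json
import os
import pwd
import socket
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
BASE64URL_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")

# Constructed account key for illustration only; a real client generates and stores its own.
CONSTRUCTED_ACCOUNT_JWK = {
    "kty": "RSA",
    "n": "c29tZS1jb25zdHJ1Y3RlZC1tb2R1bHVz",  # constructed, not a real modulus
    "e": "AQAB",
    "alg": "RS256",       # not part of the thumbprint input (RFC 7638)
    "kid": "2017-01-14",  # neither is this
}


def b64url(data):
    """base64url without padding, as ACME and JOSE use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: SHA-256 over the required members only, keys in
    lexical order, no whitespace. Optional members such as alg/kid are dropped."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token, account_jwk):
    """RFC 8555 s8.1: the body served for a token is token '.' thumbprint(accountKey)."""
    return token + "." + jwk_thumbprint(account_jwk)


def challenge_response(path, pending):
    """Map a request path to (status, body). Anything that is not an exact, expected
    token gets 404: no listing, no traversal, nothing reflected from the request."""
    if not path.startswith(CHALLENGE_PREFIX):
        return 404, ""
    token = path[len(CHALLENGE_PREFIX):]
    # ACME tokens are base64url without padding; refuse '/', '.', '?', '=' and the rest
    if not token or any(c not in BASE64URL_ALPHABET for c in token):
        return 404, ""
    body = pending.get(token)
    if body is None:
        return 404, ""
    return 200, body


def bind_privileged_then_drop(port=80, user="www-data"):
    """Bind the privileged port while still root, then become an unprivileged user
    BEFORE any client byte is read. 'www-data' is an assumed account name."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", port))
    sock.listen(16)
    if os.geteuid() == 0:
        pw = pwd.getpwnam(user)
        os.setgroups([])      # shed supplementary groups first
        os.setgid(pw.pw_gid)  # gid before uid; afterwards we could not change gid
        os.setuid(pw.pw_uid)
        if os.geteuid() == 0:
            raise RuntimeError("privilege drop failed; refusing to serve as root")
    return sock


class ChallengeHandler(BaseHTTPRequestHandler):
    pending = {}

    def do_GET(self):
        status, body = challenge_response(self.path, self.pending)
        payload = body.encode("ascii")
        self.send_response(status)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):
        pass


def serve(pending, sock):
    """Run the responder on an already bound (and already de-privileged) socket."""
    ChallengeHandler.pending = pending
    server = HTTPServer(("", 0), ChallengeHandler, bind_and_activate=False)
    server.socket.close()
    server.socket = sock
    server.server_address = sock.getsockname()
    server.serve_forever()


if __name__ == "__main__":
    token = b64url(os.urandom(32))  # in practice the token comes from the CA's challenge
    pending = {token: key_authorization(token, CONSTRUCTED_ACCOUNT_JWK)}
    serve(pending, bind_privileged_then_drop())
```

The ordering is the whole point: `bind()` is the only thing that needs root, the setuid happens before `serve_forever()` accepts a connection, and the handler never touches the filesystem, so the part that parses untrusted input has nothing to lose. Writing the issued certificate into the keystore is the separate, privileged step that William's "bounce" describes and belongs in a parent process that reads only the result of the ACME exchange, not the HTTP traffic.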