Bug 59175 - add ACME protocol support for automated certificate management
Summary: add ACME protocol support for automated certificate management
Status: RESOLVED FIXED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl (show other bugs)
Version: 2.5-HEAD
Hardware: All All
: P2 enhancement (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-03-13 13:53 UTC by Josh Aas
Modified: 2018-05-26 13:07 UTC (History)
1 user (show)



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Josh Aas 2016-03-13 13:53:00 UTC
Many people want to use SSL/TLS, and should, but getting and managing certificates is a pain. Server software can relieve much of the pain by supporting the ACME protocol and automatically retrieving and managing certificates for configured domains.

The ACME protocol can be supported by any certificate authority (CA) and an IETF WG is working on standardizing it.

Here is an example of an HTTP server getting a certificate for a domain automatically using ACME and Let's Encrypt:

https://www.youtube.com/watch?v=nk4EWHvvZtI

We should try to make it this easy in apache as well.
Comment 1 Reindl Harald 2016-03-20 10:41:36 UTC
disclaimer: i am not a httpd-developer

the httpd process handling incoming requests MUST NOT have write permissions to the certificates and even not read permissions after drop privileges - so how do you imagine this working in a secure manner?
Comment 2 Yann Ylavic 2016-03-29 16:12:40 UTC
I agree with Harald here, managing certificates either in the parent process which is problematic because "root" shouldn't issue outgoing connections (to letsencrypt or whatever), or using an unpriviledged/dedicated process which is a concern with regard to the final owner/rights on the certificates.

IMHO, this is a tool's job (probably from the distro) to provide this feature and configure httpd accordingly.
Comment 3 Peter Eckersley 2016-03-30 00:31:58 UTC
If that's the approach that the Apache team considers most correct, the EFF client (currently called "letsencrypt" but we're going to rename it shortly) has already started on it to some degree.

The plugin code here is designed to try to configure httpd to speak TLS correctly:

https://github.com/letsencrypt/letsencrypt/tree/master/letsencrypt-apache/letsencrypt_apache

At the moment, that code works for about 95% of Apache configurations, but there are definitely cases it doesn't handle yet, such as:

* WSGI (https://github.com/letsencrypt/letsencrypt/issues/1820)
* Multiple vhosts per file (https://github.com/letsencrypt/letsencrypt/issues/1042)

It would be great to have some attention and energy from the Apache team to help ensure that this code is robust, architecturally sensible, and on path that will work for 99.x or 100% of users in the future.

There are definitely some pieces that feel hackish at the moment, such as all of the vhost juggling logic and the fact that we rely on Augeas's imperfect grammar for Apache config files:

https://github.com/hercules-team/augeas/blob/master/lenses/httpd.aug
Comment 4 Josh Aas 2016-03-30 01:13:43 UTC
An external tool is going to have some hard user experience limitations no matter how good it is. In a world where HTTPS is what most people want, or even required by browsers (it's where we're headed), Apache is going to want to do better than that.

I'm confident that if the Apache team wants to provide first-class integrated support for HTTPS and certificate management via ACME they can find a way to do it securely.

In the mean time external tools will have to suffice, and as Peter said it would be nice to have help with them, but I think we should focus on discussing full integration here.
Comment 5 Christophe JAILLET 2018-05-26 13:07:06 UTC
Have a look at mod_md (https://httpd.apache.org/docs/current/mod/mod_md.html) available in httpd 2.4.30+.

Currently, the module is still marked as "experimental".