NEW(ish): security/acme-client

NEW(ish): security/acme-client

Stuart Henderson
I generally prefer to use acme-client than the python or bash+openssl(1)
monstrosities to fetch SSL certificates, but I have some systems where
I need to use the DNS-01 challenge type which was removed from the
version in base.

Any objections or OKs to adding a port for Kristaps' original version
(attached)?


Attachment: acme-client.tgz (1K)

Re: NEW(ish): security/acme-client

Stuart Henderson
On 2018/01/15 12:16, Stuart Henderson wrote:
> I generally prefer to use acme-client than the python or bash+openssl(1)
> monstrosities to fetch SSL certificates, but I have some systems where
> I need to use the DNS-01 challenge type which was removed from the
> version in base.
>
> Any objections or OKs to adding a port for Kristaps' original version
> (attached)?
>



Hrrmmmm. Now I've tried to actually run dns-01 from a shell script rather
than faking it with copy-and-paste, I'm not sure if it's actually going to
be all that useful...

The mechanism requires

1. read from acme-client's stdout.
2. run a command based on that output.
3. when the command has run, echo the line back to acme-client's stdin.

(repeat until EOF from acme-client.)

I've tried with "eacme-client | (while read... )", various ways with
fifos, and coroutines, but it all blocks somewhere. Now I started
reading the expect(1) manual to try and do it that way which is never
a good sign...


Re: NEW(ish): security/acme-client

Landry Breuil-5
On Mon, Jan 15, 2018 at 05:11:24PM +0000, Stuart Henderson wrote:

> On 2018/01/15 12:16, Stuart Henderson wrote:
> > I generally prefer to use acme-client than the python or bash+openssl(1)
> > monstrosities to fetch SSL certificates, but I have some systems where
> > I need to use the DNS-01 challenge type which was removed from the
> > version in base.
> >
> > Any objections or OKs to adding a port for Kristaps' original version
> > (attached)?
> >
>
>
>
> Hrrmmmm. Now I've tried to actually run dns-01 from a shell script rather
> than faking it with copy-and-paste, I'm not sure if it's actually going to
> be all that useful...
>
> The mechanism requires
>
> 1. read from acme-client's stdout.
> 2. run a command based on that output.
> 3. when the command has run, echo the line back to acme-client's stdin.
>
> (repeat until EOF from acme-client.)
>
> I've tried with "eacme-client | (while read... )", various ways with
> fifos, and coroutines, but it all blocks somewhere. Now I started
> reading the expect(1) manual to try and do it that way which is never
> a good sign...
>

Can't acme-client just spawn a user-configurable command and communicate
with it via fifos/stdin/stdout? FWIW, for dns-01 I use acme.sh, which
works, but I agree it's not pretty....


Re: NEW(ish): security/acme-client

Alexander Hall
In reply to this post by Stuart Henderson


On January 15, 2018 6:11:24 PM GMT+01:00, Stuart Henderson <[hidden email]> wrote:

>On 2018/01/15 12:16, Stuart Henderson wrote:
>> I generally prefer to use acme-client than the python or
>bash+openssl(1)
>> monstrosities to fetch SSL certificates, but I have some systems
>where
>> I need to use the DNS-01 challenge type which was removed from the
>> version in base.
>>
>> Any objections or OKs to adding a port for Kristaps' original version
>> (attached)?
>>
>
>
>
>Hrrmmmm. Now I've tried to actually run dns-01 from a shell script
>rather
>than faking it with copy-and-paste, I'm not sure if it's actually going
>to
>be all that useful...
>
>The mechanism requires
>
>1. read from acme-client's stdout.
>2. run a command based on that output.
>3. when the command has run, echo the line back to acme-client's stdin.
>
>(repeat until EOF from acme-client.)
>
>I've tried with "eacme-client | (while read... )", various ways with
>fifos, and coroutines, but it all blocks somewhere. Now I started
>reading the expect(1) manual to try and do it that way which is never
>a good sign...

A good recipe for lockups, but did you try sth like

$ dns-01 |& acme-client <&p >&p

?

/Alexander
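The handshake Stuart describes above (read a line from acme-client, act on it, echo the same line back, repeat until EOF) and the coprocess wiring Alexander suggests, written out as an added example; this is not code from the thread or from acme-client itself. The acme-client side is a constructed stand-in function that only mimics the line-per-challenge exchange, and the helper's "install" step is a placeholder that appends to a file where a real script would call nsupdate(1) or a DNS provider API (an assumption, not something the thread specifies). Alexander's ksh idiom `dns-01 |& acme-client <&p >&p` is spelled out with two named pipes so it also runs under plain sh:

```shell
#!/bin/sh
# Added example (not acme-client's own code): the dns-01 handshake from the
# thread, wired through two fifos so neither side blocks. "acme-client" here
# is a constructed stand-in that mimics the line-per-challenge protocol.

# Stand-in for acme-client's dns-01 mode (constructed). Prints one challenge
# line, then blocks until the helper echoes that exact line back on stdin.
fake_acme_client() {
    local line reply
    for line in "$@"; do
        printf '%s\n' "$line"
        if ! IFS= read -r reply; then
            echo "fake_acme_client: helper closed its end early" >&2
            return 1
        fi
        if [ "$reply" != "$line" ]; then
            echo "fake_acme_client: unexpected reply: $reply" >&2
            return 1
        fi
    done
}

# DNS-side helper: for each challenge line, "install" the record (here only
# appended to $1; a real helper would call nsupdate(1) or a DNS API at this
# point, assumption), then echo the line back so acme-client continues.
dns01_helper() {
    local recordfile="$1" line
    while IFS= read -r line; do
        printf 'installed %s\n' "$line" >>"$recordfile"
        printf '%s\n' "$line"
    done
}

# Connect the two with named pipes. The thread's ksh one-liner
#   dns-01 |& acme-client <&p >&p
# is the same idea using ksh's built-in coprocess (bash spells it `coproc`).
# Fifo open order matters: the helper opens to_helper for reading first and
# the client opens it for writing first, so every open() pairs with a peer
# and neither side stalls waiting on the other pipe.
run_dns01() {
    local recordfile="$1" dir rc helper_pid
    shift
    : >"$recordfile"
    dir=$(mktemp -d) || return 1
    mkfifo "$dir/to_helper" "$dir/from_helper" || return 1
    dns01_helper "$recordfile" <"$dir/to_helper" >"$dir/from_helper" &
    helper_pid=$!
    if fake_acme_client "$@" >"$dir/to_helper" <"$dir/from_helper"; then
        rc=0
    else
        rc=$?
    fi
    # The client exiting closes to_helper, so the helper reads EOF and exits.
    wait "$helper_pid"
    rm -rf "$dir"
    return "$rc"
}

# Number of records the helper installed, read back from the record file.
installed_count() {
    grep -c '^installed ' "$1"
}
```

The plain `acme-client | (while read ...)` attempt blocks because the loop's echo goes to the loop's own stdout, never back to acme-client's stdin, so acme-client waits forever for the acknowledgement. A coprocess (or the two fifos above, opened in a fixed order) closes that loop. Note that the helper must echo the line unchanged; anything else makes the stand-in, like a strict client, refuse to continue.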


Re: NEW(ish): security/acme-client

Stuart Henderson
On 2018/01/15 19:34, Alexander Hall wrote:

>
>
> On January 15, 2018 6:11:24 PM GMT+01:00, Stuart Henderson <[hidden email]> wrote:
> >On 2018/01/15 12:16, Stuart Henderson wrote:
> >> I generally prefer to use acme-client than the python or
> >bash+openssl(1)
> >> monstrosities to fetch SSL certificates, but I have some systems
> >where
> >> I need to use the DNS-01 challenge type which was removed from the
> >> version in base.
> >>
> >> Any objections or OKs to adding a port for Kristaps' original version
> >> (attached)?
> >>
> >
> >
> >
> >Hrrmmmm. Now I've tried to actually run dns-01 from a shell script
> >rather
> >than faking it with copy-and-paste, I'm not sure if it's actually going
> >to
> >be all that useful...
> >
> >The mechanism requires
> >
> >1. read from acme-client's stdout.
> >2. run a command based on that output.
> >3. when the command has run, echo the line back to acme-client's stdin.
> >
> >(repeat until EOF from acme-client.)
> >
> >I've tried with "eacme-client | (while read... )", various ways with
> >fifos, and coroutines, but it all blocks somewhere. Now I started
> >reading the expect(1) manual to try and do it that way which is never
> >a good sign...
>
> A good recipe for lockups, but did you try sth like
>
> $ dns-01 |& acme-client <&p >&p
>
> ?

Awesome! That works well enough, thank you very much.


Re: NEW(ish): security/acme-client

Florian Obser-2
In reply to this post by Landry Breuil-5
On Mon, Jan 15, 2018 at 06:40:01PM +0100, Landry Breuil wrote:
> On Mon, Jan 15, 2018 at 05:11:24PM +0000, Stuart Henderson wrote:
> > On 2018/01/15 12:16, Stuart Henderson wrote:
> > > I generally prefer to use acme-client than the python or bash+openssl(1)
> > > monstrosities to fetch SSL certificates, but I have some systems where
> > > I need to use the DNS-01 challenge type which was removed from the
> > > version in base.

IIRC we didn't remove it, we imported it before Kristaps implemented
dns-01. Then I looked at how he implemented it, he mumbled something
about popen and I ran away screaming...

> > >
> > > Any objections or OKs to adding a port for Kristaps' original version
> > > (attached)?
> > >
> >
> >
> >
> > Hrrmmmm. Now I've tried to actually run dns-01 from a shell script rather
> > than faking it with copy-and-paste, I'm not sure if it's actually going to
> > be all that useful...
> >
> > The mechanism requires
> >
> > 1. read from acme-client's stdout.
> > 2. run a command based on that output.
> > 3. when the command has run, echo the line back to acme-client's stdin.
> >
> > (repeat until EOF from acme-client.)

... with good reason as you discovered.

> >
> > I've tried with "eacme-client | (while read... )", various ways with
> > fifos, and coroutines, but it all blocks somewhere. Now I started
> > reading the expect(1) manual to try and do it that way which is never
> > a good sign...

While what Kristaps implemented looked doable in theory, I thought it
would be very difficult to add to cronjobs or the like.

> >
>
> Can't acme-client just spawn a user-configurable command and communicate
> with it via fifos/stdin/stdout? FWIW, for dns-01 I use acme.sh, which
> works, but I agree it's not pretty....
>

The way Benno and I wanted to implement it (but ENOTIME) was that you call
acme-client multiple times.
1st call: give me the things that I need to put into DNS
2nd call: I put things into DNS, go ahead, do your thing.

I have not looked at the protocol though. Maybe you need more calls?

--
I'm not entirely sure you are real.


Re: NEW(ish): security/acme-client

Stuart Henderson
On 2018/01/15 19:46, Florian Obser wrote:

> On Mon, Jan 15, 2018 at 06:40:01PM +0100, Landry Breuil wrote:
> > On Mon, Jan 15, 2018 at 05:11:24PM +0000, Stuart Henderson wrote:
> > > On 2018/01/15 12:16, Stuart Henderson wrote:
> > > > I generally prefer to use acme-client than the python or bash+openssl(1)
> > > > monstrosities to fetch SSL certificates, but I have some systems where
> > > > I need to use the DNS-01 challenge type which was removed from the
> > > > version in base.
>
> IIRC we didn't remove it, we imported it before Kristaps implemented
> dns-01. Then I looked at how he implemented it, he mumbled something
> about popen and I ran away screaming...

Ahh - I thought it was there because I saw -t in getopt, but it turns out
that was used for something else previously.

> > > > Any objections or OKs to adding a port for Kristaps' original version
> > > > (attached)?
> > > >
> > >
> > >
> > >
> > > Hrrmmmm. Now I've tried to actually run dns-01 from a shell script rather
> > > than faking it with copy-and-paste, I'm not sure if it's actually going to
> > > be all that useful...
> > >
> > > The mechanism requires
> > >
> > > 1. read from acme-client's stdout.
> > > 2. run a command based on that output.
> > > 3. when the command has run, echo the line back to acme-client's stdin.
> > >
> > > (repeat until EOF from acme-client.)
>
> ... with good reason as you discovered.
>
> > >
> > > I've tried with "eacme-client | (while read... )", various ways with
> > > fifos, and coroutines, but it all blocks somewhere. Now I started
> > > reading the expect(1) manual to try and do it that way which is never
> > > a good sign...
>
> While what Kristaps implemented looked doable in theory, I thought it
> would be very difficult to add to cronjobs or the like.

It's quite a clever way to avoid a bunch of extra complication to spawn
a process from a safe place within acme-client. But it's painful to figure
out how to use it.

> > Can't acme-client just spawn a user-configurable command and communicate
> > with it via fifos/stdin/stdout? FWIW, for dns-01 I use acme.sh, which
> > works, but I agree it's not pretty....
>
> The way Benno and I wanted to implement it (but ENOTIME) was that you call
> acme-client multiple times.
> 1st call: give me the things that I need to put into DNS
> 2nd call: I put things into DNS, go ahead, do your thing.
>
> I have not looked at the protocol though. Maybe you need more calls?

It looks like you can have up to 300 pending auths with letsencrypt's
rate limits on the production CA, so I think it should be possible to use
2 calls up to that limit (as long as you don't have auths get interrupted).
That wouldn't be particularly restrictive for typical single/small
users, but hosting providers with a lot of client domains to renew
at once could bump into it.

Another question is which is easier to do: keeping state to separate
things into 2 calls, or reworking things so a separate auth process
can be spawned from a safe place.


Re: NEW(ish): security/acme-client

Alexander Hall
In reply to this post by Stuart Henderson


On January 15, 2018 7:46:16 PM GMT+01:00, Stuart Henderson <[hidden email]> wrote:

>On 2018/01/15 19:34, Alexander Hall wrote:
>>
>>
>> On January 15, 2018 6:11:24 PM GMT+01:00, Stuart Henderson
><[hidden email]> wrote:
>> >On 2018/01/15 12:16, Stuart Henderson wrote:
>> >> I generally prefer to use acme-client than the python or
>> >bash+openssl(1)
>> >> monstrosities to fetch SSL certificates, but I have some systems
>> >where
>> >> I need to use the DNS-01 challenge type which was removed from the
>> >> version in base.
>> >>
>> >> Any objections or OKs to adding a port for Kristaps' original
>version
>> >> (attached)?
>> >>
>> >
>> >
>> >
>> >Hrrmmmm. Now I've tried to actually run dns-01 from a shell script
>> >rather
>> >than faking it with copy-and-paste, I'm not sure if it's actually
>going
>> >to
>> >be all that useful...
>> >
>> >The mechanism requires
>> >
>> >1. read from acme-client's stdout.
>> >2. run a command based on that output.
>> >3. when the command has run, echo the line back to acme-client's
>stdin.
>> >
>> >(repeat until EOF from acme-client.)
>> >
>> >I've tried with "eacme-client | (while read... )", various ways with
>> >fifos, and coroutines, but it all blocks somewhere. Now I started
>> >reading the expect(1) manual to try and do it that way which is
>never
>> >a good sign...
>>
>> A good recipe for lockups, but did you try sth like
>>
>> $ dns-01 |& acme-client <&p >&p
>>
>> ?
>
>Awesome! That works well enough, thank you very much.

Heh, you're welcome. I really wasn't sure it would. :-)


Re: NEW(ish): security/acme-client

Stuart Henderson
In reply to this post by Stuart Henderson
On 2018/01/15 12:16, Stuart Henderson wrote:
> I generally prefer to use acme-client than the python or bash+openssl(1)
> monstrosities to fetch SSL certificates, but I have some systems where
> I need to use the DNS-01 challenge type which was removed from the
> version in base.
>
> Any objections or OKs to adding a port for Kristaps' original version
> (attached)?
>

There was a bit of discussion about this earlier but I didn't get much
feedback for the port itself, I still need this and would like to commit
it rather than have to build locally (at least until base acme-client
regains support for DNS-01).

Any OKs to import?

(Using /etc/ssl instead of ${SYSCONFDIR}/ssl is intentional).


Attachment: acme-client.tgz (1K)