Automatic Let's Encrypt certificates for user-provided domains #836

iwilltry42 · 2022-11-02T22:38:34Z

Note: This uses the HTTP01 challenge, which requires port 80 (on the ingress controller) to be accessible from the outside.

Other Changes

moved let's encrypt logic to its own package (including the wildcard certificate logic)
the on-acorn.io wildcard certificate is now treated just like any other certificate, meaning that the certificate secret handler will renew it if needed (independent from the DNS config handler)

To-Do

Move long-running jobs to goroutines
Proper "locking" for running requests
Hashing the ACME Account should include the Private Key which is the actual identifier
- Scratch that, the private key should be re-generated if URL/E-Mail changed as we'd re-register an ACME account in that case.

Ref #206 & #486

- moved TLS functionality out of acorn package - created new router middlewares to filter for acorn-managed TLS secrets - implement handler skeletons for initial provisioning and renewal of certificates Signed-off-by: Thorsten Klein <tk@thklein.io>

Signed-off-by: Thorsten Klein <tk@thklein.io>

…nd user-provided domain certificates Signed-off-by: Thorsten Klein <tk@thklein.io>

… tls renewal tasks Signed-off-by: Thorsten Klein <tk@thklein.io>

iwilltry42 added 2 commits October 26, 2022 22:50

change: cleanup letsencrypt logic

16af8b9

Signed-off-by: Thorsten Klein <tk@thklein.io>

iwilltry42 requested review from ibuildthecloud and cjellick November 2, 2022 22:38

iwilltry42 self-assigned this Nov 2, 2022

change: enable TLS via ACME HTTP01 for user-provided domains

eb78b41

Signed-off-by: Thorsten Klein <tk@thklein.io>

iwilltry42 force-pushed the iwilltry42/issue206 branch from e1c6799 to eb78b41 Compare November 2, 2022 22:52

iwilltry42 added 2 commits November 3, 2022 11:09

change: implement automatic certificate renewal

793463e

Signed-off-by: Thorsten Klein <tk@thklein.io>

change: unify provisioning/renewal of on-acorn wildcard certificate a…

2203d5d

…nd user-provided domain certificates Signed-off-by: Thorsten Klein <tk@thklein.io>

iwilltry42 force-pushed the iwilltry42/issue206 branch from 3c84dd0 to 98805fb Compare November 3, 2022 22:20

change: use domain locking map and goroutines to extract long-running…

845f2ed

… tls renewal tasks Signed-off-by: Thorsten Klein <tk@thklein.io>

iwilltry42 force-pushed the iwilltry42/issue206 branch from 98805fb to 845f2ed Compare November 3, 2022 22:39

cjellick approved these changes Nov 16, 2022

View reviewed changes

cjellick merged commit 6ded642 into acorn-io:main Nov 16, 2022

iwilltry42 deleted the iwilltry42/issue206 branch November 17, 2022 07:17

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Automatic Let's Encrypt certificates for user-provided domains #836

Automatic Let's Encrypt certificates for user-provided domains #836

iwilltry42 commented Nov 2, 2022 •

edited

Automatic Let's Encrypt certificates for user-provided domains #836

Automatic Let's Encrypt certificates for user-provided domains #836

Conversation

iwilltry42 commented Nov 2, 2022 • edited

Other Changes

To-Do

iwilltry42 commented Nov 2, 2022 •

edited