
[WIP] ACME: experimental support for IP identifier validation #53228

Status: Closed. Wants to merge 2 commits into base: devel.
@felixfontein (Contributor)

felixfontein commented Mar 3, 2019

SUMMARY

Implements experimental support for draft-ietf-acme-ip-04 to acme_certificate. Support might be implemented eventually in Pebble (letsencrypt/pebble#161); if it is, this can actually be tested. (No idea if this will ever be supported by Let's Encrypt or other ACME-based CAs, though...)

ISSUE TYPE
  • Feature Pull Request
COMPONENT NAME

acme_certificate

@ansibot (Contributor)

ansibot commented Mar 3, 2019

The test ansible-test sanity --test pylint [explain] failed with 2 errors:

lib/ansible/module_utils/acme.py:823:24: undefined-variable Undefined variable 'self'
lib/ansible/module_utils/acme.py:859:94: undefined-variable Undefined variable 'san'

The test ansible-test sanity --test pep8 [explain] failed with 1 error:

lib/ansible/module_utils/acme.py:842:1: E302 expected 2 blank lines, found 1


@felixfontein felixfontein force-pushed the felixfontein:acme-ip-support branch from 54be138 to 051dadb Mar 3, 2019

@ansibot ansibot added support:core test and removed owner_pr labels Mar 3, 2019

@felixfontein felixfontein force-pushed the felixfontein:acme-ip-support branch 2 times, most recently from f75e6c4 to 88701e8 Mar 5, 2019

@bcoca bcoca removed the needs_triage label Mar 5, 2019

@felixfontein felixfontein force-pushed the felixfontein:acme-ip-support branch 2 times, most recently from 03377de to 9e549d1 Mar 10, 2019

@felixfontein (Contributor, Author)

felixfontein commented Mar 10, 2019

@Shaps I've been trying to use IP:xxx SANs today with openssl_csr and found some problems (with the cryptography backend); I've fixed them locally here in 7842b7d and 9e549d1. Since I don't know if you already moved that code around, I'll keep them here and create a PR once your PR is merged. (Of course you can also already include them. Whatever you want.)

@felixfontein (Contributor, Author)

felixfontein commented Mar 10, 2019

I managed to issue a certificate for 127.0.0.1 with felixfontein/ansible-acme-test#1!

@felixfontein felixfontein referenced this pull request Mar 10, 2019: "Support IP address identifiers #161" (Open, 0 of 8 tasks complete)
@felixfontein (Contributor, Author)

felixfontein commented Mar 10, 2019

I've now also managed to get a certificate for ::1, and one for 127.0.0.1 with tls-alpn-01 validation. That required some more changes because this suddenly has two names to handle: one (the ARPA RDNS of the IP) for the Host header to look for, and one (the IP address itself) to put into the challenge certificate.
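The two-name split described in the comment above, as an added example that is not code from this PR or from Ansible. It assumes the tls-alpn-01 rules of draft-ietf-acme-ip (later RFC 8738) and RFC 8737: the validation server is reached with the reverse-DNS (in-addr.arpa / ip6.arpa) name of the address as SNI, the challenge certificate carries the IP itself as an iPAddress SAN, and its critical acmeIdentifier extension holds the SHA-256 of the key authorization; the identifier dicts and the `challenge_names` / `acme_identifier_extension` helper names are constructed for this example.

```python
"""Names involved in a tls-alpn-01 challenge for an ACME 'ip' identifier."""
import hashlib
import ipaddress

# OID of the id-pe-acmeIdentifier certificate extension (RFC 8737, section 3).
ACME_IDENTIFIER_OID = "1.3.6.1.5.5.7.1.31"


def challenge_names(identifier):
    """Return the SNI to match and the SAN to put in the challenge certificate.

    `identifier` is an ACME identifier object such as
    {"type": "ip", "value": "127.0.0.1"} or {"type": "dns", "value": "example.com"}.
    """
    kind, value = identifier["type"], identifier["value"]
    if kind == "dns":
        # Classic case: the same name is used as SNI and as the dNSName SAN.
        return {"sni": value.lower(), "san_type": "dNSName", "san_value": value.lower()}
    if kind == "ip":
        # Raises ValueError for anything that is not a literal IPv4/IPv6 address,
        # so a hostname cannot be passed off as an 'ip' identifier.
        addr = ipaddress.ip_address(value)
        return {
            # reverse mapping, e.g. 1.0.0.127.in-addr.arpa or 1.0.(...).0.ip6.arpa
            "sni": addr.reverse_pointer,
            "san_type": "iPAddress",
            # canonical text form, e.g. '::1' rather than '0:0:0:0:0:0:0:1'
            "san_value": str(addr),
        }
    raise ValueError("unsupported identifier type: %r" % kind)


def acme_identifier_extension(token, account_key_thumbprint):
    """DER value of the acmeIdentifier extension for a tls-alpn-01 challenge.

    The key authorization is token '.' thumbprint (thumbprint = base64url JWK
    thumbprint of the account key); the extension value is an OCTET STRING
    (tag 0x04, length 0x20) holding its SHA-256 digest, and the extension
    must be marked critical in the self-signed challenge certificate.
    """
    key_authorization = "%s.%s" % (token, account_key_thumbprint)
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return b"\x04\x20" + digest
```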

@felixfontein felixfontein force-pushed the felixfontein:acme-ip-support branch 2 times, most recently from a821f77 to 59270e3 Mar 11, 2019

@felixfontein (Contributor, Author)

felixfontein commented Mar 11, 2019

I moved the changes to acme_certificate / module_utils/acme into #53660, and the changes to acme_challenge_cert_helper to #53661. The openssl_csr changes will be moved to the real module later. Tests will be added once letsencrypt/pebble#221 is merged.

Commit: Remove DirName support, which doesn't work as this and seems harder to fix. Also, I don't know of an example of how it actually works.

@felixfontein felixfontein force-pushed the felixfontein:acme-ip-support branch from 59270e3 to 790ddd3 Mar 13, 2019

@felixfontein (Contributor, Author)

felixfontein commented Mar 13, 2019

The main PRs have been merged; this now only contains fixes for openssl_csr.

@felixfontein (Contributor, Author)

felixfontein commented Mar 17, 2019

Closing since now everything is either merged or has its own PR. The next PR will show up once letsencrypt/pebble#221 has been merged, to add tests :)

@felixfontein felixfontein deleted the felixfontein:acme-ip-support branch Mar 17, 2019
