Compliance with Let's Encrypt Integration Guide #71
Comments
|
Thank you for taking the time to review how ACMEd works and review it against Let's Encrypt's integration guide. I agree with you about the "when to renew" and "retrying failures" parts, there is space for improvement here. However, I planned to do so after rewriting a large part of ACMEd. The current thread-based model has serious drawbacks and I am planning to completely rewrite it using async, which is much more suited for this job. I currently have little time for that, but I might have more in a few months, so it might take some time. On the other side, I disagree with you about the "one account or many?" for two reasons:
That said, the README part about using a different account for each endpoint will be dropped with the async rewrite and I guess it wouldn't hurt to replace it with something like "please check your CA policy on this point". |
That sounds like a good plan. Going through the codebase, I was thinking quite a few times that an async approach would make a few things, especially around retrying and renewal timing quite a bit easier.
Would you be interested in contributions for that async rewrite? As it's going to affect nearly the whole code-base, I can absolutely understand it if not, but I'd be interested to at least take a look how much work it would be.
Fair enough, I'm evaluating
As someone who is deploying thousands of certificates with ACME: a service restart is not a blocker here, as we also deal with thousands of servers at the same time. Each acme client only ever deals with one certificate anyway in this scenario.
ACK
Yep, that sounds good. |
|
Hey @breard-r, coming back to this, I've split off the two problems regarding scheduling that you agreed on and have clarified the bit about multiple accounts, so I think this issue here can be closed, as there's dedicated issues for #74 and #75 now. The interest here is coming from @famedly. We (that's my colleague @lukaslihotzki and me) are currently looking for a new ACME client, and are willing to invest some time into helping Specifically what we'd like to do is working on getting I do understand that you can't allocate large amounts of time to this project though, so if this is all a bit overwhelming and you can't (or don't want to) include our changes right now, we can also fork Last but not least: I'm closing this issue, as all boxes in the description are either checked or split out into separate issues. |
Thant's a good idea, thank you!
Thank you very much, I really appreciate your help and interest 🙂 It's been a while since I made some real changes and improvements to ACMEd, I mostly idled while conceptualizing what I wanted to do. Lack of time and motivation mostly explain this state. As you guessed, I would like, in a first time, to start this big async rewrite myself since I been thinking on how to do it for quite a while now and I have a good idea of what I would like to do about it. |
|
I just realized I haven't replied back at the end of January, even though I wanted to... I've seen that the async rewrite has happened, congrats! With regards to us contributing, it probably makes sense to look into #77 before we start on #75, so that the backoff stuff can be persisted across restarts. #74 should be possible to handle without persisting state though, so maybe that's something we can start on earlier (and honestly, it's the more important one for us anyway). All of that of course is assuming that in general contributions in these three issues are welcome if we stick to the guidelines laid out in the contribution guidelines? Last but not least: What do you think about a chatroom for less forum and more ad-hoc development communication/coordination? I've had great experiences using Matrix for that kind of stuff. |
Thanx ! I must point out that I haven't swiched the http part to async yet, however I'm working on it and it doesn't block some other work like #74
I fully agree with that. Furthermore, I should also implement async for the http part before any work on #75 should be done.
Yes of course. |
I'm ok with it. Currently I mostly uses IRC and XMPP, but I have a good image if Matrix. I'll have a look on how I can easily manage my identity across all those protocols. If I can easily set-up a matrix server with bridges to IRC and XMPP, I may switch to it. |
|
Going with libera.chat and the built-in matrix bridge might be an option? That would reduce the dependencies on self hosting matrix and bridges. https://matrix.to/#/#acmed:libera.chat or |
|
Well, I finally joined Matrix. You'll find me at |
Let's Encrypt has an integration guide for hosting providers and client software that's meant to be used with Let's Encrypt that has a few things that they want those users to implement, and most clients do fail to implement those in one way or another.
The integration guide is available over at https://letsencrypt.org/docs/integration-guide/. I'll try to summarize the requirements below, and whether
acmedis implementing it in a compliant way, if that requirement is applicable at all. I'll not add a checkmark iff there is a recommendation that is definitely applicable toacmedand whichacmeddoesn't apply properly.acmedto support multiple accounts, because different providers could require different key algorithms for example, the documentation could be improved here, to recommend sticking to a single account. Even worse than not recommending to use a single account though, theREADMEeven encourages using multiple accounts (at least when using multiple endpoints). Edit/Clarification: the recommendation from LE is just about larger hosting providers, and the recommendation from theREADMEis just about different endpoints, so my initial assessment here was off.acmedacmedprovides hooks for storing files and reusing them properly, so this is definitely okay. What Let's Encrypt says here is to not generate certificates in volatile environments such as short lived containers, which is not really applicable toacmed.acmedsupports all current challenge types, this is in good shape right now.acmed, as this depends more on the deployment than the acme client.acmedas well.acmeddoes right now is 3 weeks before the end of the expiration, so 21 days. This is not the only way that things could be improved here though: Especially if you're running very big deployments with thousands of certificates, you can reduce the cost for Let's Encrypt by spacing out the renewals randomly. My suggestions here would be to allow setting a range here, instead of a concrete value, and to take a random time between the start of the range and the end of the range for the renewal, so something like 35 days until expiry and 30 days until expiry, and then it chooses to do it at 33.78 days before expiry for example. With the current structure of howacmedhandles this though, it's not that easy to do this.acmedis pretty far off here (as far as I can tell, I'm not quite sure actually). As far as I can tell,acmedwill check each certificate for whether it needs renewal once per hour (at least that's the default) and not do any sort of exponential backoff. Some specific errors are also treated asrecoverable, which are then retried 20 times with 1s delay in between. Whether retrying recoverable errors in such quick succession is in line with what Let's Encrypt wants aside, the more important thing would be to implement some for of exponential backoff. Their suggested schedule is retrying after 1 minute, then 10 minutes, then 100 minutes and each subsequent retry after 1 day. I think it'd be in the spirit ofacmedto have this as something that's configurable per endpoint, with defaulting to the schedule suggested by Let's Encrypt.Summarizing:
acmedis already doing a lot of things right here, with the documentation on accounts being one thing that could be improved and scheduling of renewals and retrying failures being the other thing.The text was updated successfully, but these errors were encountered: