New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Planned updates and enhancements #214
Comments
My thoughts:
|
Thanks for your thoughts, Francis:
Yeah, or maybe configurable policies... simpler than a reverse proxy's, but, like: "first", "first_random", and "first_round_robin".
Ok, I'll look into that.
See below... An update
|
Yeah, the load balancing policy approach is a good idea 👍 I think |
Ok cool -- I've implemented this, and decided to skip "round_robin" for now, since I'm not sure what utility that really has, especially given that configs are short-lived/ephemeral. Just going to start simple for now. By default, the current behavior is the same: try each issuer in turn. You can configure "first random" which shuffles the list, then tries each issuer in turn. Since ARI is on hold, I'm going to close this issue and we can open a new one if the spec evolves or there is something actionable to do there. |
I just had an idea regarding ARI (probably not the best place to discuss about this, but I value your feedback), would it be imaginable to put the information about "renewal window" into the OCSP response? Since (according to Wikipedia) the OCSP responder is typically run by the certificate issuer, it could give the info if a renewal should occur soon. |
This has already been discussed: https://mailarchive.ietf.org/arch/msg/acme/b-RddSX8TdGYvO3f9c7Lzg6I2I4/ (sorry for the noise) |
It's alright, I appreciate careful thinking like that! |
New issue tracking ARI: #284 |
A few things that could use enhancing:
Issuer load balancing
CertMagic currently tries issuers in order to get a certificate, and later ones are only fallbacks. This is already more than most certificate automators do, but load balancing would be a useful option: still fall back if one is down, but first choose (randomly? round-robin?) from among the selection rather than always trying the first one first.
For renewals, CertMagic tries the same issuer as last time, if configured/present. But this could also be load-balanced.
Private key rotation
Currently, CertMagic reuses the private key when renewing a certificate. This is the expected behavior most of the time, but can be problematic if the key is compromised (without knowing; CertMagic will already replace a private key if a certificate is revoked with reason
keyCompromise
, but this seldom if ever happens in practice). If the key was compromised by unauthorized access to storage, for example, rotating the key will simply give the attacker the new key. If the compromise is known, the cert will typically be revoked.One argument is made against this: that the hole may be patched serendipitously, i.e. via felix culpa, such as applying a system upgrade or fixing an ACL. You didn't know a leak occurred but you fixed it anyway. In that case the cert would not be revoked, but it would still be useful to rotate the key.
Probably these days, CertMagic should use new keys for every cert rather than reusing keys.
ARI
ACME Renewal Information or ARI is an extension to ACME that hints at when to renew a certificate. I have mixed feelings on the utility of this extension, and I think it is unfortunate that it complicates already-complex infrastructure regarding revocation, which is broken anyway, and should be phased out in favor short-lived certificates instead.
Brief digression: If ARI tells you to renew early, the server may optionally include a URL which explains the reason. If the reason is impending revocation, then why continue to trust the certificate at all? If you know it will be revoked, the certificate might as well not be trusted. Or maybe the reason is to smooth out load; only respectful clients will do this anyway, and I don't know if it will help the stampeding herd problem that CAs sometimes face. But anyways...
We can support ARI to be a good Internet citizen.
The text was updated successfully, but these errors were encountered: