Let's encrypt! #281
Ok, this works for the remote and local names at this point. A couple things need to happen once this is merged,
@@ -45,13 +45,10 @@ pub struct FoxBox { | |||
profile_service: Arc<ProfileService>, | |||
} | |||
|
|||
const DEFAULT_HOSTNAME: &'static str = "::"; // ipv6 default. | |||
const DEFAULT_DOMAIN: &'static str = ".local"; | |||
|
|||
impl FoxBox { | |||
|
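Review bot: the comment `// ipv6 default.` on `const DEFAULT_HOSTNAME: &'static str = "::";` undersells what the value does: `::` is the IPv6 unspecified address, so a default hostname of `::` means "every interface" (and, on hosts with dual-stack sockets, IPv4 as well), not merely "prefer IPv6". Since the rest of this patch ties the box's name to a certificate and publishes it to a DNS server, please give both constants a doc comment stating what `DEFAULT_HOSTNAME` is bound or advertised as and what `DEFAULT_DOMAIN` (`".local"`) is appended to, so a reader can tell which name ends up in the certificate.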
uber-nit: let's take the chance and remove this extra line.
} | ||
} | ||
} else { | ||
info!("Unable to send request to {}", self.registration_endpoint); |
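Review bot: in the `else` branch a failed registration request is reported only as `info!("Unable to send request to {}", self.registration_endpoint);`. A box whose registration never reaches the endpoint will not get its remote tunnel name, so this is an operational failure and deserves `warn!` or `error!` rather than `info!`; the message should also carry the cause of the failure (the error from the request, if this branch has it) next to the endpoint, otherwise an operator reading the log has nothing to act on.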
Ditto
As usual, this is excellent work, Sam :) I tested the patch locally and it works. In general, the code looks good to me. I only added a bunch of comments about minor stuff. It would be great if you could improve the documentation. The process is a bit complex and it's hard to get it just by reading the code. Thanks for working on this! I'm CCing @fabricedesre and @michielbdejong in case they also want to take a look.
- Include the scheme in the message posted to the registration server
- Generates LetsEncrypt certificate for the local domain on the fly
- Use a DnsRecord to describe the entry to the DNS server
- Each box has a preset name that a self-signed certificate is created for. This is then used as the identifier for that box, and is used in the creation of names that can be added to a SAN cert
- Register the remote tunnel name using the certificate fingerprint
- Fix the command line arguments to include the dns-api endpoint option
- Don't parameterise the CertificateManager by type implementation, instead use a Box (fat pointer) to an SslContextProvider
- Refactor registrar
Rebased and squashed!
Needs some tests + cleanup before landing - this is a first pass.
If you try this, the box needs to be restarted and then you'll have the cert loaded. It can be done on the fly; it just doesn't work right now.