-
Notifications
You must be signed in to change notification settings - Fork 432
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support for ACME verifications on ip addresses #410
Comments
I also have a need for this, as we'll often be authenticating Caddy instances by their IP address - for internal/admin use only, so it's something we need signed by our own CA and not a public CA. |
@mquinnatlasroofingcom Can you share how you did this with a template? |
I had a back and forth with one of the Smallstep developers on their community forum thing. It's on there up around the time that I submitted this feature request. Bottom line though, it doesn't make any sense to do it that way since the certificate will not do an ACME verification on the ip address, only on the hostname. As a result, you lose all the security that ACME offers. I wound up creating a modified version of their ACME provisioner that accepts and does verification of SANs of IP address type. You'll want to have a look at the RFC for guidance on what to do. There were only a handful of changes that I had to make to enable this. It's been a while and I don't really remember them all. Check out the source code in acme/order.go, the finalize function is a good place to start. You'll probably have to mess around with your ACME client too in order to get it to make CSRs with ip address type SANs. |
Thanks, @mquinnatlasroofingcom! |
@mquinnatlasroofingcom Is this something you'd be able to make a pull request for? @dopey Do you know if you'd be able to accept such a PR (or when this might be on the roadmap for)? |
This is still on the roadmap along with external account binding. It's on our short term roadmap but our roadmap is also constantly in flux #startupthings. We'd definitely be interested in taking a look at the PR. And as @mquinnatlasroofingcom mentioned, we'll need accompanying integration from the cli side (although maybe not right away). @mholt we've actually just done a complete rework of our ACME backend (it's still in a PR but will probably be merged this week). Very minor change for you if caddy wants to integrate with latest (just changing the name of a few types). |
Oh, awesome -- yeah, would be happy to use the latest and greatest! 🙂 |
Does this PR include support for https://tools.ietf.org/html/rfc8738? Can we take a look at the PR? :) |
Hey @jack4it the PR I was referencing was actually merged a few weeks back (#496). It was a rewrite of the ACME backend that will allow for hooking in a SQL db - so not directly related to the RFC you're asking about. Support for this issue (IP verification) is still on the roadmap. We want to support it yesterday, we're just short on resources :] |
I can look by myself, but is there an established process/guideline that we can help? :) would be happy to contribute @dopey |
Yea! Help would be much appreciated. I'd be happy to schedule some time to give you a quick tour of the codebase with particular attention to the section where the IP verification code should/would be implemented. My email is max@smallstep.com - shoot me an email. That said, it sounds like @mquinnatlasroofingcom may already have a working implementation. That would probably be a really useful place to start. |
Started working on this. The http-01 challenge flow seems to work with Caddy as the client now, but have to improve on compliance with the RFC as well as tls-alpn-01. (somewhat shortened) Step output:
Caddy output; configured to talk to the modified ACME provisioner:
|
That's awesome - great progress! |
@hslatman Is this something you could make a PR for while you finish it up so reviews could begin? |
@mholt My plan is to have the PR ready within 24 hours. |
The PR is here: #602. Got a couple of tests to fix and have to add some for the the IP type of identifier. There are also some improvements that I'd like to do soon. So far I've tested with a small tool I wrote based on acmez as well as with Caddy. Both HTTP-01 and TLS-ALPN-01 work with my tool. Caddy is not able to solve the TLS-ALPN-01 challenge for an IP identifier, because it looks for the IP (i.e. 127.0.0.1) in its challenge store based on the ClientHello ServerName. The RFC states that IPs should be their ARPA address in the ServerName (i.e. 1.0.0.127.in-addr.arpa), which is what I implemented. Not doing this conversion will result in an empty identifier on the Caddy side, which might be due to how Go processes the ServerName. Reversing the ARPA to the IP as the identifier to use in the lookup OR storing the ARPA in the lookup are fixes for that issue and have verified that in a quick local POC. |
That's true; are you saying that the ServerName comes in the form
What do you mean by this exactly? |
Indeed, for IP identifiers the ServerName should be formatted as its ARPA representation. At least, that's what I concluded from the RFC and it made sense to me for the server -> client direction. I have a potential fix for Caddy that first checks if the ServerName suffix is
Sorry, my explanation was a bit terse. I meant to say that, in case step-ca doesn't format the IP as its ARPA representation, the ServerName on the Caddy side will be empty. I think that's due to how Go handles the field, but I haven't investigated that further yet. Caddy logs it like this:
While having it formatted as ARPA looks like this:
|
Ahh gotcha. That makes more sense, thank you. I would happily accept a PR! I also think the latter option would be cleaner. What's the diff on the first option though? (feel free to discuss in caddyserver/certmagic#133) |
What would you like to be added
There is a extension to ACME to allow it to verify ip addresses.
The extension is:
https://tools.ietf.org/html/rfc8738
Why this is needed
This isn't something that Let's Encrypt will ever do but for locally hosted ACME provisioners it would be useful to get rid of certificate errors for sites when accessed via their local ip address. In our organization, we have very little standardization of hostnames (mostly due to acquisitions of other companies and systems) so often we just remember the IPs.
It's currently possible to use templates to force an ACME provisioner to sign any IP address that is passed to it but it will not perform any challenge. This defeats the security of ACME.
The text was updated successfully, but these errors were encountered: