Enhancement #676

Use Let's Encrypt for more public services

Added by Marc Dequènes 3 months ago. Updated 2 months ago.

Status:
In Progress
Priority:
Normal
Category:
Service :: IS / AAA / PKI
Start date:
2019-09-20
Due date:
% Done:

40%

Estimated time:
Patch Available:
Confirmed:
No
Branch:
Entity:
DuckCorp
Security:
Yes
Help Needed:

Description

Now that we have the DNS challenge method in place for SMTP, we could make it more generic in a dedicated role and use it for other non-web services.

Also I think using a DNS update key per host would be more secure.

Associated revisions

Revision aad6a48e (diff)
Added by Marc Dequènes 2 months ago

pki: use LE CNAME resolution feature

requires patched LE

refs #676

History

#1

Updated by Marc Dequènes 3 months ago

  • Status changed from New to In Progress
  • % Done changed from 0 to 20

We have a role for the DNS challenge setting and run. It is now used for SMTP services.

Each host now has its own key.

It would be nice if we could force the LE nsupdate to use the _kage subdomain and use CNAMEs like we do for TLSA to avoid having to create a forest of subdomains.
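An added example (not DuckCorp's actual configuration) of the two ideas above in BIND terms: one TSIG key per host, each restricted by an update-policy to its own name inside the dedicated _kage subdomain, with static CNAMEs from the standard _acme-challenge names pointing there so the production zone never needs dynamic updates. The zone names, the "imap" host, the key names and the file path are assumptions; only smtp.hq.duckcorp.org and the _kage subdomain come from the ticket.

```conf
# named.conf fragment (constructed example, not the project's own config).
# One TSIG key per host; secrets would be generated with tsig-keygen.
key "smtp.hq.duckcorp.org-acme" {
    algorithm hmac-sha256;
    secret "<per-host-secret-1>";   # placeholder
};
key "imap.hq.duckcorp.org-acme" {   # hypothetical second host
    algorithm hmac-sha256;
    secret "<per-host-secret-2>";   # placeholder
};

# Weak setting: one shared key that may rewrite any record in the zone.
# A compromised host could then change A/MX/TLSA records, not just its challenge.
# zone "hq.duckcorp.org" {
#     type master;
#     file "/var/lib/bind/hq.duckcorp.org.zone";
#     allow-update { key "shared-acme"; };
# };

# Corrected: dynamic updates only into the dedicated challenge zone, and each
# key may only write TXT records under the one name that belongs to its host.
zone "_kage.duckcorp.org" {
    type master;
    file "/var/lib/bind/_kage.duckcorp.org.zone";   # assumed path
    update-policy {
        grant "smtp.hq.duckcorp.org-acme" name smtp.hq.duckcorp.org._kage.duckcorp.org. TXT;
        grant "imap.hq.duckcorp.org-acme" name imap.hq.duckcorp.org._kage.duckcorp.org. TXT;
    };
};

# Zone file hq.duckcorp.org (static, no dynamic updates): the ACME client
# follows these CNAMEs and places the challenge TXT in the _kage zone.
; _acme-challenge.smtp  IN CNAME  smtp.hq.duckcorp.org._kage.duckcorp.org.
; _acme-challenge.imap  IN CNAME  imap.hq.duckcorp.org._kage.duckcorp.org.
```

With this layout, leaking one host's key exposes only that host's challenge name, and adding a service means one key plus one CNAME rather than a new delegated subdomain per host.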

#2

Updated by Marc Dequènes 3 months ago

  • Status changed from In Progress to Blocked
  • % Done changed from 20 to 30

Using CNAMEs is coming:

Seems people are enthusiastic about the PR, so let's wait before migrating more certs.

#3

Updated by Marc Dequènes 2 months ago

  • Status changed from Blocked to In Progress
  • % Done changed from 30 to 40

I backported recent LE packages and applied the patch; only a minor problem affecting the tests was worked around (see message in the PR).
I tested these packages for smtp.hq.duckcorp.org successfully, and a web cert too for regression, and then decided to go along.
The packages are now uploaded in our repo and I was able to test other renewals with success.
