HN Gopher Feed (2017-10-17) - page 1 of 10
ACME Support in Apache HTTP Server Project
140 points by jaas
https://letsencrypt.org/2017/10/17/acme-support-in-apache-httpd....he-httpd.html
thresh - 1 hours ago
Are there any other CAs that support ACME? Is ACME an Internet
standard yet? Is that turning into monoculture?
jpb0104 - 4 hours ago
This is awesome. We're having early success with
https://github.com/GUI/lua-resty-auto-ssl + https://openresty.org/
to support thousands of custom domains.
Ajedi32 - 5 hours ago
This is going to be huge for HTTPS adoption on the web. In the
future all web servers should have this feature. I wonder which will
be next? IIS? Nginx?
subway - 1 hours ago
Nginx already has this via OpenResty and a script:
https://github.com/GUI/lua-resty-auto-ssl
NicoJuicy - 19 minutes ago
IIS has support through a powershell script
icebraining - 5 hours ago
Klaus Krapfenbauer, a participant of Mozilla Winter Of Security,
already implemented a PoC module for Nginx:
https://github.com/mozilla/mwos-letsencrypt-2015
Unfortunately, it seems to be very dead.
apple4ever - 2 hours ago
That sucks. Besides the dumb low cert expiration length, built
in support for Nginx is why I haven't adopted Let's Encrypt.
dtzur - 27 minutes ago
Now if they could only catch that Road Runner!
lol768 - 6 hours ago
I'm curious, which email does it use to register with? I didn't see
one in the config file.
Ajedi32 - 5 hours ago
[It uses the value of the global ServerAdmin setting][1]:

> There are 2 additional settings that are necessary for a Managed
> Domain: ServerAdmin and MDCertificateAgreement. The mail address
> of ServerAdmin is used to register at the CA (Let's Encrypt by
> default). The CA may use it to notify you about changes in its
> service or status of your certificates.

[1]: https://httpd.apache.org/docs/trunk/mod/mod_md.html#managedd...
jaas - 6 hours ago
Supplying an email address to Let's Encrypt is optional.
tialaramex - 5 hours ago
... but if you don't supply one of course Let's Encrypt won't
notify you about anything. So if you aren't paying attention you
may get blind-sided by any future change, particularly if your
use case is weird, e.g. you can only pass http-01 by HTTP 301
redirecting to a machine with a completely different hostname:
works today, could get outlawed as dangerous one day and they'd
have the records to show you're going to be affected, but no
way to automatically warn you.
mholt - 5 hours ago
I recommend always monitoring server logs as a last line of
defense (or first, honestly) for these kinds of things.
Ajedi32 - 5 hours ago
Do Apache's server logs notify you if your cert is about to
expire, but hasn't yet?
mholt - 5 hours ago
I doubt it does in general, but mod_md does have a pretty
chatty log if you enable it. Haven't tested this
specifically, but I assume it prints something around
renewal time.
majewsky - 4 hours ago
Expiration dates on your TLS certs are usually something
that you want to monitor and alert on anyway. I'd
actually build the monitoring separately from the renewal
process, just in case the renewal process doesn't
notice that it fails.
DonbunEf7 - 3 hours ago
As a good first step, it's easy to configure the Prometheus
blackbox exporter (or your TLS-supporting blackbox scraper of
choice) to report the TLS cert expiry date; I have an alert
which pages me if a TLS cert will expire in a week or sooner
based on this.
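As an added example (not code from any commenter in this thread) of the separate expiry check majewsky and DonbunEf7 describe: a standard-library Python probe that performs a real TLS handshake, reads the leaf certificate's notAfter, and classifies it against a one-week threshold, so it keeps working even if the renewal job silently fails. The host name, the 7-day threshold, and the OK/WARN/EXPIRED states are assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional, Tuple

# Alert threshold in days: DonbunEf7 pages at one week (assumed default).
WARN_DAYS = 7

def parse_not_after(not_after: str) -> datetime:
    """Convert getpeercert()'s notAfter ('Oct 17 00:00:00 2017 GMT') to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)

def days_remaining(not_after: str, now: datetime) -> float:
    """Days until expiry; negative once the certificate has already expired."""
    return (parse_not_after(not_after) - now).total_seconds() / 86400

def classify(not_after: str, now: datetime, warn_days: int = WARN_DAYS) -> str:
    """OK / WARN / EXPIRED: the states an alerting rule would key on."""
    days = days_remaining(not_after, now)
    if days < 0:
        return "EXPIRED"
    if days < warn_days:
        return "WARN"
    return "OK"

def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Do a real TLS handshake and return the leaf certificate's notAfter.

    create_default_context() verifies chain and hostname, so a broken
    deployment fails loudly here instead of reporting a date.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def check_host(host: str, now: Optional[datetime] = None) -> Tuple[str, float]:
    """Live check of one host, independent of whatever process does the renewing."""
    now = now or datetime.now(timezone.utc)
    not_after = fetch_not_after(host)
    return classify(not_after, now), days_remaining(not_after, now)

if __name__ == "__main__":
    state, days = check_host("example.com")  # assumed host, not from the thread
    print(f"example.com: {state}, {days:.1f} days left")
```

Run it from cron and page on anything other than OK; the network call happens only under `__main__`, so the parsing and threshold logic can be tested offline.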
throwaway0071 - 4 hours ago
This is why I think projects like caddy/traefik shouldn't get too
comfortable thinking Let's Encrypt / HTTPS support by default alone
is going to differentiate them too much. They're one PR away from
having their major selling point becoming irrelevant in the face of
the competition.
https://news.ycombinator.com/item?id=15433463
rhencke - 3 hours ago
Where do you see evidence of projects like Caddy getting too
comfortable thinking Let's Encrypt/HTTPS support by default alone
is going to differentiate them?
hannob - 2 hours ago
Caddy is written in a memsafe language. (I don't use caddy, but I
always saw the "HTTPS by default" thing more as a nice thing to
have, but not hugely important given that you can have the same
with external scripts in apache or nginx. But being memsafe is
the real distinguisher and one that certainly isn't reachable
with a pull req in apache or nginx.)
mholt - 3 hours ago
What? They're not even comparable. Here are distinct advantages
of all three as I see them:
- Traefik has cross-platform, highly dynamic proxying
- Apache has such widespread use and market saturation
- Caddy is the only server, even in the face of mod_md, to have fully automatic HTTPS by default

The thread you linked to has nothing to do with any of this, except that it links to this
comment by myself, which preempts your claim:
https://news.ycombinator.com/item?id=15433788
throwaway0071 - 3 hours ago
They are absolutely comparable and the advantages each one have
don't exclude the others from attaining the same features.

Traefik cross-platform? All others are. Highly dynamic. What does
that even mean? All are "dynamic".

Apache has widespread use and market saturation... how's that the
single advantage it has? It's been evolving a lot.

Caddy is the only server to have fully automatic HTTPS? How much
longer mod_md get that?

I think you've missed all of my single point and kind of confirm
my fears.

The link which I posted has everything to do with this discussion.
It's about Caddy thinking a bad business plan will work because
"caddy is the only server to have fully automatic HTTPS by default".

Last question, is Caddy thinking of hiring a CEO or sales person?
I think it should.
mholt - 3 hours ago
> Traefik cross-platform? All others are.

Not true - (stable) mod_md builds are not yet available for all platforms.

> how's that the single advantage it has?

Where did I say it was the "single advantage"?

> Caddy is the only server to have fully automatic HTTPS? How much longer mod_md get that?

You forgot "by default" -- and probably never, not on Apache's main
release tree. Or at least not for a long time.

> I think you've missed all of my single point and kind of confirm my fears.

Why are you afraid? What are you afraid of? This is literally the
epitome of spreading FUD.
throwaway0071 - 2 hours ago
> mod_md builds are not yet available for all platforms.

Do you have reason to believe they won't be? Are you betting your
business on the failure of Apache to do basic release engineering?

> Where did I say it was the "single advantage"?

That's fair. Because you listed it then I think that's the "major"
advantage. Is that right?

> You forgot "by default" -- and probably never, not on Apache's main release tree. Or at least not for a long time.

Why? Let's Encrypt and HTTPS by default being something that a lot
of people want, why do you think Apache will ignore that and not
include mod_md in Apache "for a long time"?

Competition is good. I don't have major reasons to be afraid but I
would like Caddy/Traefik and others to succeed. From the very basic
mistakes they're making in coming up with a business plan, I don't
think they will. And no, being open source alone is not reason
enough to ensure project survival.

If you re-read your own comment, I think you're the one spreading
FUD about those other projects (and their implied inability to
outpace Caddy).
Touche - 2 hours ago
Because those projects are very conservative about making
things default. Apache famously has (had now?) bad
defaults that no one should use, just for compatibility
reasons.

Keep in mind that caddy is not only https by default, it's HTTP/2
by default as well. How long until that is by default in Apache?

And I don't think those are even the killer features of Caddy.
They are the things that drive people in, but the real killer
feature is how easy it is to configure.
tannhaeuser - 2 hours ago
Don't know where you get that idea from. The reference
implementation for letsencrypt has always been (a Python-based
collection of scripts with auto-config, auto-update etc) for
Apache httpd. A native Apache module for ACME has been proposed
for some time now, and is great because the reference
implementation is quite a bit too rich to run as root (and is
Python 2 only I believe).
cholmon - 5 hours ago
I'm curious how renewals will be handled. According to
https://github.com/icing/mod_md/wiki#no-auto-restart-when-st...

"...you have to manually restart httpd for any certificate changes to take effect."

It's easy enough to have a daily cronjob that just reloads Apache
unconditionally, but that feels dirty.
ridruejo - 4 hours ago
Apache supports graceful restarts, in which new child
processes are spawned and old ones replaced without dropping
existing connections.
jldugger - 4 hours ago
This doesn't affect certain portions of Apache, like the part
that handles TLS.
ridruejo - 4 hours ago
Recent versions of Apache (2.4.x) do support it
jldugger - 4 hours ago
Ah, guess I should review the documentation more
frequently.
baby - 6 minutes ago
Service apache2 reload
Ajedi32 - 4 hours ago
Huh, that's a rather interesting limitation. I guess internally
mod_md must be changing the configuration of the server with
every renewal? Otherwise I'm not sure why a restart would be
needed; the server should just start using the new cert for new
connections.
jimminy - 5 hours ago
The same thing is required of nginx.

I personally have a cron script set up on my domain gateway to
update certificates once a month and reload nginx at the end.
Total unavailability is about .5 sec once a month.
askz - 4 hours ago
Reload process in nginx isn't graceful?
gtirloni - 4 hours ago
It certainly is.
http://nginx.org/en/docs/beginners_guide.html#control
jimminy - 4 hours ago
It is. I hadn't even looked into it, because I set the job to
off hours and the domains have low enough volume that even a
non-graceful reload wouldn't affect anything.

Thanks for asking, because now I know. I was just assuming the
same lag I see in the CLI.
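An added example (not code from cholmon, jimminy or anyone else in this thread) of the less "dirty" alternative to an unconditional daily reload: a cron-driven script that fingerprints the certificate file and issues a graceful reload only when the file has actually changed, recording the fingerprint only after the reload succeeds so a failed reload is retried next run. The certificate and state paths are placeholders, not mod_md's real store layout; `apachectl graceful` is Apache's own graceful-restart command.

```python
import hashlib
import subprocess
from pathlib import Path

# Placeholders for illustration, not mod_md's actual on-disk layout.
CERT_PATH = Path("/path/to/current/cert.pem")
STATE_PATH = Path("/var/lib/cert-reload/last-cert.sha256")
# Graceful restart: new children are spawned and old ones drained,
# so existing connections are not dropped.
RELOAD_CMD = ["apachectl", "graceful"]

def cert_fingerprint(cert_path: Path) -> str:
    """SHA-256 of the certificate file exactly as it sits on disk."""
    return hashlib.sha256(cert_path.read_bytes()).hexdigest()

def reload_if_changed(cert_path: Path = CERT_PATH, state_path: Path = STATE_PATH,
                      reload_cmd=RELOAD_CMD) -> bool:
    """Reload only when the cert differs from the one we last reloaded for.

    Returns True if a reload was issued. The fingerprint is persisted only
    after the reload command exits 0, so a failed reload is retried on the
    next cron run instead of being silently forgotten.
    """
    current = cert_fingerprint(cert_path)
    previous = state_path.read_text().strip() if state_path.exists() else None
    if current == previous:
        return False
    subprocess.run(reload_cmd, check=True)
    state_path.parent.mkdir(parents=True, exist_ok=True)
    state_path.write_text(current + "\n")
    return True

if __name__ == "__main__":
    print("reloaded" if reload_if_changed() else "unchanged")
```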
baby - 5 minutes ago
About the elephant in the room: Let's Encrypt is becoming too big
to fail. Wasn't the point of open sourcing the whole protocol so
that we could have multiple CAs like Let's Encrypt?