Re: [Acme] Well Known CA->client poll on port 80/443 in http-acme
Dirk-Willem van Gulik <dirkx@webweaving.org> Sun, 15 January 2017 17:55 UTC
Return-Path: <dirkx@webweaving.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 588681294E6 for <acme@ietfa.amsl.com>; Sun, 15 Jan 2017 09:55:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.2
X-Spam-Level:
X-Spam-Status: No, score=-3.2 tagged_above=-999 required=5 tests=[RP_MATCHES_RCVD=-3.199, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rOEFz6mfqpJb for <acme@ietfa.amsl.com>; Sun, 15 Jan 2017 09:55:29 -0800 (PST)
Received: from weser.webweaving.org (weser.webweaving.org [148.251.234.232]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 59786129640 for <acme@ietf.org>; Sun, 15 Jan 2017 09:55:29 -0800 (PST)
Received: from beeb.leiden.webweaving.org (5ED06D14.cm-7-1b.dynamic.ziggo.nl [94.208.109.20]) (authenticated bits=0) by weser.webweaving.org (8.15.2/8.15.2) with ESMTPSA id v0FHsA6F050661 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Sun, 15 Jan 2017 18:54:12 +0100 (CET) (envelope-from dirkx@webweaving.org)
X-Authentication-Warning: weser.webweaving.org: Host 5ED06D14.cm-7-1b.dynamic.ziggo.nl [94.208.109.20] claimed to be beeb.leiden.webweaving.org
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
From: Dirk-Willem van Gulik <dirkx@webweaving.org>
In-Reply-To: <20170115173659.GA27033@LK-Perkele-V2.elisa-laajakaista.fi>
Date: Sun, 15 Jan 2017 18:54:10 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <38DABE99-99B0-41BE-8D27-EC519C30D3AE@webweaving.org>
References: <9099A621-D460-47B6-9172-0984CF3A0DC8@webweaving.org> <20170115140330.GA26429@LK-Perkele-V2.elisa-laajakaista.fi> <6AEBC4C9-FA1B-4672-AE58-15C165722B30@webweaving.org> <20170115142931.GB26429@LK-Perkele-V2.elisa-laajakaista.fi> <65DAC165-2700-4DA5-A492-28B1F2E60541@webweaving.org> <20170115150407.GA26702@LK-Perkele-V2.elisa-laajakaista.fi> <CD5EBC6C-456C-4A08-AE98-4166F2270E77@webweaving.org> <20170115173659.GA27033@LK-Perkele-V2.elisa-laajakaista.fi>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
X-Mailer: Apple Mail (2.3259)
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.4.3 (weser.webweaving.org [148.251.234.232]); Sun, 15 Jan 2017 18:54:12 +0100 (CET)
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/SrmODS1nHiui_ST-3HlM18xj2q8>
Cc: acme@ietf.org
Subject: Re: [Acme] Well Known CA->client poll on port 80/443 in http-acme
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Jan 2017 17:55:30 -0000
> On 15 Jan 2017, at 18:36, Ilari Liusvaara <ilariliusvaara@welho.com> wrote: > > On Sun, Jan 15, 2017 at 05:59:43PM +0100, Dirk-Willem van Gulik wrote: >> >> We have sufficient infrastructure for that in apache and its >> APR utility library. >> >> I am trying to understand enough of the considerations of ACME >> (such as the choise for the the ‘Authorized Ports’ list as defined >> in that CABForum BR) to help me make the right trade offs between >> a) bringing the webserver up in a relatively insecure fashion for >> a short period of time and getting the business of (re)new cert’s >> over as robustly as possible v.s. spinning up much more surface of >> things that can confuse -or- go wrong (including apache its normal >> devolved setuid()/chroot() post forking & opening the < 1024 sockets), >> are expensive to maintain or prone to abuse. > > There's also the fact that HTTP-01 will follow redirects to https:// > (just the initial request has to be http://), ignoring certificate > validity. > >> And secondly I am trying to come to grips with the advent of >> virtualisation & containerisation causing the concepts of virtual >> hosts to change; rather than have 10’s of thousands of VHOSTs in a >> single config/binary; all listening to all IP’s on port 80 - so common >> at the turn of the century - one now increasingly sees a lot of port >> mapping - where in effect each httpd runs ‘alone’, in a container, with >> a single vhost config - albeit on a funny port. > > The funny ports are because one can't get enough IPv4 address space > to give each container its own address? > >> Which may, or may not be, mapped to some IP:80 or through some LB/fan-out >> proxy that has a FQDN->internal IP & port table. Software defined >> networking seems to favour the latter. >> >> But the net effect is that that makes the listening on port 80 for a FQDN >> that is elsewhere configured to be visible on just a single IP:443 (mapped >> to -> internal-ip + high port) rather much out of reach. As a listen *:80 >> is no longer effective. Especially for the cohort of users for whom the >> scripting is already out of reach. > > Well, if the port 80 on the same external IP could be configured to serve > a redirect to https for validation requests (which is just a static > mapping per FQDN), then those requests would presumably be sent to the > container. > > That is, rule of form: http://foo.example/.well-known/acme-challenge/bar > -> https://foo.example/.well-known/acme-challenge/bar > > And the secondary requests also AFAIK have SNI on TLS level, so one can > route on that too. That is indeed the alternative — surmise that as the user (no matter how VM’s, containers, virtual load balancers or whatever is configured) will want to end up visible on port 443 with a cert — we focus on some blind http->https redirect which can be configured in bulk; and always bring up an TLS+SSL on 443 with a self signed cert if we do not yet have an acme cert (and using the same private key for thus). Dw.
- [Acme] Well Known CA->client poll on port 80/443 … Dirk-Willem van Gulik
- Re: [Acme] Well Known CA->client poll on port 80/… Ilari Liusvaara
- Re: [Acme] Well Known CA->client poll on port 80/… Dirk-Willem van Gulik
- Re: [Acme] Well Known CA->client poll on port 80/… Ilari Liusvaara
- Re: [Acme] Well Known CA->client poll on port 80/… Dirk-Willem van Gulik
- Re: [Acme] Well Known CA->client poll on port 80/… Ilari Liusvaara
- Re: [Acme] Well Known CA->client poll on port 80/… Salz, Rich
- Re: [Acme] Well Known CA->client poll on port 80/… Dirk-Willem van Gulik
- Re: [Acme] Well Known CA->client poll on port 80/… Ilari Liusvaara
- Re: [Acme] Well Known CA->client poll on port 80/… Dirk-Willem van Gulik
- Re: [Acme] Well Known CA->client poll on port 80/… Ilari Liusvaara