From mirageos-devel-bounces@lists.xenproject.org Mon Sep 14 00:30:06 2020
To: mirageos-devel@lists.xenproject.org
From: Mindy Preston <mindy@somerandomidiot.com>
Subject: status of Let's Encrypt for MirageOS webservers?
Message-ID: <2ac3274d-37b7-1044-b51a-47c6037f7ec6@somerandomidiot.com>
Date: Sun, 13 Sep 2020 19:29:27 -0500

Hi all,

Certificate renewal time has come and gone once again, leading me to 
wonder whether there's a convenient way to use Let's Encrypt for my 
MirageOS webserver (based heavily on mirage-www) yet.

So... is there?

-Mindy



From mirageos-devel-bounces@lists.xenproject.org Mon Sep 14 08:16:08 2020
To: mirageos-devel@lists.xenproject.org
References: <2ac3274d-37b7-1044-b51a-47c6037f7ec6@somerandomidiot.com>
From: Hannes Mehnert <hannes@mehnert.org>
Subject: Re: status of Let's Encrypt for MirageOS webservers?
Message-ID: <11714ac1-eb8c-ea8a-506f-4c0dc49cd89c@mehnert.org>
Date: Mon, 14 Sep 2020 09:55:39 +0200
In-Reply-To: <2ac3274d-37b7-1044-b51a-47c6037f7ec6@somerandomidiot.com>

Hi,

On 14/09/2020 02:29, Mindy Preston wrote:
> Certificate renewal time has come and gone once again, leading me to
> wonder whether there's a convenient way to use Let's Encrypt for my
> MirageOS webserver (based heavily on mirage-www) yet.
>
> So... is there?

Apart from using authoritative DNS servers
(https://hannes.nqsb.io/Posts/DnsServer#Let-39-s-encrypt), I recommend
looking into the unipi snippet which uses "the ALPN challenge" (i.e.
nothing apart from the webserver is needed):

https://github.com/roburio/unipi/blob/101860be01b965bd1a40aa92beb5c24e9117ea98/unikernel.ml#L146-L272

Upside: no further systems are involved, renews the certificate every 80 days
Downside: doesn't persist the certificate -> on each reboot of your
unikernel, a LE certificate will be requested (so far I haven't found time
to experiment with block devices (file systems?) for storing the
certificate temporarily, still on my TODO list somewhere)


Best,

hannes
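
As an added example, not code from this thread or from unipi: a stdlib-only Python sketch of what the TLS-ALPN-01 challenge (RFC 8737) that the unipi snippet relies on requires the webserver to present, and what the CA's validator checks on the connection. The account key, token and hostname are constructed sample values, and the extension is shown as its DER value rather than inside a full X.509 certificate.

```python
# Added example (not from the thread or unipi): the values a TLS-ALPN-01
# responder (RFC 8737) must present, computed with the standard library only.
import base64
import hashlib
import json

ACME_TLS_ALPN = b"acme-tls/1"                  # ALPN protocol id fixed by RFC 8737
ID_PE_ACME_IDENTIFIER = "1.3.6.1.5.5.7.1.31"   # OID of the acmeIdentifier extension


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JWK require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required members, in
    lexicographic order, serialised with no whitespace (extra members such
    as 'alg' are excluded)."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' base64url(thumbprint(account key))."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def acme_identifier_ext_value(key_auth: str) -> bytes:
    """DER value of the acmeIdentifier extension: an OCTET STRING (tag 0x04,
    length 0x20) wrapping the SHA-256 digest of the key authorization."""
    return b"\x04\x20" + hashlib.sha256(key_auth.encode("ascii")).digest()


def validator_accepts(negotiated_alpn: bytes, san_dns_names: list, ext_critical: bool,
                      ext_value: bytes, identifier: str, expected_key_auth: str) -> bool:
    """The checks the CA applies to the self-signed challenge certificate."""
    return (negotiated_alpn == ACME_TLS_ALPN
            and san_dns_names == [identifier]     # exactly one SAN: the identifier
            and ext_critical                      # the extension MUST be critical
            and ext_value == acme_identifier_ext_value(expected_key_auth))


# Constructed sample account key and token; not real ACME data.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-not-a-real-key", "alg": "RS256"}
SAMPLE_TOKEN = "constructed-challenge-token-0001"

if __name__ == "__main__":
    ka = key_authorization(SAMPLE_TOKEN, SAMPLE_JWK)
    print(ka, acme_identifier_ext_value(ka).hex())
```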


