
Re: status of Let's Encrypt for MirageOS webservers?



On 9/14/20 2:55 AM, Hannes Mehnert wrote:

> Hi,
>
> On 14/09/2020 02:29, Mindy Preston wrote:
>> Certificate renewal time has come and gone once again, leading me to
>> wonder whether there's a convenient way to use Let's Encrypt for my
>> MirageOS webserver (based heavily on mirage-www) yet.
>>
>> So... is there?
>
> Apart from using authoritative DNS servers
> (https://hannes.nqsb.io/Posts/DnsServer#Let-39-s-encrypt), I recommend
> to look into the unipi snippet which uses "the ALPN challenge" (i.e.
> nothing apart from the webserver needed):
>
> https://github.com/roburio/unipi/blob/101860be01b965bd1a40aa92beb5c24e9117ea98/unikernel.ml#L146-L272
>
> Upside: no further systems are involved, renews certificate every 80 days
> Downside: doesn't persist certificate -> on each reboot of your
> unikernel, a LE certificate will be requested (I so far didn't find time
> to experiment with block devices (file systems?) for storing the
> certificate temporarily, still on my TODO list somewhere)

I was able to adapt this to a usable solution rather than paying for yet another TLS certificate today. A very belated thank you!

Cheers,

Mindy




 

