Ticket #419: SSL certificate automation and Let’s Encrypt integration
Reporter: andersk
Type: enhancement
Status: new
Priority: major
Component: pony

Description:

We would like to be able to accept certificates from [https://letsencrypt.org/ Let’s Encrypt]. Unfortunately, because Let’s Encrypt issues certificates with a 90 day lifetime, this would significantly increase our regular maintenance burden. So we need to develop some kind of automation before allowing this:

 1. '''CSR generation.''' Leaving this as a manual process is probably acceptable for now, since it only needs to happen once per host: CSRs are reusable as long as the key doesn’t change. Automating CSRs is the topic of #241.
 2. '''Interface for the user to provide certificates.''' The user could upload or paste their certificate into Pony, which would store it into the vhost’s LDAP record. It would be good to have a token-based API to let the user automate this without client certificates.
 3. '''Validation of provided certificates.''' This is necessary because an invalid certificate can cause Apache to fail to start (although that’s less of an issue with #52). It would also be nice to warn the user about common errors like incomplete or misordered chains.
 4. '''Making Apache use the certificates.''' An ideal solution is #52, but that requires some nontrivial Apache development. Until then, we could write a daily cronjob to copy out the certificates and reload Apache. In fact, the cronjob might as well reify the vhost configurations too, so that we can ditch all the per-site configuration in svn.
 5. '''Helping users automate Let’s Encrypt renewals.''' This might take the form of a script for the user to serve at .well-known/acme-challenge and a line for the user to add to their crontab.

See also [https://help.mit.edu/Ticket/Display.html?id=3519679 help.mit.edu #3519679].

An alternative idea mentioned there is storing certificates as files in the corresponding lockers rather than in LDAP; however, this would make it impossible for the user to get feedback from validation, and would conflict with #52.
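The validation step 3 describes, as an added example that is not Pony's code: it checks that the uploaded private key belongs to the leaf certificate and that the PEM bundle is leaf-first with each certificate followed by its issuer, so a bad upload is rejected with a message rather than reaching Apache. It assumes the openssl CLI is on PATH; the file names are placeholders.

```shell
#!/bin/sh
# Added example (not Pony's code): pre-storage checks for a user-supplied
# private key and PEM certificate bundle, covering the "wrong key" and
# "incomplete or misordered chain" cases before Apache ever sees the files.
# Assumes the openssl CLI is on PATH.

# Split a PEM bundle ($1) into ${2}1.pem, ${2}2.pem, ...; print the cert count.
split_chain() {
    awk -v prefix="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = prefix n ".pem" }
        n { print > out }
        END { print n + 0 }
    ' "$1"
}

# Succeed only if the private key ($1) belongs to the first certificate in $2:
# both are reduced to their public key in PEM form and compared textually.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeed only if the bundle ($1) is leaf-first and every certificate is
# followed by the one that issued it; the first break in the chain is reported.
chain_ordered() {
    dir=$(mktemp -d) || return 1
    n=$(split_chain "$1" "$dir/cert")
    [ "$n" -ge 1 ] || { rm -rf "$dir"; return 1; }
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -in "$dir/cert$i.pem" -noout -issuer)
        subject=$(openssl x509 -in "$dir/cert$((i + 1)).pem" -noout -subject)
        # Drop the "issuer=" / "subject=" labels; the DN text that follows is
        # printed in the same style by both options, whatever the OpenSSL version.
        if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
            echo "certificate $i is not followed by its issuer" >&2
            rm -rf "$dir"
            return 1
        fi
        i=$((i + 1))
    done
    rm -rf "$dir"
}

# Run both checks; usage: check_bundle server.key chain.pem
check_bundle() {
    key_matches_cert "$1" "$2" || { echo "key does not match leaf certificate" >&2; return 1; }
    chain_ordered "$2"
}
```

A self-signed root as the only certificate passes the ordering check, so a check that the bundle actually ends at a trusted root (for example with openssl verify) would still be needed before storing it.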