Ask for domain and get valid HTTPS certificate with Let's Encrypt
If the manager can ask for a domain for the server (and if the user has one), you can get a valid HTTPS certificate. Also, many hosting providers give their own domain for the server based on its IP, something like ip.youhoster.com. If we can have a valid HTTPS certificate, we can make a web version of Outline Manager!
This is a great idea, and it would enable a web-based Manager (https://github.com/Jigsaw-Code/outline-apps/issues/1871)
We'll add this to our backlog.
The integration of an LE certificate may be more important than we think (depending on the answers to these questions):
- Is there any validation mechanism in place regarding the certificates?
- Can the client side identify which certificate is an authentic certificate created by the specific Outline server?
- Can a middle service provider use a crafted self-signed certificate to intercept client connection attempts and find out that the target endpoint is an Outline server (e.g., by installing an Outline server and scraping the certificate)?
- Could the 100-year validity period for the certificate give a hint to those who try to identify the traffic type and block them (a scanning station that lists all endpoints with 100-year certificate validity)?
> Is there any validation mechanism in place regarding the certificates?
Yes: see our custom fetch logic here.
> Can the client side identify which certificate is an authentic certificate created by the specific outline server?
Yes: see e.g. here for DigitalOcean servers.
Fingerprinting and probing vulnerabilities are a concern. Probing vulnerabilities, however, are potentially mitigated by the use of random port numbers.
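
The questions above turn on how a client can trust one specific self-signed certificate without a public CA. One common way is to pin the certificate's SHA-256 fingerprint; the sketch below is an added example, not Outline's code, and assumes the client received the fingerprint out of band. `parseFingerprint`, `matchesPin` and `connectPinned` are hypothetical names, and the sample "certificates" are constructed byte strings.

```javascript
const crypto = require('node:crypto');
const tls = require('node:tls');

// Normalise "AB:CD:...", "abcd..." or mixed forms to a 32-byte Buffer.
function parseFingerprint(text) {
  const hex = text.replace(/[:\s]/g, '').toLowerCase();
  if (!/^[0-9a-f]{64}$/.test(hex)) {
    throw new Error('expected a SHA-256 fingerprint (64 hex digits)');
  }
  return Buffer.from(hex, 'hex');
}

// True only if the DER-encoded certificate hashes to the pinned value.
function matchesPin(certDer, pinnedFingerprint) {
  const actual = crypto.createHash('sha256').update(certDer).digest();
  return crypto.timingSafeEqual(actual, parseFingerprint(pinnedFingerprint));
}

// CA validation is switched off because the certificate is self-signed;
// the pin check below replaces it, so it must run before any data is sent.
function connectPinned(host, port, pinnedFingerprint) {
  return new Promise((resolve, reject) => {
    const socket = tls.connect({ host, port, rejectUnauthorized: false }, () => {
      const cert = socket.getPeerCertificate();
      if (cert && cert.raw && matchesPin(cert.raw, pinnedFingerprint)) {
        resolve(socket);
      } else {
        socket.destroy();
        reject(new Error('server certificate does not match the pinned fingerprint'));
      }
    });
    socket.on('error', reject);
  });
}

// Constructed stand-ins for two DER certificates (not real certificates).
const serverCert = Buffer.from('constructed-cert-A');
const otherCert = Buffer.from('constructed-cert-B');
const pin = crypto.createHash('sha256').update(serverCert).digest('hex');
```

A certificate substituted by an intermediary hashes to a different value, so `matchesPin` rejects it even when its subject and validity fields are copied from the real one.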