
[Feature Request] To add automatic letsencrypt DNS-01 challenge just like caddy web server

Open diyism opened this issue 2 years ago • 4 comments

The biggest selling point of caddy web server is the automatic letsencrypt DNS-01 challenge, the configuration of Caddyfile is very simple:

{
    servers {
        protocols h3
    }
    acme_dns cloudflare <api token>
}

:443, mysite.com:443 {
    respond / "Hello, world!"
}

So I'm expecting this in fullmoon.

diyism avatar Nov 25 '23 04:11 diyism

I've definitely considered this, but it's likely that HTTP-01 challenge is implemented first (https://letsencrypt.org/docs/challenge-types/). Things are not going to be simple for a couple of reasons: (1) if you look at Caddy's implementation of the cert management, there are a lot of things that need to be handled (with some of them implemented by other libraries, which are not going to be available here), and (2) some of the crypto methods needed to generate certificate-signing-request, signing requests, and a couple of other things (well described here: https://github.com/alexpeattie/letsencrypt-fromscratch#d-option-2-completing-the-dns-01-challenge) need to be added to redbean to allow them to be used from fullmoon.

pkulchenko avatar Nov 25 '23 06:11 pkulchenko

I found a lua repo that supports http-01: https://github.com/fffonion/lua-resty-acme

diyism avatar Nov 25 '23 07:11 diyism

Yes, but it depends on lua-resty-openssl, which in turn depends on both Lua JIT/FFI (not supported in redbean) and openssl library (not available in redbean either, which is using MbedTLS). It's still useful to have, as it implements the actual packaging, request/response, and the challenge logic, but the underlying crypto methods it uses still need to be implemented in redbean.

pkulchenko avatar Nov 25 '23 08:11 pkulchenko

Here is the list of openssl calls from ACME.pm that shows relevant OpenSSL functions that may need to be implemented using MbedTLS:

capturex('openssl', ('genrsa', '-out', $_, KEY_SIZE));
capturex('openssl', ('rsa', '-text', '-in', $self->{domain}{account}, '-noout', '-modulus'));
capturex('openssl', ('rsa', '-in', $self->{domain}{account}, '-pubout'));
capturex('openssl', ('dgst', '-sha256', '-binary', '-sign', $self->{domain}{account}, $stf->filename));
capturex('openssl', ('req', '-new', '-outform', 'DER', '-key', $self->{domain}{key}, '-config', $oct->filename, '-out', $self->{req}{csr}));

pkulchenko avatar Nov 26 '23 04:11 pkulchenko
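To separate the pieces that need MbedTLS bindings from the ones that do not, here is an added example (not code from fullmoon, redbean, lua-resty-acme or ACME.pm) of the challenge-response computations that both the HTTP-01 and DNS-01 flows discussed in this thread share. It is written in Python rather than Lua because the logic is protocol-level and portable: from the account key's RSA modulus and exponent (the values the `rsa -modulus` / `-pubout` calls in the list above extract) it builds the public JWK, the RFC 7638 thumbprint, the HTTP-01 key authorization and the DNS-01 TXT value. Only SHA-256 and base64url are needed for this part; the RSA signing of the JWS request bodies (the `dgst -sha256 -sign` call) is the piece that still needs the crypto methods pkulchenko mentions. The modulus and the challenge token below are constructed sample values, not a real key or a real CA-issued token.

```python
import base64
import hashlib
import json
import re

# Constructed sample values (NOT a real key): a 2048-bit odd integer with the
# top bit set so it has the shape of an RSA modulus, plus the usual exponent.
_SEED = hashlib.sha256(b"constructed sample modulus, not a real key").digest()
SAMPLE_N = int.from_bytes(_SEED * 8, "big") | (1 << 2047) | 1
SAMPLE_E = 65537
# Constructed sample token in the shape a CA would return in a challenge object.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

# RFC 8555 section 8.3: tokens must only contain base64url characters. Checking this
# before using the token as a filename or DNS label stops a malicious/buggy CA
# response from steering the client into writing outside the challenge directory.
_TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE/ACME require (RFC 7515 section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sha256_b64url(data: bytes) -> str:
    """Base64url-encoded SHA-256 digest; used for thumbprint and DNS-01 value."""
    return b64url(hashlib.sha256(data).digest())


def int_to_b64url(value: int) -> str:
    """Encode an unsigned big-endian integer (RSA n or e) as a JWK field."""
    length = max(1, (value.bit_length() + 7) // 8)
    return b64url(value.to_bytes(length, "big"))


def rsa_jwk(n: int, e: int) -> dict:
    """Public JWK for an RSA account key (RFC 7517 section 6.3.1)."""
    return {"kty": "RSA", "n": int_to_b64url(n), "e": int_to_b64url(e)}


def canonical_jwk_json(jwk: dict) -> str:
    """RFC 7638 canonical form: required members only, lexicographic key order,
    no whitespace. Any deviation changes the thumbprint and fails validation."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 thumbprint of the account key (RFC 7638)."""
    return sha256_b64url(canonical_jwk_json(jwk).encode("utf-8"))


def key_authorization(token: str, jwk: dict) -> str:
    """HTTP-01: body served at /.well-known/acme-challenge/<token> (RFC 8555 section 8.1)."""
    if not _TOKEN_RE.fullmatch(token):
        raise ValueError("challenge token is not base64url; refusing to use it")
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """DNS-01: TXT record at _acme-challenge.<domain> is the base64url SHA-256
    of the key authorization, not the key authorization itself (RFC 8555 section 8.4)."""
    return sha256_b64url(key_authorization(token, jwk).encode("utf-8"))


if __name__ == "__main__":
    jwk = rsa_jwk(SAMPLE_N, SAMPLE_E)
    print("account JWK thumbprint:", jwk_thumbprint(jwk))
    print("HTTP-01 response body: ", key_authorization(SAMPLE_TOKEN, jwk))
    print("DNS-01 TXT value:      ", dns01_txt_value(SAMPLE_TOKEN, jwk))
```

The same thumbprint is what the CA computes from the `jwk` field of the account's JWS requests, so the JWK the client signs with and the one it hashes here must be built from identical `n`/`e` encodings (no leading zero bytes, no padding); that is the most common reason a self-written client passes signing but fails challenge validation.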