Use `lego` binary to handle HTTP-01 challenge #1763

accuser · 2025-03-14T08:37:17Z

Since #1753 the DNS-01 challenge is handled with the lego binary. HTTP-01 challenge can also now be handled with the lego binary.

Proposed changes:

Add core.http_address to config.
Add well-known HTTP server to incusd that is enabled when core.http_address is valid. This new server simply serves files from the .well-known subfolder of var root (i.e., /var/lib/incus).
When updating certificates using HTTP-01 challenge, call lego with the --http.port [port] --http.webroot [webroot] settings so that the challenge token is written to the file system folder [webroot]/.well-known/acme-challenge/ and available via http://[domain]:[port]/.well-known/acme-challenge/[token]

I have this as a PoC in a local branch, but want to sense check this approach first before submitting a PR @stgraber.

The text was updated successfully, but these errors were encountered:

stgraber · 2025-03-14T15:24:20Z

SO in general, we don't want Incus to have an HTTP listener, we only do HTTPS.

Can lego itself run the http server during validation?

accuser · 2025-03-14T16:01:04Z

It can - I'm just testing now. If this works, I'll submit a PR shortly.

accuser · 2025-03-14T16:34:13Z

I've just submitted PR #1770, now with no HTTP serving .well-known files. 😉

stgraber added this to the incus-6.11 milestone Mar 14, 2025

accuser mentioned this issue Mar 14, 2025

Use lego binary for http 01 challenge #1770

Merged

stgraber closed this as completed Mar 18, 2025

Provide feedback