Skip to content

relay: no support for wildcard certs #1108

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
Arqu opened this issue Jun 14, 2023 · 3 comments · Fixed by #2999
Closed

relay: no support for wildcard certs #1108

Arqu opened this issue Jun 14, 2023 · 3 comments · Fixed by #2999
Assignees
@Arqu
Labels
c-iroh-relay feat New feature or request
Milestone
v0.30.0

Comments

@Arqu
Copy link
Collaborator

Arqu commented Jun 14, 2023

The current implementation of derper does not support wildcard certs.
This describes the possible challenge methods and which are compatible with *.domain.tld certificates.
@Arqu Arqu added this to iroh Jun 14, 2023
@github-project-automation github-project-automation bot moved this to 📋 Backlog - unassigned issues in iroh Jun 14, 2023
@dignifiedquire
Copy link
Contributor

Manual certificate mode is available as workaround for now.

@dignifiedquire dignifiedquire added feat New feature or request c-iroh-relay labels Jun 28, 2023
@Arqu
Copy link
Collaborator Author

Arqu commented Oct 10, 2024

This is still active, we only do the TLS-ALPN-01 challenge

@divagant-martian divagant-martian changed the title derper: no support for wildcard certs relay: no support for wildcard certs Oct 10, 2024
@Arqu
Copy link
Collaborator Author

Arqu commented Nov 18, 2024

Making sure the issue is up to date:
This basically boils down to it not being worth supporting the DNS challenge directly and writing whatever number of integrations with DNS providers. The solution is to write a custom cert resolver that just hot-reloads the cert every day and putting certbot in front with the right DNS config to handle the renewals.

@Arqu Arqu self-assigned this Nov 18, 2024
@Arqu Arqu moved this from 📋 Backlog to 🏗 In progress in iroh Nov 18, 2024
@Arqu Arqu added this to the v0.29.0 milestone Nov 18, 2024
@dignifiedquire dignifiedquire modified the milestones: v0.29.0, v0.30.0 Nov 28, 2024
@Arqu Arqu mentioned this issue Dec 3, 2024
Merged
4 tasks
github-merge-queue bot pushed a commit that referenced this issue Dec 12, 2024
@Arqu
feat(relay): reloading certificate resolver (#2999)
c37895b 
## Description

This sets us up so we can have manually/externally managed certs that
will reload on a daily basis. This should close
#1108 and we should follow up
on the ops side to utilize this where needed.

Ok, this turned out to be much grosser than expected. 
- I don't like the new dependencies we introduce
- I don't like the loader setup
- I'm unsure whether to keep the reloading resolver in the `iroh` repo
or move it into `tokio-rustls-acme` (think it should move over, but for
the sake of this discussion, included it here)
- Should I do anything with the `_handle` for the reloader in regards to
shutting down?

Most of this still feels necessary. I could maybe feature flag it?
I had a really hard time trying to extract the loader creation into a
standalone func which also aligns all the traits and error types so the
thing compiles.

Suggestions are welcome :)

Example config:
```
enable_relay = true
http_bind_addr = "[::]:80"
enable_stun = true
stun_bind_addr = "[::]:3478"
enable_metrics = true
metrics_addr = "127.0.0.1:9090"

[tls]
manual_cert_path="certificate.der"
manual_key_path="private_key.der"
cert_mode = "Reloading"
```

## Breaking Changes

<!-- Optional, if there are any breaking changes document them,
including how to migrate older code. -->

## Notes & open questions

<!-- Any notes, remarks or open questions you have to make about the PR.
-->

## Change checklist

- [ ] Self-review.
- [ ] Documentation updates following the [style
guide](https://rust-lang.github.io/rfcs/1574-more-api-documentation-conventions.html#appendix-a-full-conventions-text),
if relevant.
- [ ] Tests if relevant.
- [ ] All breaking changes documented.
@github-project-automation github-project-automation bot moved this from 🏗 In progress to ✅ Done in iroh Dec 12, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Arqu Arqu

Labels
c-iroh-relay feat New feature or request
Projects
iroh
Archived in project
Milestone
v0.30.0
Development

Successfully merging a pull request may close this issue.

feat(relay): reloading certificate resolver n0-computer/iroh
2 participants
@dignifiedquire @Arqu