Skip to content

Commit

Permalink
small improvements, better order of sections
Browse files Browse the repository at this point in the history
  • Loading branch information
@mariuskimmina
mariuskimmina committed Apr 3, 2022
1 parent 0a593aa commit 827475d
Showing 1 changed file with 26 additions and 23 deletions.
49 changes: 26 additions & 23 deletions 20220403-ACME-TLS.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,21 @@ Some parts here can already be automated easily, like Generating a private key a

And all of these steps can be automated

## How ACME works

ACME is a client-server protocl where the Server side is implemented by a Certificate Authority (CA) such as [Let's Encrypt][lets-encrypt] the client side is implemented by a service that wants to obtain a valid certificate, such as CoreDNS in this case. The client has to prove ownership of a domain before the CA can give out a certificate, to achieve that, one of the following challenges has to be completed:

### HTTP01 Challenge
This requires port 80.

CA gives the ACME client a token which puts a file on the server at http://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN>. The file contains the token, plus a thumbprint of your account key. Once the client tells the CA that the file is ready, Let’s Encrypt tries retrieving it. If the validation checks get the right responses from the web server, the validation is considered successful and the certificate can be issued.

To implement this in CoreDNS I propose that the underlying Caddy server could be used to serve the file at `/.well-known/acme-challenge/`. I am not familar enough with the codebase of CoreDNS to know how feasible it would be to do this from a plugin - see questions and discussions section.

### DNS01 Challenge
After the CA gives the ACME client a token, the client will then create a TXT record derived from that token and your account key, and put that record at _acme-challenge.<YOUR_DOMAIN>. The CA queries the DNS system for that record and the certificate can be issued if it matches.
However, to do this automatically, the DNS provider needs to offer an API by which changes can be made to domain names. Wildcard certificates can be issued with this challenge.

## Deliverables
* The existing TLS plugin will be extended to support the ACME protocol
* It will be possible to setup CoreDNS with a verified certificate, signed by a CA such as Let's Encrypt, without manually generating and renewing it
Expand Down Expand Up @@ -91,20 +106,6 @@ To implement ACME there are a couple packages that we could use to help us such

Deciding for one of these implementation, or potentially even creating a new one, is an outstanding task.

### Challenges

To prove ownership of a domain with ACME, one of the following challenges has to be completed

### HTTP01 Challenge
This requires port 80.

CA gives the ACME client a token which puts a file on the server at http://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN>. The file contains the token, plus a thumbprint of your account key. Once the client tells the CA that the file is ready, Let’s Encrypt tries retrieving it. If the validation checks get the right responses from the web server, the validation is considered successful and the certificate can be issued.

To implement this in CoreDNS I propose that the underlying Caddy server could be used to serve the file at `/.well-known/acme-challenge/`. I am not familar enough with the codebase of CoreDNS to know how feasible it would be to do this from a plugin - see questions and discussions section.

### DNS01 Challenge
After the CA gives the ACME client a token, the client will then create a TXT record derived from that token and your account key, and put that record at _acme-challenge.<YOUR_DOMAIN>. The CA queries the DNS system for that record and the certificate can be issued if it matches.
However, to do this automatically, the DNS provider needs to offer an API by which changes can be made to domain names. Wildcard certificates can be issued with this challenge.

## Storage

Expand Down Expand Up @@ -176,13 +177,13 @@ The worker caches the CERT RR (for X seconds) to reduce querying the master for


**June 13 - September 19:**
* Integrate ACME library (or own implementation if necessary) into TLS plugin
* Implement Challenges
* Develop Tests for ACME challenges
* Start writing documentation
* Start working on cluster implementation
* Develop Tests for cluster implementation
* Finish the documentation
1. Integrate ACME library (or own implementation if necessary) into TLS plugin
2. Implement Challenges
3. Develop Tests for ACME challenges
3. Start writing documentation
4. Start working on cluster implementation
5. Develop Tests for cluster implementation
6. Finish the documentation

I hope to be done by September 01 the latest and have until September 19 as a buffer.
I will also be in contact with the mentors and hope to gather a lot of feedback along the way.
Expand All @@ -192,7 +193,6 @@ I will also be in contact with the mentors and hope to gather a lot of feedback
* Keep Contributing to CoreDNS and possibly other CNCF projects



## Questions and Discussion Topics

1. Do coredns have a domain for testing and development?
Expand All @@ -205,4 +205,7 @@ A lot of this proposal has been reused from a previous attempts [here](https://g

1. [ACME RFC](https://tools.ietf.org/html/rfc8555)
2. [DNS Challenge Types](https://letsencrypt.org/docs/challenge-types/)
3. [Explanation of ACME Protocol](https://www.thesslstore.com/blog/acme-protocol-what-it-is-and-how-it-works/)
3. [Explanation of ACME Protocol](https://www.thesslstore.com/blog/acme-protocol-what-it-is-and-how-it-works/)


[lets-encrypt]: https://letsencrypt.org/

0 comments on commit 827475d

Please sign in to comment.