kpcyrd / acme-redirect Goto Github PK

When trying to install the package under Debian 12 Bookworm:

apt update && apt install acme-redirect
Hit:1 http://deb.debian.org/debian bookworm InRelease
Hit:2 http://deb.debian.org/debian bookworm-updates InRelease
Hit:3 http://deb.debian.org/debian-security bookworm-security InRelease
Get:4 https://apt.vulns.sexy stable InRelease [1,804 B]
Get:5 https://apt.vulns.sexy stable/main amd64 Packages [1,376 B]
Fetched 3,180 B in 1s (2,978 B/s)    
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
W: https://apt.vulns.sexy/dists/stable/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 **acme-redirect : Depends: libssl1.1 (>= 1.1.0) but it is not installable**
E: Unable to correct problems, you have held broken packages.

Debian 12 Bookworm uses OpenSSL 3.0.x, as OpenSSL 1.1.1 is no longer maintained for this distro + will be EoL in September 11th 2023

Is there any workaround or update to keep using acme-redirect ?

Thanks.

Currently there is no way to force a renew of certificates when they are not expired. This is needed when the configuration changes (e.g. adding a new subdomain).

There are currently two places where the group is relevant:

• /var/lib/acme-redirect/ - systemd-tempfiles or openrc create this folder owned by acme-redirect:acme-redirect and 0750.
• /var/lib/acme-redirect/certs/*/privkey - created during renew and is set to 0640. Since you're likely to need root for your reload hooks the group for this file is likely to end up as root.

Services usually load the configuration privileged so this is not an issue, but they may need to be part of a specific group that is then granted access to /var/lib/acme-redirect/ and /var/lib/acme-redirect/certs/*/privkey.

The config should have an optional value that (if set) enforces a specific group if the group wasn't already set correctly during creation. The default configuration should set this to acme-redirect to match existing setups (development is going to need a different config), even if the renew is executed in unprivileged mode. If renew is executed by root we have the permissions necessary to update the group accordingly.

Our config value should be used for both of them, to ensure acme-redirect and systemd-tempfiles don't change this back and forth. /var/lib/acme-redirect/ can only be created with root permissions, so this is going to be done during the daemon setup (which is the most reliable way for us to ensure the setup can be done as root).

The owner for this folder is going to be:

• set according to the --user option in acme-redirect daemon if set
• left as-is if it isn't set
• if it doesn't exist we're going to create it with the owner being the current user (which is likely to be root)

Creating the folder with openrc or systemd-tempfiles isn't necessary afterwards.

Would it be possible to implement a pre-hook script, as certbot does?
Thanks.

Lighttpd seems to prefer the certificate in this format. This currently requires scripting in the exec hooks.

Hi. Is it possible to provide a pure Rust-based generation of certificates (that avoids openssl)? There seem to be libraries/apps that generate certificates using Rust already: https://crates.io/crates/certainly

Avoiding openssl makes sense for users who are worried about openssl vulnerabilities and [unnecessary] complexity.

Using the pure-rust implementation could then be hidden under a feature flag if openssl is desired to be used by default.

Right now the data dir seems to rely on either the default or run time flags. This does mean it can be set in a systemd service, but that makes changing the location difficult when installed from system packages. It also means every invocation from the CLI needs the matching data argument.

I suggest a certificate_dir or similar key in the [acme] section of the global config. This would simplify the necessary service files and allow CLI usage without flagging it every time. Moving the data dir out of /var/lib will be far more common than moving the system config file out of /etc.

Maintaining a list of exec hooks for every certificate can be tedious, instead we should have an extra list that applies to every certificate config in addition to individual configuration. Things like reloading nginx could qualify as a global hook.

If so, how to do so should probably be documented.

If not, can they be?

My use case is trying to setup an Apache HTTPS proxy in front of a GitLab Pages daemon. The latter has it's own certificate handling built in but using it requires running it on both port 80 and 443. That of course is precluded by my having only a single IP to work with, running acme-redirect on port 80 and Apache on 443 (with a mix of native sites and proxies to other daemons).

If it matters, by hope would be to get a wildcard cert for sub-sub domains (the main domain for my pages instance being itself a subdomain). If that's not possible of course a regular subdomain wildcard could work, I'd just have to purpose a new domain for it.

Built here: https://copr.fedorainfracloud.org/coprs/cyqsimon/acme-redirect/

Makes life easier for guys like me running RedHat servers

You can find the spec file's source here: https://github.com/cyqsimon/acme-redirect-spec

Installation instructions

dnf copr enable cyqsimon/acme-redirect
dnf install acme-redirect

Not much of a change, but the write bit for the owner shouldn't be necessary, so we shouldn't set it when writing the new certificate to disk.

mosquitto wants a file that contains only the CA chain. acme-redirect should create this file when writing the certificate to disk.

Err:5 https://apt.vulns.sexy stable InRelease
The following signatures were invalid: EXPKEYSIG 45A650E2638C536D kpcyrd [email protected]
Fetched 14.0 kB in 1s (10.3 kB/s)
Reading package lists... Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://apt.vulns.sexy stable InRelease: The following signatures were invalid: EXPKEYSIG 45A650E2638C536D kpcyrd [email protected]
W: Failed to fetch https://apt.vulns.sexy/dists/stable/InRelease The following signatures were invalid: EXPKEYSIG 45A650E2638C536D kpcyrd [email protected]
W: Some index files failed to download. They have been ignored, or old ones used instead.