Project

General

Profile

Actions

Story #13446

closed

[keepstore] secure keepstore traffic with TLS

Added by Tom Clegg over 6 years ago. Updated over 6 years ago.

Status:
Resolved
Priority:
Normal
Assigned To:
Category:
Keep
Target version:
Start date:
05/09/2018
Due date:
% Done:

100%

Estimated time:
(Total: 0.00 h)
Story points:
1.0
Release:
Release relationship:
Auto

Description

Background: Clients (including keepproxy) already have TLS support -- otherwise, they wouldn't be able to connect to keepproxy in a typical setup. However, keepstore itself does not have built-in support for TLS, and setting up Nginx alongside each keepstore is a burden.

Load certificate and key from configured location (e.g., /var/lib/acme/live/...) at startup
  • If cert+key cannot be loaded, error out
Reload cert+key if they change on disk SIGHUP is received (acmetool or something similar will be refreshing certs)
  • If cert+key cannot be loaded, log a warning and continue using old cert+key

If cert+key locations are not configured, just serve plain http as before.

https://blog.gopheracademy.com/advent-2016/exposing-go-on-the-internet/

The job of obtaining and renewing certificates and copying them to the appropriate locations is left to the operator. The easiest solution is probably to allow traffic on port 80 to keepstore nodes and use acmetool's "redirector" validation strategy. One could also obtain a certificate on a different node using split-horizon DNS or DNS validation, then copy it to the keepstore node.


Subtasks 1 (0 open1 closed)

Task #13462: Review 13446-keepstore-tlsResolvedPeter Amstutz05/09/2018

Actions
Actions #1

Updated by Tom Morris over 6 years ago

  • Target version set to 2018-05-23 Sprint
  • Story points set to 1.0
Actions #2

Updated by Tom Clegg over 6 years ago

  • Assigned To set to Tom Clegg
Actions #3

Updated by Tom Clegg over 6 years ago

  • Status changed from New to In Progress
Actions #4

Updated by Tom Clegg over 6 years ago

  • Description updated (diff)

13446-keepstore-tls @ b4a283a9f142209b22fabda98ea2573cf0dbe281

New config parameters added:

TLSCertificateFile:                                                                                                                        

    Path to server certificate file in X509 format. Enables TLS mode.                                                                      

    Example: /var/lib/acme/live/keep0.example.com/fullchain                                                                                

TLSKeyFile:                                                                                                                                

    Path to server key file in X509 format. Enables TLS mode.                                                                              

    The key pair is read from disk during startup, and whenever SIGHUP                                                                     
    is received.                                                                                                                           

    Example: /var/lib/acme/live/keep0.example.com/privkey                                                                                  

Actions #5

Updated by Tom Clegg over 6 years ago

  • Description updated (diff)
Actions #6

Updated by Tom Clegg over 6 years ago

  • Description updated (diff)
Actions #8

Updated by Tom Clegg over 6 years ago

checked with ops about config/docs in note-4 → "sounds reasonable"

Actions #9

Updated by Peter Amstutz over 6 years ago

This business of circulating the current certificate through a buffered channel seems excessively clever compared to a plain old mutex, but it seems to be sound.

LGTM.

Actions #10

Updated by Ward Vandewege over 6 years ago

  • Status changed from In Progress to Resolved
Actions #11

Updated by Tom Morris over 6 years ago

  • Release set to 13
Actions

Also available in: Atom PDF