Story #13446
closed[keepstore] secure keepstore traffic with TLS
100%
Description
Background: Clients (including keepproxy) already have TLS support -- otherwise, they wouldn't be able to connect to keepproxy in a typical setup. However, keepstore itself does not have built-in support for TLS, and setting up Nginx alongside each keepstore is a burden.
Load certificate and key from configured location (e.g., /var/lib/acme/live/...) at startup- If cert+key cannot be loaded, error out
- If cert+key cannot be loaded, log a warning and continue using old cert+key
If cert+key locations are not configured, just serve plain http as before.
https://blog.gopheracademy.com/advent-2016/exposing-go-on-the-internet/
The job of obtaining and renewing certificates and copying them to the appropriate locations is left to the operator. The easiest solution is probably to allow traffic on port 80 to keepstore nodes and use acmetool's "redirector" validation strategy. One could also obtain a certificate on a different node using split-horizon DNS or DNS validation, then copy it to the keepstore node.