Project

General

Profile

Story #13446

Updated by Tom Clegg over 6 years ago

Background: Clients (including keepproxy) already have TLS support -- otherwise, they wouldn't be able to connect to keepproxy in a typical setup. However, keepstore itself does not have built-in support for TLS, and setting up Nginx alongside each keepstore is a burden. 

 Load certificate and key from configured location (e.g., /var/lib/acme/live/...) at startup 
 * If cert+key cannot be loaded, error out 

 Reload cert+key if -they change on disk- SIGHUP is received (acmetool or something similar will be refreshing certs) 
 * If cert+key cannot be loaded, log a warning and continue using old cert+key 

 https://blog.gopheracademy.com/advent-2016/exposing-go-on-the-internet/ 

 The job of obtaining and renewing certificates and copying them to the appropriate locations is left to the operator. The easiest solution is probably to allow traffic on port 80 to keepstore nodes and use acmetool's "redirector" validation strategy. One could also obtain a certificate on a different node using split-horizon DNS or DNS validation, then copy it to the keepstore node. 

Back