
feature request: Support for multiple «certificate managers» #3486

@am97

Context

Follow-up of #3485

Besides Certbot and Traefik, which are actually supported by DMS, there are a lot of programs that can obtain and renew SSL certificates (Caddy, acme.sh and many others).

It could be possible to natively support some of these programs by creating «extractors».

Description

Here's an idea of how it might work:

  • Each extractor is a script
  • The user selects an extractor using SSL_TYPE, and mounts the certificates to a fixed location (for example, /certs)
  • At startup, if an extractor is selected, DMS sets the SSL_*_PATH variables to a fixed location and launches the extractor in the background.
  • The extractor uses custom logic to periodically extract the correct certificate and key (maybe also alt cert and key) and copies them to a fixed location (given by the SSL_*_PATH variables)
    • It could use inotifywait to wait efficiently for changes in a file/directory
  • The _monitored_files_checksums function is modified to check for changes when an extractor is used, for example:
      # SSL certs:
      if [[ ${SSL_TYPE:-} =~ ^manual$|^certbot$|^traefik$|^caddy$ ]]; then
        STAGING_FILES+=(
          "${SSL_CERT_PATH:-}"
          "${SSL_KEY_PATH:-}"
          "${SSL_ALT_CERT_PATH:-}"
          "${SSL_ALT_KEY_PATH:-}"
        )
      fi
  • That way, when any of the SSL_*_PATH changes, the SSL setup would run again

This could be optimized in a second phase:

  • The _check_for_changes function is currently called like that:
    while true; do
      _check_for_changes
      sleep 2
    done
    This could be changed to use inotifywait: there could be a background script that listens for changes in the Postfix / Dovecot config and calls the necessary functions when there are changes, and each extractor also calls the necessary functions when there are changes in the SSL files.

Alternatives

Another approach could be to use a separate container for the extractors. The advantages would be that there is no need to modify DMS code (we could just use SSL_TYPE=manual), and more security (just the necessary certificates would be exposed to DMS), but it would be more complicated for the final user, and use more resources.

Applicable Users

This would be useful for easily adding support for more «certificate managers». I'm willing to add support for Caddy, which would benefit users of DMS+Caddy.

Are you going to implement it?

Yes, because I know the probability of someone else doing it is low and I can learn from it.

What are you going to contribute?

I can implement the framework for the extractors, and a Caddy extractor.
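The following script is an added example of the extractor shape sketched above (the per-extractor script launched in the background, an inotifywait wait instead of a sleep loop, and a copy into the fixed location read through the SSL_*_PATH variables). It is not code from docker-mailserver or from the issue author. Assumed names: CERT_SRC and KEY_SRC are the files written by the external certificate manager (for Caddy these would be the .crt/.key files under its data directory, whose exact layout is not part of this issue), DEST_DIR is the fixed location DMS reads, and the output file names cert.pem / key.pem are a convention chosen here. The copy is done atomically (write a temp file, then rename) and a file is only published if it is a complete PEM block, so a half-written certificate never reaches Postfix/Dovecot; the key is installed with mode 0600.

```shell
#!/usr/bin/env bash
# Hypothetical «extractor» for an external certificate manager (not DMS code).
# Assumptions: CERT_SRC/KEY_SRC are the manager's output files, DEST_DIR is
# the fixed location DMS points SSL_CERT_PATH/SSL_KEY_PATH at.
set -eu

# Content checksum; mirrors the checksum-based change detection DMS uses.
file_sum() { sha256sum "$1" | cut -d' ' -f1; }

# Refuse incomplete or non-PEM input (e.g. a file still being written).
looks_like_pem() {
  local file=$1 kind=$2   # kind: CERTIFICATE or "PRIVATE KEY"
  grep -q "BEGIN .*${kind}-----" "$file" && grep -q "END .*${kind}-----" "$file"
}

# Install src at dst only if content differs. Atomic: temp file + rename.
# Returns 0 = installed, 1 = unchanged, 2 = source missing/invalid.
install_if_changed() {
  local src=$1 dst=$2 mode=$3 kind=$4 tmp
  [ -s "$src" ] || { echo "extractor: missing or empty: $src" >&2; return 2; }
  looks_like_pem "$src" "$kind" || { echo "extractor: not a complete PEM: $src" >&2; return 2; }
  if [ -f "$dst" ] && [ "$(file_sum "$src")" = "$(file_sum "$dst")" ]; then
    return 1
  fi
  tmp=$(mktemp "${dst}.XXXXXX")
  cp "$src" "$tmp"
  chmod "$mode" "$tmp"
  mv -f "$tmp" "$dst"          # rename within one directory is atomic
  return 0
}

# One extraction pass. Returns 0 if anything changed, 1 if nothing did,
# 2 if either input is unusable (nothing is published in that case).
extract_once() {
  local cert_src=$1 key_src=$2 dest_dir=$3 changed=1 rc
  mkdir -p "$dest_dir"
  # Validate both inputs first so a cert is never published with a stale key.
  looks_like_pem "$cert_src" "CERTIFICATE" 2>/dev/null || return 2
  looks_like_pem "$key_src" "PRIVATE KEY" 2>/dev/null || return 2
  rc=0; install_if_changed "$cert_src" "$dest_dir/cert.pem" 0644 "CERTIFICATE" || rc=$?
  [ "$rc" = 0 ] && changed=0
  rc=0; install_if_changed "$key_src" "$dest_dir/key.pem" 0600 "PRIVATE KEY" || rc=$?
  [ "$rc" = 0 ] && changed=0
  return "$changed"
}

# Long-running mode: block on inotifywait (as proposed in the issue) rather
# than polling; falls back to a sleep loop if inotify-tools is not installed.
run_extractor() {
  local cert_src=$1 key_src=$2 dest_dir=$3
  extract_once "$cert_src" "$key_src" "$dest_dir" || true
  while true; do
    if command -v inotifywait >/dev/null 2>&1; then
      # Watch the directories, not the files: managers usually replace files
      # by writing a new one and renaming it over the old path.
      inotifywait -qq -e close_write -e moved_to -e create \
        "$(dirname "$cert_src")" "$(dirname "$key_src")" || true
    else
      sleep 30
    fi
    if extract_once "$cert_src" "$key_src" "$dest_dir"; then
      echo "extractor: new certificate material published to $dest_dir"
      # DMS's own checksum watcher would now notice the changed SSL_*_PATH files.
    fi
  done
}

# Entry point is guarded by an environment variable so the functions above
# can also be sourced and tested without starting the watch loop.
if [ "${EXTRACTOR_RUN:-0}" = 1 ]; then
  run_extractor "${CERT_SRC:?}" "${KEY_SRC:?}" "${DEST_DIR:-/certs/out}"
fi
```

Run it as EXTRACTOR_RUN=1 CERT_SRC=/path/to/site.crt KEY_SRC=/path/to/site.key DEST_DIR=/certs/out ./extractor.sh in the background; DMS's SSL_CERT_PATH and SSL_KEY_PATH would then point at /certs/out/cert.pem and /certs/out/key.pem. The validation step matters for the separate-container alternative too: whatever volume is shared, only a complete, matching pair of files ever appears at the fixed location.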

Labels

  • area/features
  • area/scripts
  • area/security
  • kind/improvement: Improve an existing feature, configuration file or the documentation
  • kind/new feature: A new feature is requested in this issue or implemented with this PR
  • meta/help wanted: The OP requests help from others - chime in! :D
  • stale-bot/ignore: Indicates that this issue / PR shall not be closed by our stale-checking CI