Adding LetsEncrypt Support to Web-server/Web-host Software

I’m currently working on adding support for TLS/SSL certificates within a piece of software I’ve been working on that is basically its own web server and web host all in one, written in Golang.

Here is the software (under development) that I am referencing.

I want to make it easy for clients to utilize certificates issued by LetsEncrypt through the CLI of CertBot. I started to look into the process of doing this and I just want to make sure I’ve understood correctly.

This software is most likely always going to be run on Debian-based Linux systems. During the install of the software referenced above, if I ensure that CertBot is installed (and if it's not, install it for them through a shell script), it should allow all clients that SSH into their /home/ directory to generate TLS certificates/keys through a few simple commands. I want to make sure my understanding is correct before I go through with implementing this feature.

Thanks!

Hi @george-e-shaw-iv,

If you’re going to handle the certificate management yourself, you might want to consider one of the other more lightweight clients. (You could also conceivably use one that’s already in Go.)

How do you anticipate that the users are going to prove their control over the domain name to the CA?

Well their domain will already be linked and serving out of a directory within their own /home/ directory which they have SSH access to. I could write a shell script to more or less automate the process of a temporary file being added to their document root to allow the CA to ensure that they actually control the domain.

I’m not going to lie, TLS/SSL are things, especially in a broad sense like this (in a server environment), that are very new to me.

Feel free to school me on this subject, I would appreciate it.

That sounds fine! How about configuring the web server to use the certificate after it’s obtained? Is there something running as root that will be able to take care of that?

Yes, within the domain router I'm looking for those certificates within their /home/ directory if someone attempts to access the site via the HTTP protocol; if they exist, I attempt to redirect them using HTTPS. I might also utilize the Strict-Transport-Security response headers to let the browser know that the site uses HTTPS and to do all of the redirection heavy lifting for me.

Should I utilize those headers by default, or have a toggle within the client’s web-hosting interface to allow those to be set? The only concern I have is if the certificates go out of date and the client doesn’t take action to update them in a timely manner, it would render the site useless to anyone who has visited the site previously and has set those flags within their browser.

Setting HSTS for other people without their knowledge is probably an unreasonable risk for them at this point, because they may not realize that they're incurring a commitment to maintain HTTPS service throughout the HSTS validity period.
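A sketch in Go of the router design discussed in this thread, added here as an illustration and not code from the project above; the file layout (a per-site certificate directory holding certbot's default fullchain.pem and privkey.pem) is an assumption. It keeps serving HTTP-01 challenge files from the document root even after the redirect is enabled (so renewals still validate), redirects to HTTPS only once a certificate is actually present, and leaves HSTS off unless the site owner has opted in, per the concern raised above.

```go
package main

import (
	"net/http"
	"os"
	"path/filepath"
	"strings"
)

// Site is one hosted domain; paths and file names are assumptions for this example.
type Site struct {
	Domain, DocRoot, CertDir string // e.g. /home/alice/www, /home/alice/certs
	HSTS                     bool   // per-site opt-in, off by default
}

// HasCert reports whether both the chain and the private key exist on disk.
func (s Site) HasCert() bool {
	_, errC := os.Stat(filepath.Join(s.CertDir, "fullchain.pem"))
	_, errK := os.Stat(filepath.Join(s.CertDir, "privkey.pem"))
	return errC == nil && errK == nil
}

// HTTPHandler is the plain-HTTP side: challenge files are always served so HTTP-01
// validation and renewals keep working; everything else is redirected only once a cert exists.
func (s Site) HTTPHandler() http.Handler {
	const prefix = "/.well-known/acme-challenge/"
	challenges := http.StripPrefix(prefix, http.FileServer(http.Dir(filepath.Join(s.DocRoot, ".well-known", "acme-challenge"))))
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch {
		case strings.HasPrefix(r.URL.Path, prefix):
			challenges.ServeHTTP(w, r)
		case s.HasCert():
			http.Redirect(w, r, "https://"+s.Domain+r.URL.RequestURI(), http.StatusMovedPermanently)
		default:
			http.FileServer(http.Dir(s.DocRoot)).ServeHTTP(w, r)
		}
	})
}

// HTTPSHandler sends HSTS only when the owner opted in: a 301 can be withdrawn,
// but a cached HSTS policy outlives a certificate the client let lapse.
func (s Site) HTTPSHandler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if s.HSTS {
			w.Header().Set("Strict-Transport-Security", "max-age=31536000")
		}
		http.FileServer(http.Dir(s.DocRoot)).ServeHTTP(w, r)
	})
}
```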
