I’m working on a PKI program for an alt-DNS root project (OpenNIC) and we were looking into various certificate issuance technologies. For very obvious reasons, our users can’t get SSL certificates from mainstream CAs like Let’s Encrypt itself. But I’m a big fan of the ACME protocol and your Boulder implementation, and I was considering setting it up with our own Root CAs so we could finally secure our network.
I see a few people speak of installing Boulder for various testing purposes, but I’m wondering if anybody else is running it from a more production standpoint (I suppose Let’s Encrypt is…). If so, how has it worked out so far and where might one get started configuring Boulder?
I’m no Go expert, unfortunately, so I may have to find some people to help me out, but hopefully Boulder is the solution I’ve been looking for!
Some interesting prior discussion of this can be found in this thread:
I agree that compatibility with ACME (and the existing clients) would be a nice thing for this use-case, so Boulder could be a good fit. That said, you'll probably need someone to become familiar with the code base and keep up with the ongoing development to operate Boulder in production successfully.
I can’t seem to find it, but not long ago I believe @jsha replied to sort of the same question from someone else, on the forum or perhaps on IRC. As far as I remember, the reply was something along the lines of Boulder being quite Let’s Encrypt specific and probably not suiting your needs. A tip was to look at CloudFlare’s PKI/TLS toolkit (CFSSL), which is probably more suited.
Can’t find any ACME integration into CFSSL though…
I can’t really tell, so correct me if I’m wrong, but it seems to me that CFSSL is more suited towards internal networks in companies, etc., where you have reasonable control over all the hostnames and endpoints. Whereas our network is more similar to an entire alternate internet. We allow anybody to register domains on our system and host them wherever (basically we have a bunch of domain registries that just aren’t recognised by ICANN roots), so the user base is spread out and not necessarily trustworthy.
That’s why I was looking into ACME clients and Boulder as a method of verification, because certbot has a --server flag I believe (or we could modify a third party ACME client to connect to our servers by default), so we could use existing tech to prove ownership in a way that clearly is already working, since it’s good enough for everyone here.
As @pfg said, I’ll probably have to find someone within our community that understands Go a bit more/look into it myself in greater detail. Obviously Boulder is very Let’s Encrypt centric, but when the ideal end goal is to build “Let’s Encrypt for OpenNIC” so to speak, it seems like a good option to try and get working.
That's correct - when we typically get this question it's for internal networks and Boulder/ACME don't really bring much value to that environment. For your use case it sounds like Boulder could be more applicable.
It does. We use the same flag for testing against local Boulder instances.
Please feel free to open issues on the repo if you find things that cause you headache. Our primary focus will always be Let's Encrypt centric but generally speaking good software is flexible so I'd hope we can help you out as well.
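To make the --server point above concrete, here is an added example (not code from the thread, Boulder or certbot) showing how a sysadmin would point certbot at a private ACME server such as a self-hosted Boulder. The directory URL, domain, webroot and CA bundle path are constructed placeholders. The only certbot flag the thread itself names is --server; the rest are standard certbot options. The script refuses a non-HTTPS directory URL, because the directory document is what tells the client where every other ACME endpoint lives, and fetching it in the clear would let anyone on the path substitute their own.

```shell
#!/bin/sh
# Added example: build a certbot invocation against a private ACME server.
# Assumptions (not from the page): the directory URL, domain and webroot
# below are constructed placeholders; replace them with your own values.

# Return 0 only for an https:// ACME directory URL. The client takes every
# other endpoint (newAccount, newOrder, ...) from this document, so it must
# be fetched over TLS.
validate_acme_dir() {
  case "$1" in
    https://*) return 0 ;;
    *)         return 1 ;;
  esac
}

# Print the certbot command for a given ACME directory, domain and webroot.
# Fails (exit 1) and prints nothing on stdout if the directory URL is rejected.
build_certbot_cmd() {
  acme_dir=$1
  domain=$2
  webroot=$3
  if ! validate_acme_dir "$acme_dir"; then
    echo "refusing non-https ACME directory URL: $acme_dir" >&2
    return 1
  fi
  printf 'certbot certonly --webroot -w %s -d %s --server %s\n' \
    "$webroot" "$domain" "$acme_dir"
}

# Constructed sample values (placeholders, not real hosts).
ACME_DIR="https://acme.example.invalid/directory"
DOMAIN="host.example.invalid"
WEBROOT="/var/www/html"

# Prints the command; pipe it to sh once the values are real.
build_certbot_cmd "$ACME_DIR" "$DOMAIN" "$WEBROOT"
```

One caveat for the private-root case: certbot talks to the ACME server over HTTPS, so the server's own TLS certificate has to chain to something certbot trusts. If that server certificate is issued under your own root, the usual approach (an assumption to verify against your certbot version) is to export REQUESTS_CA_BUNDLE pointing at a PEM file containing that root before running the command, so certbot's HTTP client accepts the chain instead of failing the TLS handshake.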
Thanks! You’re very helpful. I think the main issue will be me being more of a sysadmin than a programmer, and Boulder looks like it’ll need a few (or a lot) of modifications to be usable for us, but I’m sure I’ll find somebody to help me out in that regard; it shouldn’t be a problem.
I’ll be sure to post issues if we run into any trouble or find any bugs. Thanks again!