Software for large-scale integrations?


#1

Is anyone aware of existing software or libraries that are designed to help build large-scale Let’s Encrypt integrations?

I built a custom implementation for my employer, which handles issuance for hundreds of thousands of domains. I imagine that other SaaS and hosting providers have built similar systems.

It’s a shame that we’re all building systems like this from scratch. I imagine that our systems are pretty similar. It would be great if there was some software that providers could build upon, which was designed for extensibility.

I’m imagining something that would:

  • Provide an API where you could give it a list of domains that need certificates.
  • Manage the issuance and renewal of certificates.
  • Allow domains to be assigned to a group, so that they can be issued on a single certificate.
  • Intelligently batch domains in a group to minimize the number of certificates, if desired.
  • Have the ability to mark private keys as compromised, and automate the revocation and replacement of affected certificates.

I’m considering building something like this, but I’d rather contribute to an existing system if something already exists.


#2

Related to something I mentioned in another thread, you might want to look at https://letsdebug.net/ and its code base for sanity-testing whether issuance is likely to succeed (although there are a few tests in there that use CA resources and that an integrator should probably not run prospectively for every single issuance). You could also contribute other tests. This can help reduce the rate of unexpected failed issuances and maybe provide some kind of event logging that can feed back to a user or a support person.


#3

Agreed. Having done the ACME+platform integration dance once or twice now, there’s a lot of hidden things to deal with that you gradually discover (over the range of months and years). Turning this tribal knowledge into software would be great, and is part of the reason I created letsdebug.net.

autocert also essentially implemented the spirit of this idea.

It clearly lacks all of the interfaces required for things like multi-tenancy, certificate name grouping, revocation management, etc., but a simple interface that does heavy lifting is a need others have identified already.

If I had to do yet another integration, I would strongly consider just programmatically driving something like acmetool, which essentially just involves creating a bunch of files with

satisfy:
  names:
  - a.example.org
  - b.example.org

and just letting it do its job.

Again, as with autocert, it is missing some critical abilities, but I suspect that improving an existing ACME client (to turn it into a first-class non-interactive client) could be the better use of effort.

tl;dr; +1
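The feature list in #1 (an API that takes a list of domains, grouping, batching into as few certificates as possible, marking a key compromised and finding everything that must be revoked and replaced) and the "just write acmetool desired files" approach in #3 can be sketched in one small model. The following is an added example written for this thread; it is not code from the original posts, nor from acmetool, autocert or peter_sslers. It only decides what to issue: the ACME calls themselves are left to a real client. The key identifiers, group names and `host000.example.org` style hostnames are constructed; the 100-name limit per certificate is Let's Encrypt's published cap on subject alternative names.

```python
"""
Added example (not from the thread): an in-memory model of the manager post #1
describes, producing the acmetool-style desired files post #3 quotes.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

# Let's Encrypt caps a single certificate at 100 subject alternative names.
MAX_NAMES_PER_CERT = 100


@dataclass
class Certificate:
    cert_id: str
    names: List[str]
    key_id: str          # hypothetical handle to the private key in a key store
    revoked: bool = False


@dataclass
class CertManager:
    groups: Dict[str, List[str]] = field(default_factory=dict)
    certs: Dict[str, Certificate] = field(default_factory=dict)
    compromised_keys: Set[str] = field(default_factory=set)

    def add_domains(self, group: str, domains: List[str]) -> None:
        """API entry point: register domains that need coverage, in a group.
        Names are normalised (lower-case, no trailing dot) and de-duplicated."""
        seen = set(self.groups.setdefault(group, []))
        for d in domains:
            d = d.lower().rstrip(".")
            if d not in seen:
                self.groups[group].append(d)
                seen.add(d)

    def batch(self, group: str, max_names: int = MAX_NAMES_PER_CERT) -> List[List[str]]:
        """Split a group into the fewest certificates that respect the SAN limit."""
        names = sorted(self.groups.get(group, []))
        return [names[i:i + max_names] for i in range(0, len(names), max_names)]

    def plan_issuance(self, group: str, key_for_batch: Callable[[int], str]) -> List[Certificate]:
        """Create one Certificate record per batch.
        key_for_batch(index) returns the (hypothetical) key id that will sign batch `index`."""
        created = []
        for i, names in enumerate(self.batch(group)):
            cert = Certificate(cert_id=f"{group}-{i}", names=names, key_id=key_for_batch(i))
            self.certs[cert.cert_id] = cert
            created.append(cert)
        return created

    def mark_key_compromised(self, key_id: str) -> List[str]:
        """Flag a key and return the ids of every live certificate that must be
        revoked and re-issued under a fresh key."""
        self.compromised_keys.add(key_id)
        affected = []
        for cert in self.certs.values():
            if cert.key_id == key_id and not cert.revoked:
                cert.revoked = True      # a real system would call ACME revoke here, then reissue
                affected.append(cert.cert_id)
        return affected

    def render_acmetool_desired(self, cert: Certificate) -> str:
        """Render the acmetool 'desired' file layout quoted in post #3."""
        lines = ["satisfy:", "  names:"] + [f"  - {n}" for n in cert.names]
        return "\n".join(lines) + "\n"


if __name__ == "__main__":
    m = CertManager()
    m.add_domains("tenant-a", [f"host{i:03d}.example.org" for i in range(250)])  # constructed
    certs = m.plan_issuance("tenant-a", lambda i: f"key-{i}")
    print([len(c.names) for c in certs])            # three certificates: 100, 100, 50 names
    print(m.mark_key_compromised("key-0"))          # ['tenant-a-0'] must be revoked and re-keyed
    print(m.render_acmetool_desired(certs[2]), end="")
```

The batching is greedy (sorted names, fixed-size slices), which is optimal for a plain "fewest certificates" objective; a real integration would also pin names to their existing certificate across renewals so that adding one hostname does not reshuffle a whole group.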


#4

Detecting and handling the conditions that cause authorization or issuance failures is definitely one of the more challenging parts of building a robust system. letsdebug and that other thread are pretty interesting.

Thanks for the pointers.


#5

I have a white-label PaaS/SaaS at work. We released a tool internally developed for the v1 protocol called PeterSSLs https://github.com/aptise/peter_sslers

It’s a small web-based, SQL-based certificate manager + client, with integration against OpenResty+Redis for automatically loading certificates on the fly.

We run it on a central node, with other machines proxying HTTP auth onto it and querying it for certs OR telling it to obtain/track a cert. It works well enough.

Caveats that I recall:

  • HTTP auth only (no DNS)
  • ACME v1, not v2
  • It uses openssl via Python’s popen to handle all the SSL work. This was a design choice at first, but now a pain. (Wanted to ensure the system openssl could read/handle everything.)
