OpenLiberty / open-liberty

Open Liberty is a highly composable, fast to start, dynamic application server runtime environment
https://openliberty.io
Eclipse Public License 2.0
1.14k stars 587 forks

Out-of-the-box OpenLiberty support for letsencrypt.org TLS certificates? #2930

Open hrstoyanov opened 6 years ago

hrstoyanov commented 6 years ago

The very popular letsencrypt.org offers free (relatively short-lived) SSL certificates. It implements the ACME protocol (see also ACME4J) to obtain/renew certificates, which would need to be implemented by OL, but is not compatible with the clunky keystore file approach. Any plans to seamlessly integrate with letsencrypt/ACME?

NottyCode commented 6 years ago

I'm not going to go as far as to say plans, but I agree it would be a cool thing to do. I think one reason it hasn't been done in the past is because app servers are often deployed with the SSL being terminated ahead of the application server, at which point it wouldn't be useful.

hrstoyanov commented 6 years ago

So what is the status of this? This month (July 2018) Chrome starts warning users when visiting sites that use HTTP. Therefore, if one wants to use OL and the free and awesome letsencrypt.org, she will have to put a letsencrypt-friendly proxy (Apache/NGINX), which is pretty ugly and redundant.

hrstoyanov commented 6 years ago

@aguibert, @acdemyers Any hope for this feature? As you know, Google Chrome will mark all HTTP connections as unsafe with the next Chrome release. letsencrypt.org offers a free way to secure a web app.

Without built-in support in OL, one has to:

  1. Frontend his/her OL-based web app with Apache or NGINX (which already integrate smoothly with letsencrypt) or even Istio.

  2. Switch back to the old way of purchasing certificates, building key stores, etc.

acdemyers commented 6 years ago

@hrstoyanov This is still under consideration.

jtmulvey commented 5 years ago

As Alaine mentioned, this support is under consideration. At the moment it's in a prototype stage and the design will begin shortly.

tevans78 commented 5 years ago

This issue is still being investigated.

acdemyers commented 5 years ago

This is still being investigated.

tevans78 commented 5 years ago

Ongoing

jtmulvey commented 5 years ago

Most of the design work on this item is completed and we're starting to evolve the prototype to real implementation. It should be delivered soon (two or three months).

acdemyers commented 4 years ago

Being worked under #9017

jtmulvey commented 4 years ago

@hrstoyanov We are very close to delivering this support. Any interest in trying this support out pre-GA?

hrstoyanov commented 4 years ago

Will try depending on my time, thank you very much!

/Hristo Stoyanov

On Tue, May 5, 2020, 13:17 James Mulvey notifications@github.com wrote:

@hrstoyanov https://github.com/hrstoyanov We are very close to delivering this support. Any interest in trying this support out pre-GA?

inad9300 commented 1 year ago

Has this been completed? Is Automatic certificate management with ACME the result of this work, or is what you want to accomplish here something else?