docs: We need to mention why Let's Encrypt can't work

[paulproteus]

Context:

• @nbraud just asked me if we can issue Let's Encrypt certs for each grain/app/session/etc.

Proposal:

• We should probably make https://docs.sandstorm.io/en/latest/search.html?q=let%27s+encrypt provide some relevant info.
• Perhaps we should dig up the info from that email list thread and put a summary on https://docs.sandstorm.io/en/latest/administering/wildcard/

[voidplayer]

certbot for main domain and sandcats wildcard cert for the random domains using a reverse proxy is some optimal configuration using certbot for those who want to go the extra mile configuring it

[paulproteus]

I am under the impression that if you do this, the grain-frames will not be able to set their cookies if the user has "block third-party cookies" enabled in e.g. Chrome: https://support.google.com/chrome/answer/95647

I believe that's a somewhat common configuration, but who knows, but if people try it, now you know one possible reason it might not work.

[voidplayer]

Good catch!

It works on firefox because I guess it doenst block third party cookies

I was using cookie monster that block third party cookies and doesnt allow you to white list a domain, just allow them globally. Im a heavy firefox profile user and so I created a profile without cookie monster for sandstorm and it works for me(tm)

If you are willing to go the extra mile configuring it, i believe its an optimal configuration for self-hosting, since it allows you to have a cert for your own domain and the wildcard are only used with websockets (virtually invisible for the final user)

At least until wildcard certs are available from certbot (hint: they are not even in their roadmap). Startssl have tools to autogenerate wildcard certs right now (similar to what certbot does), but they ask you a lot of data beyond proving you are in control of the domain, which make them useless to me

[paulproteus]

Thanks!

Do note that the wildcard hosts are also used for regular HTTP, not just WebSockets; see also https://docs.sandstorm.io/en/latest/developing/path/ .

[kentonv]

Ironically, in the early days of Sandstorm we primarily saw this problem on Firefox (which seemed to block third-party cookies by default) and not on Chrome (which didn't, at the time).

[xet7]

@paulproteus @kentonv

Now that Caddy 0.9 supports Wildcard SSL with max_certs option added, would it be possible to use Sandstorm with Caddy?

https://caddyserver.com/docs/tls

https://forum.caddyserver.com/t/wildcard-automatic-ssl-certificates/355

[zarvox]

@xet7 It's possible that you'd be able to set it up, but I recommend against doing so because:

• you'd hit LetsEncrypt's ratelimits (something like 20/week, per https://letsencrypt.org/docs/rate-limits/ ) quite quickly, at which point all interaction with grains or anything else on the randomly-generated would probably fail entirely. Remember that Sandstorm creates a new domain for every user session of every grain, for reachability self-tests, for each API endpoint, for each static publishing endpoint, for its own static assets, and for identicons, so you could easily blow through your limit in less than a minute of usage.
• you'd still be leaking the subdomains to the Certificate Transparency logs, which means you lose one of Sandstorm's defense-in-depth mechanisms, as well as making all static publishing URLs public by default
• even if it all that works, and you keep your usage below the ratelimits, you'd still be incurring the cert-generation latency every time you or anyone else opens up a grain, so add the LE validation + issue latency (which for me is usually two digits of seconds latency) to every time you open a grain.

Dynamic provisioning of per-hostname certs really isn't viable here.

[nbraud]

@xet7 To complete @zarvox's reply: those are not wildcard certs: Caddy just acquires the cert on-demand

[xet7]

@zarvox

Would it be possible to use Caddy instead of sniproxy in front of Sandstorm, so that Caddy would use sandcats.io SSL cert for sandcats subdomains in Caddyfile TLS options , and then have some Caddy Let's Encrypt domains proxy to Sandstorm grain WordPress static hosting files and SandForms survey pages?

[paulproteus]

Hi @xet7 ,

It looks like using caddy instead of sniproxy would be totally fine, for static publishing domains!

[voidplayer]

wildcard certificates are coming to certbot jan next year!

https://letsencrypt.org/2017/07/06/wildcard-certificates-coming-jan-2018.html

[ocdtrekkie]

@voidplayer Yup! We've got a thread on sandstorm-dev about it already :D