sasa1977 / site_encrypt

Integrated certification via Let's encrypt for Elixir-powered sites
MIT License

Feature request: Support using existing certs in manual mode #35

Closed lawik closed 3 years ago

lawik commented 3 years ago

I have a client with an on-prem product. Some people will deploy the solution on an internet-facing host and then we can use SiteEncrypt just fine. If they want to do SSL-termination and just HTTP we can use the HTTP port and keep SiteEncrypt on manual. Maybe not even start the HTTPS port.

But if they want to bring their own certificate I think it would be neat to be able to provide them to SiteEncrypt and SiteEncrypt can slurp them into the DB-shape it likes.

I read in some other thread that this is doable by manipulating the db-structure but I'd rather be on an intended track.

Does this make sense? Worth a PR?

sasa1977 commented 3 years ago

If they want to do SSL-termination and just HTTP we can use the HTTP port and keep SiteEncrypt on manual. Maybe not even start the HTTPS port.

Yeah, in this scenario I don't see the point of using SiteEncrypt. It could still be useful to start the HTTPS port in local dev, but then I'd use a self-signed certificate (which would be committed in GH repo) and hardcode the HTTPS config.

But if they want to bring their own certificate I think it would be neat to be able to provide them to SiteEncrypt and SiteEncrypt can slurp them into the DB-shape it likes.

So if I get this right, in this scenario there is a valid certificate obtained through other channels (and possibly even from other provider), and you'd like to start with that certificate, but then going forward the system would obtain new certificates using SiteEncrypt?

lawik commented 3 years ago

Ah, not quite.

So I want to support three scenarios depending on runtime config:

So to support all of these SiteEncrypt needs to exist in the built release. Maybe I'm missing an obvious way to configure it to be inactive. I'll admit I haven't dug through how the certification function actually makes the stuff happen.

sasa1977 commented 3 years ago

Sorry for the late response, things have been hectic here.

I wonder if this could already be done without any changes to SiteEncrypt:

For HTTP without SSL, you could use the :manual mode and skip {:ok, SiteEncrypt.Phoenix.configure_https(config)} in the endpoint init callback. For custom SSL, instead of invoking configure_https, you can return your own SSL settings.

Alternatively, instead of using the :manual mode, you could skip SiteEncrypt altogether. During the app boot, depending on runtime config (e.g. OS or app env), you either provide {SiteEncrypt.Phoenix, MyEndpoint} or just MyEndpoint as a childspec in the supervisor tree.

Does that make sense?
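
The two suggestions above combined into one runtime switch, as an added example that is not code from the site_encrypt project or from this thread. It assumes a hypothetical `:tls_mode` app-env key (`:none`, `:custom` or `:site_encrypt`, e.g. set from an OS env var in `config/runtime.exs`), the module names `MyApp.Application` / `MyApp.Endpoint`, and `TLS_CERTFILE` / `TLS_KEYFILE` env vars for operator-supplied files; the `SiteEncrypt` `certification/0` callback that the `:site_encrypt` path needs is omitted.

```elixir
# lib/my_app/application.ex (excerpt): second suggestion, SiteEncrypt is
# only in the supervision tree when the deployment actually wants it.
defmodule MyApp.Application do
  use Application

  @impl true
  def start(_type, _args) do
    endpoint_child =
      case Application.get_env(:my_app, :tls_mode, :none) do
        # :tls_mode is a hypothetical runtime config key (see lead-in)
        :site_encrypt -> {SiteEncrypt.Phoenix, MyApp.Endpoint}
        # plain HTTP or bring-your-own certificate: endpoint only
        _ -> MyApp.Endpoint
      end

    Supervisor.start_link([endpoint_child],
      strategy: :one_for_one, name: MyApp.Supervisor)
  end
end

# lib/my_app_web/endpoint.ex (excerpt): first suggestion, decide in the
# endpoint init callback whether configure_https is invoked at all.
defmodule MyApp.Endpoint do
  use Phoenix.Endpoint, otp_app: :my_app
  # ... plugs omitted ...

  @impl Phoenix.Endpoint
  def init(_key, config) do
    config =
      case Application.get_env(:my_app, :tls_mode, :none) do
        :none ->
          # SSL terminated upstream: serve HTTP only, drop any :https config
          Keyword.delete(config, :https)

        :custom ->
          # operator-supplied certificate handed straight to the listener;
          # hypothetical env var names for the PEM file paths
          Keyword.put(config, :https,
            port: 443,
            cipher_suite: :strong,
            certfile: System.fetch_env!("TLS_CERTFILE"),
            keyfile: System.fetch_env!("TLS_KEYFILE")
          )

        :site_encrypt ->
          # let SiteEncrypt inject the certificate it manages
          SiteEncrypt.Phoenix.configure_https(config)
      end

    {:ok, config}
  end
end
```

For the `:custom` path, a certificate issued with intermediates needs the chain supplied as well (the `cacertfile` ssl option), otherwise clients that lack the intermediate will fail validation.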

lawik commented 3 years ago

Cool, that gives me everything I need and the second suggestion makes me facepalm because that seems like something I should have realized :D

Thanks