sipcapture / heplify-server

HEP Capture Server for HOMER
https://sipcapture.org
GNU Affero General Public License v3.0

heplify-server generates a Certificate Authority #436

Closed rlaager closed 3 years ago

rlaager commented 4 years ago

Why is heplify-server generating a certificate authority and dynamically generating certificates based on the specified SNI?

I expected it to load a certificate. That is, I have a real certificate (from Let's Encrypt) that I want to use with heplify-server. This does not seem to be a configuration that is supported.

negbie commented 4 years ago

No good reason. Mostly because of laziness and I totally agree that it would be better to introduce two new flags for cert and key.

negbie commented 4 years ago

Btw. did you try to name your cert and key like the generated ones? As far as I remember I only generate a new one if I can't find a cert and key in that folder.

negbie commented 4 years ago

Maybe instead of introducing two new flags it would be enough to mention in the readme that the user could just put his cert+key with the right name into the heplify-server folder. What do you think?

rlaager commented 4 years ago

Yeah, I named the files heplify-server-key.pem and heplify-server-cert.pem. But the code expects to use those as a CA rather than as a server certificate/key. Unless there is a strong need for the CA approach, I think that is fundamentally wrong and should just be replaced by the server certificate approach. The CA approach seems to be attempting to solve some problem around SNI (automatically issuing server certificates for SNI). The typical way this is handled is to take multiple cert/key pairs for the various SNI names. That would require either more complicated configuration grammar or a directory where the certificate/key files are named with the SNI.

negbie commented 4 years ago

Ah yes, forgot that already. No, there is no strong need for the CA approach. I did it mostly because I wanted something like what you describe in your last sentence with the directory approach, but did not finish it.

bashtheshell commented 1 year ago

Can we please reopen this issue or do I need to create a separate issue?

I tried to look into this to see if I can create a PR, but I'm not familiar with Golang, let alone haven't done SSL/TLS programming, to be able to contribute with the limited amount of time I have. I've been at this for weeks, and I struggled to understand why the executable went through this particular function when the non-CA certificates are already provided in the appropriate directory.

lmangani commented 1 year ago

@bashtheshell please open a new issue; you can reference this one in case of need.