valters / play-acme-protocol

Instantly set up Let's Encrypt HTTPS certificate for your PlayFramework app and start serving HTTPS.
Apache License 2.0

Use as library in Play? #1

Open wsargent opened 7 years ago

wsargent commented 7 years ago

Hi Valters,

Really like what you've done with the setup -- would you be able to generalize this into Play itself, so that Play applications could use HTTPS automatically, as a sample project? What do you think would be the best way to set up a Play application?

Ideally we'd put this into the starters and seeds at Play: https://playframework.com/download#seeds so it could be something that people could disable as need be, but would be "secure by default".

wsargent commented 7 years ago

Adding https://github.com/playframework/playframework/issues/7072 as play issue tracker

valters commented 7 years ago

Hi Will,

Yes, I would love to see this idea become part of Play. There are a few things to think about for now:

1) Certificate renewal.

I have not figured this out completely yet. (When the time comes to renew the cert for the first time, I guess I will figure it out.) The thing is, from the docs I kind of gather that they give you a new cert, you replace the old cert in your keystore, and you are good to go (possibly after restarting the server). But is that really so? Won't the browsers start complaining about the cert suddenly being different? Was there some sort of chaining scheme required, where the new cert is somehow added on to the previous cert?

I don't completely get this, but probably will need to read up on what exactly Certbot does, and how exactly browsers handle it.

2) For the late endgame I would love to fix up a custom "SSL provider" to allow seamlessly retrieving the first certificate on a clean start (I mean, the app can start serving HTTPS without scary warnings, similar to how Play will auto-generate a self-signed cert if you request starting with HTTPS but nothing else is configured. Play self-configures.)

3) Dependencies:

3.1) JOSE/JWT library for signing ACME requests. The JWT signing of JSON is fairly straightforward; in fact it can be implemented as a couple of methods (Base64 + BouncyCastle), and the Nimbus library I used is somewhat overkill - it tries to be everything for everybody. We just need the subset that is required to talk to ACME. Maybe there is a smaller lib that Play officially prefers that can do JWT?

3.2) Probably will require Bouncy Castle for crypto. (But isn't that a default already anyway?)
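To make point 3.1 above concrete, here is an added example (not code from play-acme-protocol or from either commenter) of the JWS subset an ACME client actually needs, written against the plain JDK: a flattened JWS (RFC 8555 section 6.2) with a protected header carrying `alg`, `nonce`, `url` and either the account `jwk` (for newAccount) or the account `kid` (for everything else), plus the RFC 7638 JWK thumbprint used in challenge key authorizations. It uses only `java.util.Base64` and `java.security` (the JDK's own SunRsaSign provider implements `SHA256withRSA`, so not even Bouncy Castle is required for RS256). The URL, nonce and contact address are constructed sample values; a real client takes the nonce from the server's `Replay-Nonce` header and the URL from the ACME directory, and should JSON-escape header values rather than concatenate them as done here for brevity.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.Signature;
import java.security.interfaces.RSAPublicKey;
import java.util.Base64;

/** Minimal ACME (RFC 8555) request signing using only the JDK. Added example, not the project's code. */
public final class AcmeJws {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();

    static String b64(byte[] in) { return B64.encodeToString(in); }
    static String b64(String s) { return b64(s.getBytes(StandardCharsets.UTF_8)); }

    /** Unsigned big-endian bytes of a BigInteger, as JWK requires (strip the sign byte BigInteger may add). */
    static byte[] unsigned(BigInteger i) {
        byte[] b = i.toByteArray();
        if (b.length > 1 && b[0] == 0) {
            byte[] t = new byte[b.length - 1];
            System.arraycopy(b, 1, t, 0, t.length);
            return t;
        }
        return b;
    }

    /** RSA public JWK (RFC 7517). Members are emitted in lexicographic order with no whitespace,
     *  which is the canonical form RFC 7638 hashes for the thumbprint. */
    static String jwk(RSAPublicKey pub) {
        return "{\"e\":\"" + b64(unsigned(pub.getPublicExponent()))
             + "\",\"kty\":\"RSA\",\"n\":\"" + b64(unsigned(pub.getModulus())) + "\"}";
    }

    /** JWK thumbprint (RFC 7638); the key authorization for a challenge is token + "." + thumbprint. */
    static String thumbprint(RSAPublicKey pub) throws GeneralSecurityException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(jwk(pub).getBytes(StandardCharsets.US_ASCII));
        return b64(digest);
    }

    /**
     * Flattened JWS JSON serialization as ACME expects. kid == null means "identify the account by jwk"
     * (only valid for newAccount); otherwise the account URL is sent as kid. An empty payload is the
     * POST-as-GET form (RFC 8555 section 6.3), whose payload member is the empty string.
     */
    static String sign(KeyPair account, String url, String nonce, String kid, String payloadJson)
            throws GeneralSecurityException {
        String keyField = kid == null
            ? "\"jwk\":" + jwk((RSAPublicKey) account.getPublic())
            : "\"kid\":\"" + kid + "\"";
        String header = "{\"alg\":\"RS256\"," + keyField + ",\"nonce\":\"" + nonce + "\",\"url\":\"" + url + "\"}";
        String protectedB64 = b64(header);
        String payloadB64 = payloadJson.isEmpty() ? "" : b64(payloadJson);

        // The signature covers the ASCII bytes of BASE64URL(header) || '.' || BASE64URL(payload).
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(account.getPrivate());
        sig.update((protectedB64 + "." + payloadB64).getBytes(StandardCharsets.US_ASCII));

        return "{\"protected\":\"" + protectedB64 + "\",\"payload\":\"" + payloadB64
             + "\",\"signature\":\"" + b64(sig.sign()) + "\"}";
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair account = gen.generateKeyPair();   // the ACME account key; persist it, it identifies you to the CA

        // Constructed sample values for illustration only.
        String newAccountUrl = "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct";
        String nonce = "constructed-nonce-value";
        String payload = "{\"termsOfServiceAgreed\":true,\"contact\":[\"mailto:admin@example.com\"]}";

        System.out.println(sign(account, newAccountUrl, nonce, null, payload));
        System.out.println("thumbprint: " + thumbprint((RSAPublicKey) account.getPublic()));
    }
}
```

Every later request reuses `sign` with the account URL returned in the newAccount `Location` header as `kid` and a fresh nonce per request; the CA rejects a reused nonce, which is the replay protection the `nonce` header field exists for.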

wsargent commented 7 years ago

I am addressing JWT support through https://github.com/playframework/playframework/pull/7053 for session cookies, since that is the library with the most minimal dependency footprint.