New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature request: combined privkey and fullchain file for jabber servers #5087
Comments
I think this makes sense, and has been requested in #1250. Additionally we've discussed the design of this in #1201. |
Thanks for the response and links. So, there is a possible additional case for lighthttpd that requires only privkey and cert to be bundled but not chain... Actually, even jabberd2 can take an additional chain file (I'm not sure whether it could be equally happy with and without chain in the combined one). We should try and list all the funny formats to figure out whether there are any more cases (different concatenation order required or something) but hopefully we can make do with just two files (privkey + cert and privkey + cert + chain). Question of naming those files got even more complicated. privkeycert.pem and privkeyfullchain.pem, maybe? (The latter sounds gross but is more or less consistent with current naming convention and it's intuitively easy to guess what's inside and in which order.) I'd say let's generate those files by default unless various servers need more than these two formats. And if there are too many possibilities, we should make a flag that sets extra formats required (something like I'm gonna do some research on formats servers expect and report back in a few days. |
Awesome - let me know what conclusions you come to! |
While I think we should do something here, I think implementing this will be somewhat controversial within the Certbot team. Here's a post from @schoen, the most active member of the Certbot team on Let's Encrypt's community forum, saying that using the wrong file is the most common post-issuance problem. I feel like adding more files here (at least by default), will just exacerbate this issue. That's not to say we can't do this, just that it should be designed carefully to avoid confusion from sysadmins of any skill level. @SwartzCr, is there are a reason to keep both this issue and #1250 open or can they be consolidated into a single issue? |
I'd be happy with having all cert bundling issues bundled into one issue about cert bundling |
Brad, I agree, it should be designed carefully. That's why I opened this ticket to discuss design and reach agreement on things instead of starting coding right away.
And if we decide that optional bundling is less confusing, that's also an option (I'm pretty sure I can use it either way, the question is what is more useful for average users and more secure). We could also document recommendations for popular server software (I'm still doing that research I wanted to do), which files should be used for what. Or something else, maybe.
However we do it, I'm pretty sure some kind of built-in bundling should produce fever errors than hooks or, worse, wrapping renew command into a script that rewrites bundled files and does other unconditional things (which was a common pattern with older versions, before renew-hook).
|
I appreciate that and your interest in working on this topic all together. Again, I definitely think we should do something here.
I completely agree with this. Despite my concerns with creating these files by default, if we can do this in a way where we feel confident we'll avoid confusion for most people, I'm fine with this approach. If we don't think we can make the differences between the files clear though, I think the user should be able to configure which files get created. If we go this route, it's slightly unfortunate from a consistency point of view that we currently create |
My instinct is that we could add extra files if and only if the user requests them with a CLI flag. There would be some architectural decisions to make about how these options are controlled by Authenticators and Installers. Conceptually it makes sense to make the new files at auth time, but installers (for instance, a hypothetical jabberd installer) might sometimes want to enable these options on the user's behalf, with somewhat tricky consequences. |
I think that was basically a restatement of this comment. We should close either that old issue or this new one as a dupe perhaps :) |
Per #5643 , this would also be useful for courier-imap. |
Stumbled on this exact problem, ran into this bug. A far greater problem than using the wrong file is not having a file at all - which totally destroys the point of letsencrypt existing in the first place. Both jabberd and certbot have taken opposing ideological stands, and the people who lose out are end users like us who find certificate deployment way harder than it needs to be. Certbot already provides four different files, providing a fifth option (and a PKCS12 option) is in no way making the situation worse. |
This script is a workaround, but warning - it creates a file in the live directory instead of symlinks, which is non ideal. `[root@localhost ~]# cat /etc/letsencrypt/renewal-hooks/deploy/fullchainprivkey cat "$RENEWED_LINEAGE/fullchain.pem" "$RENEWED_LINEAGE/privkey.pem" > "$RENEWED_LINEAGE/fullchainprivkey.pem" ` |
Not to be a Bumping Betty, but is there any progress on this? I see the point of having a discussion, but arguments have been made, counter-arguments have been made... then a year of silence. Does anyone have the authority to make a final decision? It's a simple implementation, desperately needed for people who use lighttpd and similar, and it's lingered in the discussion phase for three years. |
There has not been. In the duplicate issue about this I said:
Also, while this is already referenced above, if anyone needs help coming up with a workaround for now, you can see my comment at #1201 (comment). |
OK... cool. I'm not a python expert, but I know how to concat strings. 😃 Never contributed to open source before either but I'll give it a whirl. I have one question: What should the new file be called? Some workarounds I've seen cat the file into |
That'd be great @keith24! I recommend you look through the discussion in this issue, #1250, and #1201 and write up a short proposal for how this work (e.g. is the file created by default?) and include a suggestion or two for the name of the file. Like you alluded too, concatenating strings is pretty easy, but there's been a lot of concerns about different aspects of the design here. |
OK. I read through those discussions. Here are some questions that came up, and my proposals:
Are there other concerns I missed? Does anyone have an issue with the proposals? I see arguments going both ways but I'd like to see something actually happen rather than an eternal debate. |
Regarding point 3: These are longer, but seems more clear to me: That said, I certainly wouldn't cry over your original suggestion. I'd far rather have the file than not. :-D Regarding points 1 & 2: I'm in total agreement. |
Just a little contribution. Since key is appended before the fullchain, name should be |
Yeah, I also thought about That raises another concern... Does the order matter? Do any of the servers expect the key or the chain to be first in the file? All the workarounds I've seen put the chain first... |
OK, the key goes first. I like the underscore... Its readable too. |
Our concern here isn't the computational complexity of catting 2 files. It's a UX and project design concern for the overall project.
Although I personally disagree with this point-- I think that the name |
While we'd still like help designing and implementing this, I'm assigning @sydneyli as she volunteered to help from our end with the design here. |
@Harvie |
I think it would be better to send a patches with the fullchain support to all the legacy programs. As far I see some of them like lighttpd already support this. |
This problem (and problems like it) annoyed me so much I made this to solve it: Suck in the certs generated by certbot, write out the certs/chain/root/keys in whatever weird combination required as a one liner. Test it here: https://source.redwax.eu/svn/dist/rt/dev/, binaries here: https://copr.fedorainfracloud.org/coprs/redwax/rt/ |
Sorry for the stupid question: what was the initial purpose to store priv key, public cert and chain separately? You anyway can't establish TLS connection without all of them. Having the three files (ok two if use fullchain) increases complexity. |
But you can't really get complete list of such applications and you cannot be sure their community will allow for easy 3rd party contributions. Not everything is FOSS. If you fix it in certbot, you only have to fix it in single place and the fix will be easy. Otherwise you have to fix it in every app that is out there, which seems rather hard. Imagine that 5 years from now you will need some obscure application which has not been fixed yet, because you haven't used it so far. If we fix now in certbot, there will be no problem. Otherwise you will have to get that fixed once again in some weird app and live for two years with custom build of that app until it gets merged to Debian. |
Thank you @Harvie, I totally agree with you. I don't insist to force everyone to use a single file with all certs. But if I understood correctly this would be a good "default" option. Even more: the lighttpd, postfix and some other apps like emailrelay initially expected such a single file with all needed included. |
maybe that filename should contain |
I just googled and it looks like mentioned here postfix, lighttpd and ejaberd now supports specifying both privkey and fullchain separately without a concatenation. So the issue is not that important anymore. The question is remains if the single all-in-one cert file makes sense. Except of the single For the Apache HTTPD you can actually use such all-in-one file for the SSLCertificateKeyFile config. But there said:
I think that reasons why it's discouraged was the same as mentioned here. Still this is an open question Why store Apache SSL certificate and private key in separate files?. Interesting that looks like such pubpriv pem files aren't specified anywhere. For Windows and ISS web server you can import only a .pfx file which is PKCS12 archive that contains fullchain and privkey. Such a file has an advantage that it's recognized by Explorer and you can easily import it by a double click. Also you may set a password for it. This is a binary format so it uses less space. But it can't be just written somewhere in configs. I don't think that's so important. BTW Windows Explorer doesn't know about the |
Confirming: lighttpd has supported Aside: lighttpd has also supported TLS-ALPN-01 verification challenge (https://wiki.lighttpd.net/HowToSimpleSSL) since Jan 2019, but you have to use |
I've just come across this thread after searching for a way of doing this for my SIP server - flexisip. It requires a combined cert and private key file for TLS connections. |
@RaddishIoW oh. you must be new here :-D |
Haha - yes, reading the thread it would seem this is not something that will happen soon.. I did however go on to discover post-deploy hooks, so am using a shell script to |
@RaddishIoW instead you can ask or send a PR to the flexisip. I asked an author of EmailRelay to do that and he implemented easily. |
I still don't get this "we're right and everyone else is wrong" idea... Why everyone else should be adapting to behaviour that can easily be fixed in single point? |
So, I have moved my old certbot-extra-formats into a standalone repo. |
After 7 years could you make a decision to implement this or not? Personally I think FOSS should make our lives easier not harder. |
@mrx23dot which app are using that still can't accept two files? |
All the tutorial for lighttpd was written using the merged pem, so this will resurface again and again, even though it has been fixed as I read. I don't know about you but I wouldn't waste a minute more on this, there are more important things to do. There is no security implication generating: If you insist: |
@stokito wrote:
The problem is not restricted to the question whether the application can or cannot accept two files. Having everything in a single file has other benefits, too. For example, Postfix can accept two files (or even three files with key, own cert and chain), but a single file is recommended due to the option to exchange the file atomically. I quote from #9915 which has just been marked as duplicate:
And yes, I can try to implement my own shell script and then call it from the post deployment hook, but as Certbot already creates four files it shouldn't be that difficult to create another fifth file and solve that aspect at its root. |
The problem may occur only if:
This is highly unlikely and other servers doesn't care.
If you came here and asking for a help and someone proposed a help to you then better to spend a minute. I already contributed to one server to implement the separate key and cert files support and can help with others. If you are using lighttpd you already have a solution and you can save your precious minutes.
But even if the LE will implement this you anyway have to upgrade to use new feature. |
@stokito wrote
Not quite. Postfix does not need to be restarted to read the new key and old cert. Postfix uses multiple processes to serve client requests. A Postfix "worker" process (term coined by me) lives for a certain amount of requests. After that the process dies and a new worker process is spawned. When such a worker process is started, it picks up the current key and cert file. That is why the documentation says
Per default each worker process serves 100 requests. See Postfix Configuration Parameters – And no, with a high-volume mail server which handle several 100 mails per minute, the chances are not so low that a new worker process is spawned just while Certbot renews the certificate.
I do that right now, but this solution is far from optimal, because this means that there is a short period of time during which Postfix does not respond to new connections. It would be much better if certificate renewal was atomic. |
You better to report this to Postfix as a bug. They should ether change their weird pseudo unix architecture (unlikely) or check a timestamp of both files and wait for the cert to be updated. Instead of waiting they can use an old key even if it's file was overwritten. basically you can use an old cert for days before it gets expired. See, even the one file write is not atomic. You may use inotify to see that actually a lot of things may happen before the That's why the only guaranteed signal is a renewal hook. |
As long as you create temporary file and then mv it to destination (which often times is the only correct thing to do) it is extremely atomic. (unlike moving two files). |
Everyone things everyone else should solve the problem. I eventually solved it like this:
Point --pem-in at wherever the certs and keys are. Postfix certs, keys, ca certs are written key first in files specified. |
At this moment, both ejabberd and jabberd2 require private key and certificate to be combined in a single file. Jabberd2 maintainers even explicitly refused to add an option for separate files and I strongly suspect that with ejabberd it would be the same. I don't have a complete list but I also suspect that there are other pieces of software with similar requirement. So I think it's safe to assume that we do have a use case, albeit slightly specialized one.
It was never a bit deal with certificates valid for a year or longer, just a simple
cat
command very similar to one you need for other servers if you don't have a fullchain in your CA bundle and the same can be used with certbot as arenew-hook
but I think it would improve learning curve and eliminate human factor better if we had a option (or maybe even default action) instead.For example,
cat
hook might have a problem with file permissions. Or it can fail for some reason and leave "combined" file not updated without user noticing. Or in case of revokations and deletions it's very likely that user will forget to add a delete-hook (is it even possible?) and invalid certificate will continue to be used. Then cat-ed file will be a real file unlike other four which are usually symlinks which open waay for yet another set of possible inconsistencies. And overall I feel that hooks should be used to reload servers, not for cert files manipulations.Not to mention that inexperienced users may find it hard to figure out what hooks are and how to use them for this (and option that specifically mentions some of the servers that need it and standard path for the combined file that configuration guides/examples can use are way easier to find and use with less room for error).
So I propose to add an option to certbot that will combine privkey + cert + chain and put it into fifth file alongside the usual privkey, cert, chain, and fullchain. It's a pretty straightforward enhancement that is extremely unlikely to make code worse or break anything. It would be even simpler if we just added a fifth file by default but to that there might be some objections.
I am a python programmer and I can code everything myself and provide a PR but first I want to have a discussion to settle certain key details:
What is the best name for the fifth file? combined.pem? keycert.pem? everything.pem? Something else? (Although I need it for jabber servers in particular I think name should be more generic.)
What is the best name for the option?
--combine-key-and-cert
?Should it be optional or default? Optional is probably makes more sense as not everybody needs it but default would result in cleaner code and it is pretty straight-forward with few downsides.
Is there any particular reason not to implement this at all? I don't see any but maybe I'm missing something.
The text was updated successfully, but these errors were encountered: