Date: Sun, 04 Jul 2021 11:30:10 -0400
From: Stanley Lieber
To: 9front@9front.org
In-Reply-To: <8C888BE430C392CE31D2CFCF57DD01A3@eigenstate.org>
References: <8C888BE430C392CE31D2CFCF57DD01A3@eigenstate.org>
Message-ID: <1250D635-BD43-467A-897F-A3FBA7296989@stanleylieber.com>
Subject: Re: [9front] aclient: a draft.
Reply-To: 9front@9front.org

On July 3, 2021 8:52:08 PM EDT, ori@eigenstate.org wrote:
>I've been working on a client for ACME cert management
>protocol, RFC8555. It's what letsencrypt uses, as well
>as several other providers.
>
>It works, though there are probably a few tweaks to be
>done before it gets committed, and we should figure out
>how to get DNS challenges working.
>
>The code is here until I commit it to 9front:
>
>	http://shithub.us/ori/aclient/HEAD/info.html
>
>Before committing:
>
>- I'd like to figure out a way to add a way to
>  add a script to handle the challenge, without
>  making the program clunky.
>- I'd like to add support for DNS challenges.
>- I think the default locations may not be
>  ideal, and I'd like to see if there are
>  better options.
>- Get a round of review and thoughts on what
>  it should do differently.
>- Maybe rename it to honest/acmed -- Honest
>  Acmed's guaranteed-unsketchy used cert
>  emporium and underwear store.
>
>But it's there, and it works.
>
>Manpage below:
>
>     ACLIENT(8)                                            ACLIENT(8)
>
>     NAME
>          aclient - acme certificate client
>
>     SYNOPSIS
>          aclient [ -o outdir ] [ -p provider ] [ -a acctkey ] [ -c
>          csrkey ] [ -w chaldir ] acctname domain
>
>     DESCRIPTION
>          Aclient fetches and renews TLS certificates using the acme
>          protocol. It requires a pregenerated account key and
>          certificate signing key.
>
>          There are a number of options.
>
>          -o outdir   Specifies that the signed certificate is placed
>                      in outdir in place of the default
>                      /sys/lib/tls/acme/.
>
>          -p provider Specifies that provider is used as the provider
>                      URL, in place of the default
>                      https://acme-v02.api.letsencrypt.org/directory.
>                      This must be the directory URL for the desired
>                      RFC8555 compliant provider.
>
>          -a acctkey  Specifies that acctkey is used to sign requests
>                      to the provider in place of the default
>                      /sys/lib/tls/acme/$acctname.pub. The key must be
>                      a jwk formatted RSA key.
>
>          -c csrkey   Specifies that csrkey is used to produce the CSR
>                      sent to provider in place of the default
>                      /sys/lib/tls/acme/$domain.key. The key must be a
>                      plan 9 formatted RSA key suitable for
>                      aux/rsa2csr.
>
>          -w chaldir  Specifies that the challenge is written out to
>                      chaldir. For HTTP challenges, this defaults to
>                      /usr/web/.well-known/acme-challenge/.
>
>     EXAMPLES
>          Before aclient is run, the keys must be generated.
>
>               auth/rsagen -t 'service=acme role=sign hash=sha256 acct=me@example.org' |
>                    tee /sys/lib/acme/me@example.org.priv |
>                    auth/rsa2jwk > /sys/lib/acme/me@example.org.pub
>               auth/rsagen -t 'service=tls owner=*' >/sys/lib/acme/mydomain.com.key
>
>          This need only be run once. Once the keys are generated,
>          they should be loaded into factotum:
>
>               cat /sys/lib/acme/mydomain.com.key >/mnt/factotum/ctl
>               cat /sys/lib/acme/me@example.org.priv >/mnt/factotum/ctl
>
>          The certificate for the domain can now be fetched:
>
>               aclient me@example.org mydomain.com
>
>     SOURCE
>          /sys/src/cmd/$somewhere/aclient.c
>
>     BUGS
>          Aclient only supports HTTP challenges that are placed in
>          static directories. It should add support for DNS challenges,
>          and provide a way for a script to be invoked while handling
>          them.
>

ironically, instead of acme doing everything, we now have everything being called acme. maybe consider /sys/lib/tls/aclient instead of /sys/lib/tls/acme?*

* I assume the scattered references to /sys/lib/acme were meant to be /sys/lib/tls/acme.

sl
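An added example, not code from aclient or the 9front tree: it shows what the HTTP challenge file that lands under /usr/web/.well-known/acme-challenge/ has to contain, per RFC 8555 section 8.1 (token '.' RFC 7638 thumbprint of the jwk-formatted account key), and why the CA-supplied token must be checked before it becomes a filename under a web root. Pure Python standard library; the RSA modulus and token are constructed toy values.

```python
import base64
import hashlib
import json
import re

# RFC 8555 tokens are base64url without padding. The challenge directory is
# served world-readable, so anything else must never become a filename there.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")

def b64url(data):
    """base64url without '=' padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def int_to_b64url(value):
    """Minimal big-endian octets of an unsigned integer, base64url encoded."""
    return b64url(value.to_bytes((value.bit_length() + 7) // 8, "big"))

def rsa_public_jwk(n, e):
    """Public JWK for an RSA account key (the form aclient's acctkey takes;
    only the required members are produced here)."""
    return {"kty": "RSA", "n": int_to_b64url(n), "e": int_to_b64url(e)}

def jwk_thumbprint(jwk):
    """RFC 7638: SHA-256 over the required members only ('e', 'kty', 'n'),
    keys in lexicographic order, no whitespace, then base64url."""
    required = {k: jwk[k] for k in ("e", "kty", "n")}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def is_valid_token(token):
    """True only for a well-formed ACME challenge token (whole-string match,
    so a trailing newline or a path separator is rejected)."""
    return TOKEN_RE.fullmatch(token) is not None

def http01_challenge_file(token, jwk):
    """Return (filename under chaldir, file body) for an HTTP-01 challenge.
    The body is token '.' thumbprint; the CA fetches it over plain HTTP and
    compares it verbatim (RFC 8555 section 8.3)."""
    if not is_valid_token(token):
        raise ValueError("token is not base64url; refusing to write it")
    return token, "%s.%s" % (token, jwk_thumbprint(jwk))

if __name__ == "__main__":
    # Constructed toy key and token (NOT a real account key; far too small).
    toy_jwk = rsa_public_jwk(
        n=0xC97FB1F027F453F6341233EAAAD1D9353F6C42D08866B1D05A0F2035028B9D87,
        e=65537)
    print(http01_challenge_file("constructed-token_Abc123", toy_jwk))
```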