
Support short-term cert expiry #93

Open
twifkak opened this issue Sep 13, 2018 · 5 comments
Member

twifkak commented Sep 13, 2018

Currently, amppkg only loads the cert file at startup. If it expires while the packager is running, the packager continues to sign with it and serve it. Instead, it should attempt to reload automatically starting a few days before expiry, and continuing at some regular interval until no longer imminently expiring. If the cert is expired, it should stop signing exchanges, and log a warning.

In addition, it should serve the cert-url with an http expiry no longer than the cert expiry (as a follow-up to #85).

@twifkak twifkak added this to the v4+ milestone Sep 13, 2018
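
The policy requested in the opening comment, as an added Go example that is not amppkg's own code: classify the signing cert against the clock, and cap the cert-url `max-age` at the cert's remaining lifetime. The 7-day renewal window, the names `Classify` and `CertURLMaxAge`, and the sample dates are assumptions.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"time"
)

// CertState is the action the packager should take for its signing cert.
type CertState int

const (
	CertOK       CertState = iota // sign and serve normally
	CertRenewDue                  // keep signing, retry reload at each interval
	CertExpired                   // stop signing exchanges and log a warning
)

// renewWindow is an assumed value for "a few days before expiry".
const renewWindow = 7 * 24 * time.Hour

// Classify compares the cert's NotAfter against now.
func Classify(cert *x509.Certificate, now time.Time) CertState {
	switch {
	case now.After(cert.NotAfter):
		return CertExpired
	case cert.NotAfter.Sub(now) <= renewWindow:
		return CertRenewDue
	}
	return CertOK
}

// CertURLMaxAge returns the Cache-Control max-age in seconds for the cert-url
// response: the configured value, capped so no cache keeps the cert past NotAfter.
func CertURLMaxAge(cert *x509.Certificate, now time.Time, configured time.Duration) int {
	remaining := cert.NotAfter.Sub(now)
	if remaining <= 0 {
		return 0 // expired: nothing should be cached
	}
	return int(min(remaining, configured) / time.Second)
}

func main() {
	// Constructed sample: only NotAfter matters for this policy.
	cert := &x509.Certificate{NotAfter: time.Date(2019, 3, 1, 0, 0, 0, 0, time.UTC)}
	for _, back := range []time.Duration{720 * time.Hour, 72 * time.Hour, 2 * time.Hour, -time.Second} {
		now := cert.NotAfter.Add(-back)
		fmt.Printf("%s state=%d max-age=%d\n", now.Format(time.RFC3339),
			Classify(cert, now), CertURLMaxAge(cert, now, 24*time.Hour))
	}
}
```
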
Member Author

twifkak commented Feb 21, 2019

This will be much more important as of WICG/webpackage#383.

@twifkak twifkak modified the milestones: v6+, v4: Ease of deployment Feb 21, 2019
Member Author

twifkak commented Feb 21, 2019

Restarting the server every 90 days is an option. Perhaps not a particularly pleasant one, but perhaps not so bad in this world of coordinated containers.

Member Author

twifkak commented Feb 22, 2019

Cert renewals will have a different cert-sha256 and hence a different cert-url and generate different signatures. If so, we should decide whether to continue serving the old cert at the old URL (up until expiry). We may get a timeline like:

  1. AMP cache requests SXG, amppkg provides.
  2. amppkg has new cert.
  3. AMP cache requests cert-url, amppkg 404s.

There may be an arbitrary amount of time between (1) and (3), though likely usually small. Though the AMP cache is free to respond to the 404 by doing a GOTO 1.

I'm leaning to 'no' for simplicity, since AMP Caches have some workarounds available.

Alternatively, maybe we should reconsider data: cert-urls.

Member Author

twifkak commented Aug 10, 2019

Update:

  • We should support hosting old and new cert at same time. (Does this mean we'll need to change the toml to allow a list of cert paths?)
  • Optional: Allow adding new cert without restarting. (Either inotify or SIGUSR1.)
  • Required, but later is ok: Integrate an ACME client library.

@twifkak twifkak self-assigned this Jun 5, 2020
@twifkak twifkak changed the title Support short-term cert expiry Add integration tests for ACME and OCSP renewals Jun 5, 2020
@twifkak twifkak added the fixit label Jun 5, 2020
@twifkak twifkak changed the title Add integration tests for ACME and OCSP renewals Support short-term cert expiry Jun 5, 2020
@twifkak twifkak removed the fixit label Jun 5, 2020
@twifkak twifkak assigned banaag and unassigned twifkak Jun 5, 2020
Member Author

twifkak commented Jun 5, 2020

Sorry for the noise; changing things back since I see from the comments there is other stuff than just the tests. Split the tests off into #433 since that seems fixit-sized.

3 participants