zerossl - native acmev2 http-01 client for zerossl


I made this simple weekend project to avoid having to integrate with things like certbot or (which, btw, the project is heavily inspired by).

Besides the crude ACMEv2 ciphering exchange boilerplate, the library also automatically renews the certificate before expiration and notifies the application, to give it the opportunity to restart anything based on the just-renewed certificate.

In short, integrating this library makes an application run on valid certificates indefinitely.

I suppose it would be cool to add Let's Encrypt and friends … anyhow, link:

The HTTP port to serve the well-known token is hardcoded to port 80, so you need permissions to open port 80 on your device:

echo "net.ipv4.ip_unprivileged_port_start=80" | sudo tee /etc/sysctl.d/port80.conf
sudo sysctl --system

If it gets good feedback I can add a config option to use a different port, so that users can NAT requests to a less contended, non-privileged port like 8080 etc…

Cheers & happy new year
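To make concrete what the http-01 responder on port 80 actually has to do, here is an added illustration in Python (it is not the library's code, and the library's own language is not shown on this page). It computes the key authorization the CA fetches from the token and the account key's RFC 7638 thumbprint, answers only for tokens the client is currently being challenged for, and includes an assumed renewal policy (`should_renew`, two thirds of the lifetime elapsed) standing in for the "renew before expiration" behaviour described above. The account JWK and the token are constructed sample values, not real key material.

```python
import base64
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Constructed sample account key (public JWK members only). The modulus is a
# placeholder, NOT a real key; an RFC 7638 thumbprint only needs these members.
SAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "PLACEHOLDER-modulus-not-a-real-key",
}

# Constructed sample token, shaped like the one a CA puts in a challenge object.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# RFC 8555 section 8.3: tokens use only the base64url alphabet, no padding.
TOKEN_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
)


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required public members, serialized as JSON
    with lexicographically ordered keys and no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint, the exact body the CA fetches."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def respond(path: str, pending: dict, account_jwk: dict):
    """Minimal http-01 responder: (status, body) for one GET.

    `pending` maps tokens we are currently being challenged for to their
    identifier. Anything else is a plain 404, so the endpoint answers only
    for challenges we created and never echoes arbitrary paths back.
    """
    if not path.startswith(CHALLENGE_PREFIX):
        return 404, ""
    token = path[len(CHALLENGE_PREFIX):]
    if not token or any(c not in TOKEN_ALPHABET for c in token):
        return 404, ""
    if token not in pending:
        return 404, ""
    return 200, key_authorization(token, account_jwk)


def should_renew(not_before, not_after, now, fraction: float = 2 / 3) -> bool:
    """Assumed renewal policy: renew once `fraction` of the lifetime has elapsed
    (30 days before the end of a 90-day certificate) or after expiry.
    Works with timezone-aware datetimes or with plain day counts."""
    lifetime = not_after - not_before
    return now >= not_before + lifetime * fraction


if __name__ == "__main__":
    pending = {SAMPLE_TOKEN: "example.com"}
    print(respond(CHALLENGE_PREFIX + SAMPLE_TOKEN, pending, SAMPLE_ACCOUNT_JWK))
    print(respond(CHALLENGE_PREFIX + "unknown", pending, SAMPLE_ACCOUNT_JWK))
    issued = datetime(2024, 1, 1, tzinfo=timezone.utc)
    print(should_renew(issued, issued + timedelta(days=90),
                       datetime(2024, 3, 2, tzinfo=timezone.utc)))
```

Two design points worth noting. The responder answers with the key authorization only for tokens it issued itself, so the challenge path cannot be used to probe for or reflect anything else; and since the body has to be fetched over plain HTTP on port 80, lowering `net.ipv4.ip_unprivileged_port_start` as above lets every unprivileged process on the host bind ports from 80 upward, whereas a reverse proxy or socket activation keeps that capability with one process.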


Some thoughts/questions:

  • Why not support multiple certificates?
  • As it implements ACMEv2, why is it limited to the ZeroSSL provider only? Why not support any host?
  • Why does it listen on port 80 on its own instead of allowing the user to start it on their own, which would allow running it behind a reverse proxy or with socket activation so it doesn't need extra privileges?

As I wrote, it's a weekend project. I can dedicate some spare time if other people like it, but it's very possible an equivalent library exists already and I just accidentally missed it (have I?).

Quick search reveals:

FWIW, I've added Let's Encrypt support and a configurable port/address.

I've had a shallow check of the two projects you reported. I suppose they are fine, but they bring in quite a few elephants in the room (phoenix/ecto/cowboy/tesla/opentelemetry).

Also, the second one doesn't seem to manage renewal for you, and you'll have to get into orders/challenges etc… With mine it's as easy as setting the 4 lines of config and going.
