tobast/tobast.fr-hugo
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

WIP: Blog: ACME

Browse source
This commit is contained in:
Théophile Bastian 2024-04-10 18:34:58 +02:00
parent f0dc1483a4
commit 3312688d1a
7 changed files with 50 additions and 29 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

33
content/blog/acme_infrastructure_in_private_lan.md Normal file
View file

@ -0,0 +1,33 @@
---
title: "Infrastructure for ACME (LetsEncrypt) certificates in a private LAN"
date: 2024-04-10
draft: false
'blog/tags':
- sysadmin
- Échirolles
---
[LetsEncrypt](https://letsencrypt.org) --- the non-profit certification
authority that certifies a vast portion of the web --- doesn't really needs
introduction anymore. They provide free SSL certificates, and even better, they
do so using their standardized automated protocol, ACME
([RFC 8555](https://datatracker.ietf.org/doc/html/rfc8555)).
When a client requests a certificate through ACME for a domain, it will be
handed a token --- a random string --- by the server. This token (the
challenge) must be temporarily served by the client to prove that it indeed
controls the domain. This automated validation uses either `http-01` or
`dns-01` challenges. The former requires the client to serve the token via http
at a certain URL. The latter requires the client to register a `TXT` DNS entry
under the domain bearing the token. The `http-01` process is clearly easier to
implement, and makes ACME straightforward in many cases.
Assume, however, that the machine trying to obtain a certificate is in a
private LAN --- it has no public IP address, or should remain completely
firewalled from the Internet, including the ACME server. In this case, the
`http-01` challenge cannot be used, and `dns-01` must be used instead. Many
articles online give instructions on how to make Certbot or other ACME clients
update DNS records. However, I am really not comfortable with giving all of my
applicative servers write-access to my DNS zones.

10
content/blog/test01.md
View file

@ -1,10 +0,0 @@
---
title: Test 1
date: 2023-04-01
draft: true
"blog/tags":
- test
- misc
---
Bonjour, ceci est un test.

10
content/blog/test02.md
View file

@ -1,10 +0,0 @@
---
title: Test 2
date: 2023-05-02
draft: true
"blog/tags":
- test
- second
---
Bonjour, ceci est également un test.

9
content/blog/test_long.md
View file

@ -1,9 +0,0 @@
---
title: Ceci, par rapport aux autres, est un test avec un titre d'une longueur fort surprenante.
date: 2023-05-12
draft: true
"blog/tags":
- test
---
Bonjour, ceci est également un test.

8
scss/_blog.scss
View file

@ -97,4 +97,12 @@
padding-left: 15px; padding-left: 15px;
margin-left: 25px; margin-left: 25px;
} }
:not(pre) > code {
background-color: $icode_bg_color;
padding: 2px 4px;
border-radius: 4px;
font-size: 85%;
color: $icode_fg_color;
}
} }

2
scss/_params.scss
View file

@ -5,6 +5,8 @@ $link_color: #07a;
$fg_color: #555; $fg_color: #555;
$fg_color_light: #555555bb; $fg_color_light: #555555bb;
$head_bg_color: #060033; $head_bg_color: #060033;
$icode_fg_color: $fg_color;
$icode_bg_color: #e1e1e1;
$resp_small: 1350px; $resp_small: 1350px;
$resp_vsmall: 1000px; $resp_vsmall: 1000px;

7
static/css/style.css
View file

@ -69,6 +69,13 @@
padding-left: 15px; padding-left: 15px;
margin-left: 25px; } margin-left: 25px; }
.blog :not(pre) > code {
background-color: #e1e1e1;
padding: 2px 4px;
border-radius: 4px;
font-size: 85%;
color: #555; }
html { html {
background-color: white; } background-color: white; }