burble.dn42 / Services / ACME

ACME

burble.dn42 provides an ACME service using an intermediate certificate issued by the dn42 certificate authority and implemented using a HashiCorp Vault cluster to provide a highly available service.

The following ACME challenge types are supported:

  • http-01
  • dns-01
  • tls-alpn-01

dn42 endpoint

The dn42 endpoint serves certificates signed by an intermediate certificate issued by the dn42 certificate authority.

Note that certificates are issued with a validity period of 30 days, which is shorter than most clearnet ACME services.

The recommended interval to check for expiry is 5 days.

Staging endpoint

The staging endpoint can be used for testing and issues junk certificates. The service uses an internal certificate authority that is specific to the staging service and should not be trusted.

The staging service issues short lived certificates with a validity period of a few days.

Certificate Transparency

TODO A simpler process will be provided at a future stage, in the meantime the vault API can be queried manually to list issued certificates.

Vault provides an API for listing issued certificates, however the process for doing this is somewhat complicated if you have not used vault before. The instructions below detail how to interrogate the service using the vault CLI, however it is also possible to run through the same process via the HTTP API.

# The API endpoint to list issued certificates is an authenticated
# endpoint that requires a vault token to access it.
# 
# The burble.dn42 service includes an anonymous login that can be
# used to obtain a suitable token.

# set the VAULT_ADDR environment variable to the ACME service

$ export VAULT_ADDR="https://acme.burble.dn42"

# you can also set VAULT_SKIP_VERIFY=1 if you do not have the
# dn42 certificate authority installed.

# Issue an anonymous token and store it in the VAULT_TOKEN env variable

$ export VAULT_TOKEN=$(vault write -field token auth/approle/login role_id=anonymous)

# now the vault API can be accessed


# list issued certificates

$ vault list dn42/certs

Keys
----
06:72:54:74:02:eb:68:da:62:76:14:92:b4:84:19:36:b1:d1:d0:5c
0c:bb:39:a0:0a:aa:9c:d9:06:e8:9e:87:ff:54:73:c4:a6:42:9c:f0
13:91:4f:f7:3a:0b:ca:38:cd:c6:6e:7d:4d:fb:c5:7c:ed:b0:79:1b
39:5c:46:16:27:d8:f7:30:cc:64:1a:3c:6c:ff:c4:ac:f9:3c:3c:9c
4b:24:32:48:d0:64:55:3b:dd:b3:00:c6:33:2d:0f:3e:eb:d7:50:02
4c:8f:ce:e6:18:7a:05:c1:a3:11:45:c9:3c:34:0f:50:e0:75:6d:fd
5a:03:a9:5b:07:60:d0:fb:25:28:4b:e9:93:a8:22:cd:78:d1:29:b2
5d:26:b4:47:59:0c:0a:e9:88:b6:97:1d:2a:2b:e5:cb:d2:90:34:9e
65:c8:33:07:fc:9a:aa:fd:85:6b:fd:b4:de:29:71:e3:8e:6c:f2:11
68:e1:a6:4a:e1:58:ee:71:c7:a6:12:48:e2:7a:c5:84:c1:7c:21:5e
75:cf:16:f9:06:71:ea:86:1c:51:95:89:c9:1d:ea:a1:eb:f5:6f:83
76:91:6e:6a:23:14:00:7c:5f:c7:de:91:c4:40:73:d9:51:b4:f8:4d

# view an invidual certificate

$ vault read -field certificate "dn42/cert/76:91:6e:6a:23:14:00:7c:5f:c7:de:91:c4:40:73:d9:51:b4:f8:4d"

-----BEGIN CERTIFICATE-----
MIIDTTCCAjWgAwIBAgIUdpFuaiMUAHxfx96RxEBz2VG0+E0wDQYJKoZIhvcNAQEL
BQAwVTELMAkGA1UEBhMCWEQxDTALBgNVBAoTBGRuNDIxFDASBgNVBAsTC2J1cmJs

...snip...

yait1CFFq4g9/bvsNfIsvN6EJ/BGXqqww6BzKt/ioSLj
-----END CERTIFICATE-----

# human readable output using the step CLI (https://smallstep.com/)

$ vault read -field certificate "dn42/cert/06:72:54:74:02:eb:68:da:62:76:14:92:b4:84:19:36:b1:d1:d0:5c" | step certificate inspect
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 36803586486229131299250018793512622456839458908 (0x672547402eb68da62761492b4841936b1d1d05c)
    Signature Algorithm: SHA256-RSA
        Issuer: C=XD,O=dn42,OU=burble.dn42,CN=burble.dn42 staging ACME
        Validity
            Not Before: Oct 2 18:21:36 2023 UTC
            Not After : Nov 3 18:22:06 2023 UTC
        Subject: CN=drone.git.dn42
        Subject Public Key Info:
            Public Key Algorithm: RSA
                Public-Key: (4096 bit)
                Modulus:
...snip...                
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                Server Authentication
            X509v3 Subject Key Identifier:
                01:4A:7E:02:F3:B7:78:03:66:F9:21:97:4B:31:34:7C:31:DE:BB:86
            X509v3 Authority Key Identifier:
                keyid:94:D1:C3:60:C7:88:81:A6:8C:37:AE:40:42:22:48:6B:5F:36:8F:CC
            Authority Information Access:
                OCSP - URI:https://acme.burble.dn42/v1/dn42/ocsp
                CA Issuers - URI:https://acme.burble.dn42/v1/dn42/ca
            X509v3 Subject Alternative Name:
                DNS:drone.git.dn42
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:https://acme.burble.dn42/v1/dn42/crl
    Signature Algorithm: SHA256-RSA
...snip...

Implementation

The ACME implementation is provided by a 3-node HashiCorp Vault cluster behind the burble.dn42 traefik load balancer. Together they provide a global, high availability service.

The cluster currently runs on the following nodes:

  • ch-zur2
  • de-fra1
  • fr-par1

At any time the cluster has one leader which processes all requests and replicates state to the cluster members. The leader node automatically switches to one of the backup servers should a failure occur.

The traefik load balancer runs health checks against the vault servers and automatically redirects users to the vault cluster leader.

See the vault HA reference architecture for more details.