The first two are reasonably easy, because they're not on the fast path. They can always hit the database to find up-to-date information.
Neat, neat. OJF can now create & store ACME directory credentials, nicely encrypted in the database.
But now comes the hard part: obtaining the certificates.
The rough implementation plan for that is:
println!s....and that's as far as I've got. I have to figure out how to do the request -> serve challenge -> receive & store part.
Then, I will need to do an in-memory cache, because looking at SQL for every request is a big no-no.
2026-02-07T12:25:00.927536Z DEBUG ojf_service_acme::acme: TLS Host is example-1.onlyjunk.fans; loading certs
Baby steps!
❯ curl -s --insecure https://example-1.onlyjunk.fans/ --connect-to example-1.onlyjunk.fans::127.0.0.1:8443
<!doctype html><html><head><title>Demo</title></head><body><h1>Hello world!</h1><img src="no-ai.svg" alt="AI?: FUCK NO"></body></html>⏎
Oooh yeah.
I just realized I can cheat a bit. I don't need something to listen on port 80 all the time! I can spin up a server (under mutex) whenever I need to serve a challenge.
Very crude, not scalable, but works for the time being.
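Added example, not OJF's code: a stdlib-only Rust sketch of the approach described above, where a challenge server is brought up behind a mutex only while a challenge is pending. It answers nothing but `/.well-known/acme-challenge/<token>` for a registered token, serves a bounded number of validation probes, then releases the port. The token and thumbprint values are constructed placeholders.

```rust
// Added example, not code from the OJF project: an ACME HTTP-01 responder that holds
// port 80 only while a challenge is pending, behind a mutex so at most one challenge
// server runs at a time. The token and thumbprint values below are constructed.
use std::io::{Read, Write};
use std::net::{TcpListener, TcpStream, ToSocketAddrs};
use std::sync::Mutex;
/// Pending challenges: (token, key authorization = "<token>.<account key thumbprint>").
static PENDING: Mutex<Vec<(String, String)>> = Mutex::new(Vec::new());
/// Held for the life of a challenge server; a second caller blocks until it is free.
static SERVER_SLOT: Mutex<()> = Mutex::new(());

pub fn register(token: &str, key_authorization: &str) {
    PENDING.lock().unwrap().push((token.to_string(), key_authorization.to_string()));
}

/// Answer one request line. Only `GET /.well-known/acme-challenge/<token>` for a
/// registered, base64url-shaped token gets 200 + key authorization; anything else
/// (other paths, "../", other methods) is refused so the temporary listener serves nothing else.
pub fn respond(request_line: &str) -> (u16, String) {
    let mut parts = request_line.split_whitespace();
    let (method, path) = (parts.next().unwrap_or(""), parts.next().unwrap_or(""));
    if method != "GET" { return (405, String::new()); }
    let is_token = |t: &str| !t.is_empty() && t.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'-' || b == b'_');
    let token = match path.strip_prefix("/.well-known/acme-challenge/") {
        Some(t) if is_token(t) => t,
        _ => return (404, String::new()),
    };
    let hit = PENDING.lock().unwrap().iter().find(|(t, _)| t == token).map(|(_, ka)| ka.clone());
    hit.map_or((404, String::new()), |ka| (200, ka))
}

fn handle(mut stream: TcpStream) -> std::io::Result<()> {
    let mut buf = [0u8; 2048];
    let n = stream.read(&mut buf)?;
    let first = String::from_utf8_lossy(&buf[..n]).lines().next().unwrap_or("").to_string();
    let (status, body) = respond(&first);
    let reason = match status { 200 => "OK", 405 => "Method Not Allowed", _ => "Not Found" };
    write!(stream, "HTTP/1.1 {status} {reason}\r\nContent-Length: {}\r\nConnection: close\r\n\r\n{body}", body.len())
}

/// Bind `addr` for this challenge only, answer up to `max_requests` validation probes
/// (a CA may check from several vantage points), then drop the listener and the token.
pub fn serve_challenge(addr: impl ToSocketAddrs, token: &str, key_auth: &str, max_requests: usize) -> std::io::Result<()> {
    let _slot = SERVER_SLOT.lock().unwrap();
    register(token, key_auth);
    let result = TcpListener::bind(addr).and_then(|l| (0..max_requests).try_for_each(|_| handle(l.accept()?.0)));
    PENDING.lock().unwrap().retain(|(t, _)| t != token);
    result
}
```

A caller would run `serve_challenge("0.0.0.0:80", token, key_auth, 3)` right before asking the CA to validate; the mutex makes a second concurrent order wait rather than fight over the port.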
Whheee. Cert is now served from the db. Big leaps!
Let's see if I can one-shot the challenge serving.
@algernon huh that's neat - is step-ca issuing certificates that are publicly trusted via intermediate CA or just privately trusted ones?
@arichtman Privately trusted ones (which was the challenge to overcome, so that instant-acme doesn't bail out)