HAH!
Today's off to a great start: I made instant-acme work with step-ca, which lets me test things locally a whole lot easier!
Neat, neat. OJF can now create & store ACME directory credentials, nicely encrypted in the database.
But now comes the hard part: obtaining the certificates.
The rough implementation plan for that is:
println!s... and that's as far as I've got. I have to figure out how to do the request -> serve challenge -> receive & store part.
Then, I will need to do an in-memory cache, because looking at SQL for every request is a big no no.
2026-02-07T12:25:00.927536Z DEBUG ojf_service_acme::acme: TLS Host is example-1.onlyjunk.fans; loading certs
Baby steps!
❯ curl -s --insecure https://example-1.onlyjunk.fans/ --connect-to example-1.onlyjunk.fans::127.0.0.1:8443
<!doctype html><html><head><title>Demo</title></head><body><h1>Hello world!</h1><img src="no-ai.svg" alt="AI?: FUCK NO"></body></html>
Oooh yeah.
I just realized I can cheat a bit. I don't need something to listen on port 80 all the time! I can spin up a server (under mutex) whenever I need to serve a challenge.
Very crude, not scalable, but works for the time being.
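Added example (not OJF's code and not from the thread): a std-only Rust sketch of the "bind the listener only while a challenge is pending" idea from the post above, with the two things the later posts say are still missing, validation of what the responder answers and winding the listener down afterwards. The token, key authorization and request are constructed stand-ins, and `ChallengeRegistry`, `ChallengeGuard`, `serve_one` and `render_response` are names invented for this example, not instant-acme APIs.

```rust
use std::collections::HashMap;
use std::io::{Read, Write};
use std::net::{TcpListener, TcpStream};
use std::sync::{Arc, Mutex};
use std::time::Duration;

/// Path prefix the CA fetches for an HTTP-01 challenge (RFC 8555, section 8.3).
const CHALLENGE_PREFIX: &str = "/.well-known/acme-challenge/";

/// Pending HTTP-01 challenges: token -> key authorization. Shared between the
/// task talking to the CA and the short-lived port-80 responder.
#[derive(Clone, Default)]
pub struct ChallengeRegistry { inner: Arc<Mutex<HashMap<String, String>>> }

impl ChallengeRegistry {
    /// Register a token. The returned guard removes it again when dropped, so a
    /// finished (or failed) validation never leaves a stale token answerable.
    pub fn register(&self, token: &str, key_authorization: &str) -> ChallengeGuard {
        self.inner.lock().unwrap().insert(token.to_string(), key_authorization.to_string());
        ChallengeGuard { registry: self.clone(), token: token.to_string() }
    }

    pub fn pending(&self) -> usize { self.inner.lock().unwrap().len() }

    /// Decide the response for one request line. Only a GET for an exact,
    /// well-formed challenge path of a registered token gets a 200 body.
    pub fn respond(&self, method: &str, path: &str) -> (u16, String) {
        if method != "GET" { return (405, String::new()); }
        let token = match path.strip_prefix(CHALLENGE_PREFIX) {
            Some(t) => t,
            None => return (404, String::new()),
        };
        // Tokens are base64url, so "../", "?x=1" or an empty token is rejected
        // before it reaches the map: this responder answers nothing else.
        let well_formed = !token.is_empty()
            && token.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'-' || b == b'_');
        if !well_formed { return (404, String::new()); }
        match self.inner.lock().unwrap().get(token) {
            Some(key_auth) => (200, key_auth.clone()),
            None => (404, String::new()),
        }
    }
}

/// RAII handle for one registered token; dropping it unregisters the token.
pub struct ChallengeGuard { registry: ChallengeRegistry, token: String }

impl Drop for ChallengeGuard {
    fn drop(&mut self) { self.registry.inner.lock().unwrap().remove(&self.token); }
}

/// Minimal HTTP/1.0 response; the CA only needs the status and the body.
pub fn render_response(status: u16, body: &str) -> String {
    let reason = match status { 200 => "OK", 405 => "Method Not Allowed", _ => "Not Found" };
    format!("HTTP/1.0 {status} {reason}\r\nContent-Type: application/octet-stream\r\nContent-Length: {}\r\nConnection: close\r\n\r\n{body}", body.len())
}

/// Serve exactly one request on an already-bound listener. The caller binds the
/// port right before validation and drops the listener right after, so the
/// port is open only for the duration of the challenge.
pub fn serve_one(listener: &TcpListener, registry: &ChallengeRegistry) -> std::io::Result<()> {
    let (mut stream, _) = listener.accept()?;
    stream.set_read_timeout(Some(Duration::from_secs(5)))?;
    let mut buf = [0u8; 2048];
    let n = stream.read(&mut buf)?;
    let request = String::from_utf8_lossy(&buf[..n]);
    let mut parts = request.lines().next().unwrap_or("").split_whitespace();
    let (method, path) = (parts.next().unwrap_or(""), parts.next().unwrap_or(""));
    let (status, body) = registry.respond(method, path);
    stream.write_all(render_response(status, &body).as_bytes())
}

fn main() -> std::io::Result<()> {
    let registry = ChallengeRegistry::default();
    // Constructed sample values; in OJF the token and key authorization come from instant-acme.
    let guard = registry.register("abc123", "abc123.constructed-thumbprint");
    // Port 0 instead of 80 so the demo runs unprivileged; the listener's lifetime is the point.
    let listener = TcpListener::bind("127.0.0.1:0")?;
    let addr = listener.local_addr()?;
    // Stand-in for the CA's validation fetch, over loopback.
    let client = std::thread::spawn(move || -> std::io::Result<String> {
        let mut s = TcpStream::connect(addr)?;
        s.write_all(b"GET /.well-known/acme-challenge/abc123 HTTP/1.0\r\n\r\n")?;
        let mut out = String::new();
        s.read_to_string(&mut out)?;
        Ok(out)
    });
    serve_one(&listener, &registry)?;
    drop(listener); // port closes here, whatever the CA decided
    drop(guard); // token is no longer answerable either
    println!("{}", client.join().expect("client thread panicked")?);
    assert_eq!(registry.pending(), 0);
    Ok(())
}
```

The mutex from the post maps onto the shared registry; the guard is what makes "never winding down" hard to get wrong, since the token disappears whether the validation succeeded, failed or panicked.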
Whheee. Cert is now served from the db. Big leaps!
Let's see if I can one-shot the challenge serving.
In short, OJF is now able to automatically obtain ACME certificates, only opening port 80 for the duration of the challenge.
The code behind it is horrific, messy, full of unwraps and lacking error handling, and it will fall apart the very moment I try to obtain two certificates at the same time.
It also looks up the cert from SQL on every request, which is a colossal waste of resources.
But the idea is now validated, I can proceed to cleaning it up, and making it behave well.
If all goes well, the demo instance will be hosted behind itself by tonight.
There are a whole lot of bugs here, like the port 80 server never winding down, a big fat lack of any kind of validation anywhere... that kind of stuff.
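Added example for the in-memory cache the posts above say OJF still needs (not OJF's code, not from the thread): a std-only Rust cache keyed by normalized SNI hostname, so SQL is consulted once per TTL instead of on every request, with negative caching so an unknown name can't turn every handshake into a DB query. The `fake_db` closure and PEM strings are constructed stand-ins, and `CertCache` and `normalize_host` are names invented here.

```rust
use std::collections::HashMap;
use std::sync::{Arc, RwLock};
use std::time::{Duration, Instant};

/// One cache slot. `pem` is `None` for a host the DB knows nothing about
/// (negative caching), so unknown SNI names don't hammer SQL either.
struct Entry {
    pem: Option<Arc<String>>,
    expires_at: Instant,
}

/// In-memory certificate cache keyed by normalized hostname.
pub struct CertCache {
    entries: RwLock<HashMap<String, Entry>>,
    ttl: Duration,          // how long a found cert is trusted before re-checking SQL
    negative_ttl: Duration, // how long "no such host" is remembered
}

/// Lowercase, strip a trailing dot and a `:port`, and reject anything that is
/// not a plain DNS name (IP literals included), so the raw SNI value never
/// reaches the DB unchecked.
pub fn normalize_host(sni: &str) -> Option<String> {
    let lowered = sni.trim().to_ascii_lowercase();
    let host = lowered.split(':').next().unwrap_or("").trim_end_matches('.');
    let ok = !host.is_empty()
        && host.len() <= 253
        && host.bytes().all(|b| b.is_ascii_lowercase() || b.is_ascii_digit() || b == b'-' || b == b'.');
    if ok { Some(host.to_string()) } else { None }
}

impl CertCache {
    pub fn new(ttl: Duration, negative_ttl: Duration) -> Self {
        Self { entries: RwLock::new(HashMap::new()), ttl, negative_ttl }
    }

    /// Return the PEM for `sni`, calling `load` (the SQL lookup) only on a miss
    /// or an expired entry. `now` is passed in so expiry is testable.
    pub fn get_or_load<F>(&self, sni: &str, now: Instant, load: F) -> Option<Arc<String>>
    where
        F: FnOnce(&str) -> Option<String>,
    {
        let host = normalize_host(sni)?;
        if let Some(hit) = self.entries.read().unwrap().get(&host) {
            if now < hit.expires_at {
                return hit.pem.clone();
            }
        }
        let pem = load(&host).map(Arc::new);
        let ttl = if pem.is_some() { self.ttl } else { self.negative_ttl };
        self.entries.write().unwrap().insert(host, Entry { pem: pem.clone(), expires_at: now + ttl });
        pem
    }

    /// Drop one entry, e.g. right after a renewal stored a new cert in the DB.
    pub fn invalidate(&self, sni: &str) {
        if let Some(host) = normalize_host(sni) {
            self.entries.write().unwrap().remove(&host);
        }
    }

    pub fn len(&self) -> usize {
        self.entries.read().unwrap().len()
    }
}

fn main() {
    let cache = CertCache::new(Duration::from_secs(300), Duration::from_secs(30));
    let now = Instant::now();
    // Constructed stand-in for the SQL lookup; prints so the round-trips are visible.
    let fake_db = |host: &str| -> Option<String> {
        println!("SQL lookup for {host}");
        if host == "example-1.onlyjunk.fans" {
            Some("-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----".to_string())
        } else {
            None
        }
    };
    cache.get_or_load("Example-1.OnlyJunk.Fans:8443", now, fake_db); // one SQL round-trip
    cache.get_or_load("example-1.onlyjunk.fans", now + Duration::from_secs(10), fake_db); // served from memory
    cache.get_or_load("nope.invalid", now, fake_db); // one round-trip, then remembered as absent
    cache.get_or_load("nope.invalid", now + Duration::from_secs(5), fake_db); // no round-trip
    println!("{} entries cached", cache.len());
}
```

A short TTL keeps renewed certificates from being served stale for long; `invalidate` after a renewal writes to the DB closes that window entirely.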
Well, it's not gonna be tonight. There's so much cleaning up left to do.
The good news is, most of the cleaning up is localized to a single service crate.
On the flip side, the proxy now supports HTTP2.
@algernon huh that's neat - is step-ca issuing certificates that are publicly trusted via intermediate CA or just privately trusted ones?
@arichtman Privately trusted ones (which was the challenge to overcome, so that instant-acme doesn't bail out)