HAH!
Today's off to a great start: I made instant-acme work with step-ca, which lets me test things locally a whole lot easier!
Neat, neat. OJF can now create & store ACME directory credentials, nicely encrypted in the database.
But now comes the hard part: obtaining the certificates.
The rough implementation plan for that is:
println!s... and that's as far as I've got. I have to figure out how to do the request -> serve challenge -> receive & store part.
Then, I will need to do an in-memory cache, because looking at SQL for every request is a big no no.
2026-02-07T12:25:00.927536Z DEBUG ojf_service_acme::acme: TLS Host is example-1.onlyjunk.fans; loading certs
Baby steps!
❯ curl -s --insecure https://example-1.onlyjunk.fans/ --connect-to example-1.onlyjunk.fans::127.0.0.1:8443
<!doctype html><html><head><title>Demo</title></head><body><h1>Hello world!</h1><img src="no-ai.svg" alt="AI?: FUCK NO"></body></html>⏎
Oooh yeah.
I just realized I can cheat a bit. I don't need something to listen on port 80 all the time! I can spin up a server (under mutex) whenever I need to serve a challenge.
Very crude, not scalable, but works for the time being.
Whheee. Cert is now served from the db. Big leaps!
Let's see if I can one-shot the challenge serving.
@algernon huh that's neat - is step-ca issuing certificates that are publicly trusted via intermediate CA or just privately trusted ones?
@arichtman Privately trusted ones (which was the challenge to overcome, so that instant-acme doesn't bail out)