Make openSUSE the first distribution to support LetsEncrypt/ACME natively, in order to provide easy TLS encryption for all services. openSUSE users should be able to

  1. Request certificates for associated host names and keep them up-to-date.
  2. Use these certificates to configure their services (e.g. web, mail, etc.).

Proposed Actions

  1. Evaluate yast2-certificate-management for fitness. Decide on whether to extend it or write a new module.
  2. Make use of an existing ACME client. Evaluate e.g. certbot, acmetool, dehydrated for fitness. YaST modules should not provide new functionality, only integration.
  3. Extend yast2-http-server, yast2-mail, etc. accordingly.
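As an added illustration of the "keep them up-to-date" part of step 2 (not code from this proposal or from any YaST module): a small Ruby check that decides whether a host certificate is close enough to expiry to hand a renewal request to an external ACME client. certbot, the webroot path and the 30-day threshold are assumptions; the sample certificate is constructed inline so the script runs offline.

```ruby
require 'openssl'

# Renew when the certificate expires within this many days (assumption).
RENEW_THRESHOLD_DAYS = 30

# Whole days until the certificate in `pem` expires, relative to `now`.
def days_until_expiry(pem, now: Time.now)
  cert = OpenSSL::X509::Certificate.new(pem)
  ((cert.not_after - now) / 86_400).floor
end

# True when the certificate expires within the threshold (or already has).
def renewal_due?(pem, now: Time.now, threshold_days: RENEW_THRESHOLD_DAYS)
  days_until_expiry(pem, now: now) <= threshold_days
end

# Command line an integration module would hand to the ACME client.
# certbot's webroot challenge is assumed; YaST would only wrap the call.
def renew_command(domains, webroot:)
  ['certbot', 'certonly', '--non-interactive', '--webroot', '-w', webroot] +
    domains.flat_map { |d| ['-d', d] }
end

# Constructed self-signed certificate, for demonstration only.
def sample_cert(not_after:, now: Time.now)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=www.example.org')
  cert.public_key = key.public_key
  cert.not_before = now
  cert.not_after = not_after
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

if __FILE__ == $PROGRAM_NAME
  now = Time.at(Time.now.to_i) # whole seconds, as stored in the certificate
  pem = sample_cert(not_after: now + 20 * 86_400, now: now)
  puts "days left: #{days_until_expiry(pem, now: now)}"
  if renewal_due?(pem, now: now)
    puts renew_command(['www.example.org'], webroot: '/srv/www/htdocs').join(' ')
  end
end
```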

Call for collaborators

Knowledge of Ruby, YaST internals, or ACME/TLS/X.509 is useful, but not strictly necessary. I will give an introduction on the TLS related topics on Tuesday. It would be nice to have a YaST expert on the team.

Stretch Goals

  • Set Security Headers such as HTTP Strict Transport Security.
  • Set Certificate Pinning Header (https://tools.ietf.org/html/rfc7469). This requires creating backup keys to be useful. Might not even be a good idea (https://blog.qualys.com/ssllabs/2016/09/06/is-http-public-key-pinning-dead).
  • Update the crypto parameters in Apache/Postfix/etc. Let's talk to security folks about that.
  • Discuss whether and how to approach this from the SUSE Manager end.

Validation

A default setup should achieve an A/A+ rating on ssllabs.com.

Further Readings

  • https://letsencrypt.org/
  • https://letsencrypt.github.io/acme-spec/
  • https://certbot.eff.org/
  • https://github.com/hlandau/acme
  • https://github.com/lukas2511/dehydrated
  • https://de.wikipedia.org/wiki/HTTPStrictTransport_Security
  • http://yast.github.io/yast-journalctl-tutorial/

Related

Fate #320148.