SSL in Aegir is currently confusing to set up, requires command-line access to deploy keys, and is fairly fragile. This is reflected in lots of open issues relating to SSL in our various queues: https://www.drupal.org/project/issues?text=ssl&projects=provision%2C+hos...

We need to fix this; ideally for Aegir 3. I propose consolidating some of these issues and taking the following approach:

  1. Move to SNI exclusively
  2. Drop IP address handling (almost) entirely
  3. Provide front-end forms for uploading or pasting certificate files
  4. Validate these certificates before attempting to deploy them
  5. Provide useful, up-to-date docs for SSL management in Aegir

(1) and (2) should greatly simplify SSL deployments, and should probably be the priority. According to this comment, there may not be much left to actually do here.

(3) should simply provide something like the attached SSL form screenshot.

(4) might require a bit more work, as I haven't yet found a native PHP method to validate certs. This probably just needs a bit more digging. On the backend, we could just make a system call to `openssl`, but we probably want to avoid that and use some of PHP's openssl_*() functions instead.

(5) would also be greatly simplified by (1) and (2).
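The pre-deployment checks that item (4) asks for, written against PHP's openssl_*() functions instead of shelling out to `openssl`. This is an added example for this issue, not Aegir's or hosting_https's code; the function names are illustrative, and it assumes PHP 7.4 or later (for openssl_x509_verify()). It checks the four things an uploaded bundle most often gets wrong: key/certificate mismatch, an expired or not-yet-valid certificate, a certificate that does not name the vhost (fatal once SNI selects the certificate by hostname), and an intermediate chain whose links do not actually sign each other.

```php
<?php
declare(strict_types=1);

// Illustrative example, not Aegir code. Returns a list of human-readable
// problems; an empty array means the bundle is safe to hand to the web server.
function ssl_validate_bundle(string $cert_pem, string $key_pem, string $chain_pem = '', string $hostname = ''): array
{
    $cert = openssl_x509_read($cert_pem);
    if ($cert === false) {
        return ['Certificate is not a parseable PEM X.509 certificate'];
    }
    $errors = [];

    // 1. Does the uploaded private key belong to this certificate?
    $key = openssl_pkey_get_private($key_pem);
    if ($key === false) {
        $errors[] = 'Private key could not be read (not PEM, or passphrase-protected)';
    } elseif (!openssl_x509_check_private_key($cert, $key)) {
        $errors[] = 'Private key does not match the certificate public key';
    }

    // 2. Validity window, judged against the server clock.
    $info = openssl_x509_parse($cert);
    $now = time();
    if ($info['validFrom_time_t'] > $now) {
        $errors[] = 'Certificate is not yet valid (notBefore ' . date(DATE_ATOM, $info['validFrom_time_t']) . ')';
    }
    if ($info['validTo_time_t'] < $now) {
        $errors[] = 'Certificate expired on ' . date(DATE_ATOM, $info['validTo_time_t']);
    }

    // 3. With SNI the certificate must name the vhost it will be served for.
    if ($hostname !== '' && !ssl_cert_covers_hostname($info, $hostname)) {
        $errors[] = "Certificate does not cover hostname {$hostname}";
    }

    // 4. Intermediate chain, if one was supplied.
    if ($chain_pem !== '') {
        $errors = array_merge($errors, ssl_check_chain($cert, $chain_pem));
    }
    return $errors;
}

// DNS names the certificate asserts: subject CN plus DNS entries of subjectAltName.
// openssl_x509_parse() renders the SAN as "DNS:a.example, DNS:b.example, IP Address:...".
function ssl_cert_names(array $info): array
{
    $names = [];
    if (!empty($info['subject']['CN'])) {
        $names[] = strtolower((string) $info['subject']['CN']);
    }
    foreach (explode(',', $info['extensions']['subjectAltName'] ?? '') as $entry) {
        $entry = trim($entry);
        if (stripos($entry, 'DNS:') === 0) {
            $names[] = strtolower(substr($entry, 4));
        }
    }
    return $names;
}

function ssl_cert_covers_hostname(array $info, string $hostname): bool
{
    $hostname = strtolower($hostname);
    foreach (ssl_cert_names($info) as $name) {
        if ($name === $hostname) {
            return true;
        }
        // A wildcard covers exactly one leftmost label (RFC 6125 section 6.4.3):
        // "*.example.com" matches www.example.com, not example.com or a.b.example.com.
        if (strpos($name, '*.') === 0 && strstr($hostname, '.') === substr($name, 1)) {
            return true;
        }
    }
    return false;
}

// Walk the supplied chain: certificate i must be the issuer of, and have
// signed, the previous link (starting from the leaf).
function ssl_check_chain($leaf, string $chain_pem): array
{
    preg_match_all('/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/s', $chain_pem, $m);
    if ($m[0] === []) {
        return ['Chain contains no PEM certificates'];
    }
    $errors = [];
    $child = $leaf;
    foreach ($m[0] as $i => $pem) {
        $issuer = openssl_x509_read($pem);
        if ($issuer === false) {
            $errors[] = "Chain certificate #{$i} is not parseable";
            break;
        }
        if (openssl_x509_parse($child)['issuer'] != openssl_x509_parse($issuer)['subject']) {
            $errors[] = "Chain certificate #{$i} is not the issuer of the certificate before it";
        }
        $pub = openssl_pkey_get_public($issuer);
        if ($pub === false || openssl_x509_verify($child, $pub) !== 1) {
            $errors[] = "Chain certificate #{$i} did not sign the certificate before it";
        }
        $child = $issuer;
    }
    return $errors;
}
```

The chain walk deliberately stops at the last uploaded intermediate rather than trying to reach a trust anchor: whether the root is in a client's store is not something the server side can decide, but a mis-ordered or unrelated intermediate is, and is exactly the kind of mistake a form upload should reject before the web server is reloaded with it.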

Attachment: AddListener_SSLCertificate.png (103.62 KB), ergonlogic

Comments

ergonlogic

We discussed this in IRC, and concluded that there'd be little downside to moving in this direction. Read the log here: https://hefring.mig5.net/bot/log/aegir/2015-04-07#T561565

ergonlogic

Adding related issues list. Let's try to de-dupe these, and fix them along the way.

ergonlogic

I merged the SNI branch into 7.x-3.x this morning.

I tried linking a bunch of SSL issues, but d.o failed, as can be seen by the useless comments above. Arrgh! Anyway, just use the link in the description to a list of all projects mentioning SSL.

Also, as per the discussion on IRC yesterday, (4) will likely just make a system() call to openssl, rather than trying to do something similar ourselves.

valkum

(4) There is http://phpseclib.sourceforge.net/x509/intro.html for that purpose, I think.

helmo

Issue tags: +aegir-ssl

helmo

Status: Active » Closed (outdated)

This is now being worked on in hosting_https, see https://gitlab.com/aegir/hosting_https/issues/29 for release planning.