Let's Encrypt

[RodDaSilvaWCO]

Hi All,

Out of curiosity, are there any plans to integrate automated SSL certificate management into Oqtane via a library like EncryptWeMust or LettuceEncrypt . Seems to me this would be a welcomed featured for anyone trying to stand up a turnkey website using Oqtane in their own infrastructure or on IaaS.

I am considering modifying the Oqtane Server startup code to integrate one of these ACME clients for one of my projects, and was just wondering if I would be duplicating preexisting effort from someone in this community.

Thanks,
Rod

[sbwalker]

@RodDaSilvaWCO one of the high level goals in Oqtane is to minimize third party dependencies... so I do not envision adding this functionality to the core framework. I would suggest that you create a module and make it available via the Marketplace.

[RodDaSilvaWCO]

@sbwalker Agreed. That's what I was originally thinking of doing, and that is why I posted here - because it's not clear to me how to go about it, given this would be an "Admin" module. Is your Admin page (the one that shows all the Admin modules) extensible? I.e.; can we add to it?

Furthermore, the certificate that this module would ultimately generate would need to be configured in the startup code of the Oqtane Server (e.g.; in the DI where Kestrel, IIS or HTTPS.sys are configured). Correct me if I am wrong but I don't thing you can do that with a "module".

IOWs I think such changes would be too low-level to be handle by a module, unless you can think of a way?

FWIW, both of the above libraries I mentioned depend on a NETStandard implementation of ACME called Certes. And the only notable dependency it has is on BouncyCastle for the certificate stuff - a fairly safe dependency IMO. (Certes also depends on Netwonsoft for JSON support, that could be replaced with Microsoft's Json library easy enough).

Thanks,
Rod

[sbwalker]

@RodDaSilvaWCO the main concept behind a framework like Oqtane is that developers should never need to modify the source code or else they risk breaking their future upgrade path (just like Blazor itself or any other framework). This means that all customization must be done via extensions... so to answer your question, yes it is possible to accomplish all of the things you mentioned in a module:

• modules can be automatically added to the Admin menu when they are installed (see https://www.oqtane.org/blog/!/62/routable-modules for one possible option - there are multiple ways this can be done)
• modules can add logic to Startup (see the IServerStartup interface)
• modules can include scheduled jobs (ie. if you wanted to auto renew SSL certificates)
• modules can include third party assemblies which are deployed with the module package

To clarify, it is not really a matter of whether dependencies are "safe" or not, the overarching goal for Oqtane is performance (https://www.oqtane.org/blog/!/20/oqtane-philosophy) so keeping the core framework as lean as possible helps ensure optimal performance and also provides long term maintainability and security benefits. This following post highlights the difference between Oqtane and other frameworks in this regard: #4482 (comment)

[RodDaSilvaWCO]

@sbwalker Thanks for the detailed and thoughtful response. I am happy to hear the requirements can be supported through a module. That is definitely the way to go as I agree with everything you said regarding keeping the framework lean. I will look into this further. Thanks for the pointers.