Make the certificate authority used by a certificate-authority-account configurable
Overview
Currently, Let’s Encrypt (https://acme-v02.api.letsencrypt.org/directory) is the only certificate authority
that can be used in a certificate-authority-account resource.
This issue aims to make it possible for the user to configure attribute certificate-authority for this resource.
Each certificate authority can be associated with a production url and a staging url, both of which have to be configurable.
Issue Metadata
Issue
Dev Contacts
QE Contacts
Testing By
[x] Engineering
[ ] QE
Affected Projects or Components
-
Wildfly Core
-
Elytron
Requirements
Hard Requirements
It must be possible to specify staging url and production url for the attribute certificate-authority in the certificate-authority-account resource.
This will be achieved by adding new resource certificate-authority to the elytron subsystem.
Eg. the configuration will look like the following:
/subsystem=elytron/certificate-authority=Buypass:add(url="https://api.buypass.com/acme/directory",staging-url="https://api.staging-example.com/acme/directory")
/subsystem=elytron/certificate-authority-account=exampleCertificateAuthorityAccount:add(certificate-authority=Buypass,alias=example,key-store=exampleKS)Implementation Plan
Currently, certificate-authority-account contains optional attribute certificate-authority of type STRING.
The default and only allowed value is "LetsEncrypt".
We should be able to specify staging URL and production URL without breaking backwards compatibility.
In the Elytron subsystem, LetsEncrypt is a value of CertificateAuthority enum. This enum contains name, url and staging url.
We can add new certificate-authority resource to the elytron
subsystem with non-optional attributes name, url and optional attribute staging-url.
This way, during the configuration of certificate-authority-account
it will be possible to reference any certificate-authority previously added by attribute name.
The default value for certificate-authority attribute in certificate-authority-account will continue to be "LetsEncrypt" with url "https://acme-v02.api.letsencrypt.org/directory" and staging-url "https://acme-staging-v02.api.letsencrypt.org/directory" (same as before).
If user does not specify certificate-authority or specify it to be "LetsEncrypt", these default URLs will be set internally (certificate-authority with name "LetsEncrypt" will not be added to avoid changes to configuration and to keep backwards compatibility).
If user tries to add certificate-authority resource with name "LetsEncrypt`, an exception will be thrown to avoid discrepancies.
Implementation will require removal of the enum CertificateAuthority and adding of new class CertificateAuthorityDefinition that extends SimpleResourceDefinition. Since AcmeAccountService class (service responsible for a single AcmeAccount instance) uses CertificateAuthority enum, it will be changed to use certificate authority class instead.
Test Plan
Tests will be added to Wildfly Core testsuite under Elytron directory. Tests will cover:
-
operation
write-attributethat will change certificate authority incertificate-authority-account -
adding of
certificate-authorityresource -
adding of
certificate-authorityresource with bothurlandstaging-urlnot specified - will fail -
that operation will fail when trying to use
staging-urlwhen none specified -
that
certificate-authority-accountoperationcreate-accountwon’t fail whenstaging-urlis specified and staging=true -
that exception will be thrown when adding
certificate-authoritywith "LetsEncrypt" name
Community Documentation
certificate-authority resource will be documented in the WildFly documentation under Using the Elytron subsystem.
There is already an example about how to Configure a Let’s Encrypt account.
In this example, a note will be added that LetsEncrypt is the default and therefore can be omitted or be replaced with other certificate authority.
Example of adding certificate-authority resource and passing its name to certificate-authority-account will be showed along with the note.