Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
donnachangstein 2 months ago

OpenBSD has a dead-simple lightweight ACME client (written in C) as part of the base OS. No need to roll your own. I understand it was created because existing alternatives ARE bloatware and against their Unixy philosophy.

Perhaps the author wasn't looking hard enough. It could probably be ported with little effort.

tialaramex 2 months ago | parent | next [-]

When I last checked this client is a classic example of OpenBSD philosophy not understanding why security is the way it is.

This client really wants the easy case where the client lives on the machine which owns the name and is running the web server, and then it uses OpenBSD-specific partitioning so that elements of the client can't easily taint one another if they're defective

But, the ACME protocol would allow actual air gapping - the protocol doesn't care whether the machine which needs a certificate, the machine running an ACME client, and the machine controlling the name are three separate machines, that's fine, which means if we do not use this OpenBSD all-in-one client we can have a web server which literally doesn't do ACME at all, an ACME client machine which has no permission to serve web pages or anything like that, and name servers which also know nothing about ACME and yet the whole system works.

That's more effort than "I just install OpenBSD" but it's how this was designed to deliver security rather than putting all our trust in OpenBSD to be bug-free.

donnachangstein 2 months ago | parent [-]

I said it was dead-simple and you delivered a treatise describing the most complex use case possible. Then maybe it's not for you.

Most software in the OpenBSD base system lacks features on purpose. Their dev team frequently rejects patches and feature requests without compelling reasons to exist. Less features means less places for things to go wrong means less chance of security bugs.

It exists so their simple webserver (also in the base system) has ACME support working out of the box. No third party software to install, no bullshit to configure, everything just works as part of a super compact OS. Which to this day still fits on a single CD-ROM.

Most of all no stupid Rust compiler needed so it works on i386 (Rust cannot self-host on i386 because it's so bloated it runs out of memory, which is why Rust tools are not included in i386).

If your needs exceed this or you adore complexity then feel free to look elsewhere.

zh3 2 months ago | parent | prev | next [-]

Or uacme [0] - litle bit of C that's been running perfectly since endless battery failures with the LE python client made us look for something that would last longer.

[0] https://github.com/ndilieto/uacme

seanw444 2 months ago | parent | prev | next [-]

Yeah, was looking for someone to comment this. I use it. Works great.

rollcat 2 months ago | parent | prev [-]

Came here to mention this.

Man page: https://man.openbsd.org/man1/acme-client.1

Source: https://github.com/openbsd/src/tree/master/usr.sbin/acme-cli...