Deprecating or Transferring Mojo::ACME

By Joel Berger on under ,

While Mojo::ACME was a fun experiment, it has several shortcomings at this point and I’ve officially stopped using it. If someone is interested in maintaining it, and if I’m sufficiently convinced of your credibility since this is a security module after all, I can hand it over. Otherwise I will be marking it as deprecated soon.

Some background

Mojo::ACME was mostly an experiment for me in learning the ACME (v1) protocol. It was a port of the acme-tiny script to mojo with one significant difference. When used as a plugin in your application it actually could listen for a local connection over websocket from the certificate issuance command to prepare for the authentication challenges. This allowed for zero-downtime intervention-free certificate issuance for your application. It was pretty neat and I’m still proud that it worked. Meanwhile the letsencrypt client, later to be renamed certbot, was in a very painful infancy.

So what changed

Well, to put it mildly it was always a little buggy and under tested. That isn’t as bad for this use-case since it would either issue you a certificate or it wouldn’t, but it was always mildly annoying. Over time it has seemed like some of these issues have gotten worse, requests fail and then pass with no changes, etc etc. Finally the ACME v1 protocol was superseded by the v2 protocol which Mojo::ACME does not speak. I don’t have time nor the inclination to learn the new protocol nor to fix the implementation design … quirks.

Also I rarely serve only one application anymore, I have my applications behind nginx as a reverse proxy. Not all of them are even perl, which means I couldn’t use my plugin directly with them even if I’d wanted to do so. To handle this, I was using the example application in the Mojo::ACME dist as a dummy app that I only spun up when I wanted to issue certs. This was now essentially the manual intervention step that I had been trying to avoid before! I couldn’t setup a simple cron to issue the cert periodically.

In the meantime, the upstream sponsored client, certbot, has gotten much better. It is more easily installed, better documented, and (when configured correctly) less intrusive than before too.

As such, after figuring out how to port in my account credentials (which was a bit of a task, ask me if you need help), I have finally ported my home server over to certbot.

The Upshot

Since I’m no longer using it, and since it has the aforementioned flaws, I don’t feel comfortable providing Mojo::ACME as-is. I will either accept a new maintainer (as I said before, with some vetting) or I will be marking it deprecated in the near future. Note that there are several other modules on CPAN that speak ACME v2 as well.

On a positive note, I will also be publishing an article, probably on https://mojolicious.io and/or some other broader venue, on how I configure certbot + nginx, so if that sounds interesting, keep your eyes out for it.

Addendum

This topic came to a head for me because recently I had unknown issues failing validation and not wanting to bother anymore I made the switch to certbot. After posting this article today, I received an automated email from letsencrypt which contained some additional information. Seems their system noticed my failed attempts and it linked me to https://community.letsencrypt.org/t/acme-v1-v2-validating-challenges-from-multiple-network-vantage-points/112253 wherein it mentions that your challenge must survive multiple attempts from their servers, which Mojo::ACME does not do. So there’s yet another flaw that would need to be fixed in order to continue providing it.

Leave a comment

About Joel Berger

user-pic As I delve into the deeper Perl magic I like to share what I can.

More info »