)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":11290,"name":"Gaudenz Steinlin","email":"gaudenz.steinlin@cloudscale.ch","username":"gaudenz"},"change_message_id":"ed875cdaf6dfff463f6fca2ded52cf4ffda4bb7a","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":3,"id":"dc76a4bd_8be72db8","updated":"2023-03-28 19:38:51.000000000","message":"I stumbled upon this spec and have some comments from a user and operator perspective. Thanks for working on this. Looking forward to use LE certificates with Octavia!","commit_id":"3050d3cdb7082ffbb9ec6cbd1e9d19b706c4c2ec"},{"author":{"_account_id":35848,"name":"Julian DA CUNHA","display_name":"Julian","email":"julian.da-cunha@corp.ovh.com","username":"jdacunha"},"change_message_id":"f36e26c020649fecf61b7e07959eea7fb57e124b","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"388e9697_681e1d51","in_reply_to":"dc76a4bd_8be72db8","updated":"2023-03-29 11:33:42.000000000","message":"Ack","commit_id":"3050d3cdb7082ffbb9ec6cbd1e9d19b706c4c2ec"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"23c91d4ef470a161ade95b8e99086c142c49e964","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":8,"id":"f847463e_0eba3ab3","updated":"2023-04-21 23:04:35.000000000","message":"I have added a few more comments to the updated version of this spec. Good progress!","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":34429,"name":"Tom Weininger","email":"dienste@weinimo.de","username":"tweining"},"change_message_id":"534e21f9d813ca025c6be697713afb3bdaf871d9","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":16,"id":"027e837b_b3ed9aff","updated":"2023-11-20 13:20:56.000000000","message":"-1 in order to increase the visibility of my previous comments. 
Apart from that it LGTM.","commit_id":"80c2f862252641355fd5e91548817a37fc2fc444"},{"author":{"_account_id":20498,"name":"Spyros Trigazis","email":"spyridon.trigazis@cern.ch","username":"strigazi"},"change_message_id":"7e9bfb11acf337fcbada2ab83eae375a5ed0dfe7","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":16,"id":"83d336ee_fe05d5e8","updated":"2023-11-17 12:19:10.000000000","message":"The proposed design looks very good. Happy to help with testing!","commit_id":"80c2f862252641355fd5e91548817a37fc2fc444"}],"specs/version1.1/acmev2.rst":[{"author":{"_account_id":34429,"name":"Tom Weininger","email":"dienste@weinimo.de","username":"tweining"},"change_message_id":"526360f7a47ad57a210f451fc054d037d1876ba9","unresolved":true,"context_lines":[{"line_number":50,"context_line":"  \"new-nonce\", \"new-account\", \"new-order\", and \"revoke-cert\" endpoints"},{"line_number":51,"context_line":"- 40 reqs per sec for \"/directory/\" and \"/acme\" directory and subdirs"},{"line_number":52,"context_line":"- 10 accounts creation per 3 hours per IP address"},{"line_number":53,"context_line":"- 500 accounts per IP address within IPv6 /48 per 3 hours:"},{"line_number":54,"context_line":"  `too many registrations for this IP` [OR]"},{"line_number":55,"context_line":"  `too many registrations for this IP range`"},{"line_number":56,"context_line":""}],"source_content_type":"text/x-rst","patch_set":16,"id":"bb1332d5_a5296e83","line":53,"range":{"start_line":53,"start_character":19,"end_line":53,"end_character":29},"updated":"2023-10-24 12:03:24.000000000","message":"\"IP range\". Also, I guess you wanted to combine this with the previous bullet point. 
In that case it should not have its own bullet point.","commit_id":"80c2f862252641355fd5e91548817a37fc2fc444"},{"author":{"_account_id":34429,"name":"Tom Weininger","email":"dienste@weinimo.de","username":"tweining"},"change_message_id":"526360f7a47ad57a210f451fc054d037d1876ba9","unresolved":true,"context_lines":[{"line_number":354,"context_line":"    - String"},{"line_number":355,"context_line":"    - /"},{"line_number":356,"context_line":"    - True"},{"line_number":357,"context_line":"    - List of Server Alternative Name (eg: test.eu,test.com.test.us)"},{"line_number":358,"context_line":"  * - challenge_type"},{"line_number":359,"context_line":"    - String"},{"line_number":360,"context_line":"    - HTTP-01"}],"source_content_type":"text/x-rst","patch_set":16,"id":"a3d4845f_18f474e7","line":357,"range":{"start_line":357,"start_character":59,"end_line":357,"end_character":60},"updated":"2023-10-24 12:03:24.000000000","message":",?","commit_id":"80c2f862252641355fd5e91548817a37fc2fc444"}],"specs/version1.1/letsencrypt.rst":[{"author":{"_account_id":11290,"name":"Gaudenz Steinlin","email":"gaudenz.steinlin@cloudscale.ch","username":"gaudenz"},"change_message_id":"ed875cdaf6dfff463f6fca2ded52cf4ffda4bb7a","unresolved":true,"context_lines":[{"line_number":22,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":23,"context_line":"Octavia users will be able to manage Let\u0027s encrypt HTTPS certificates."},{"line_number":24,"context_line":""},{"line_number":25,"context_line":"- 2 new API endpoints (/octavia/lets_encrypt)"},{"line_number":26,"context_line":"    - ``/accounts``: Manage ACME accounts (create/update/delete)"},{"line_number":27,"context_line":"    - ``/certs``: Manage Let\u0027s encrypt certificates (issue/renew/revoke)"},{"line_number":28,"context_line":"- Add new Octavia Worker type for Let\u0027s Encrypt 
tasks"}],"source_content_type":"text/x-rst","patch_set":3,"id":"8d94a20b_b07b2af0","line":25,"updated":"2023-03-28 19:38:51.000000000","message":"I suggest to not include the product name (let\u0027s encrypt) into the API and to use the name of the certificate management protocol (ACME).\n\nIt would be nice to also support other ACME implementations besides Let\u0027s Encrypt. Either operator configurable or even chosen by the user when creating the ACME account.","commit_id":"3050d3cdb7082ffbb9ec6cbd1e9d19b706c4c2ec"},{"author":{"_account_id":35848,"name":"Julian DA CUNHA","display_name":"Julian","email":"julian.da-cunha@corp.ovh.com","username":"jdacunha"},"change_message_id":"bcb17dda88960246b187c2c83188ab5eed772d00","unresolved":false,"context_lines":[{"line_number":22,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":23,"context_line":"Octavia users will be able to manage Let\u0027s encrypt HTTPS certificates."},{"line_number":24,"context_line":""},{"line_number":25,"context_line":"- 2 new API endpoints (/octavia/lets_encrypt)"},{"line_number":26,"context_line":"    - ``/accounts``: Manage ACME accounts (create/update/delete)"},{"line_number":27,"context_line":"    - ``/certs``: Manage Let\u0027s encrypt certificates (issue/renew/revoke)"},{"line_number":28,"context_line":"- Add new Octavia Worker type for Let\u0027s Encrypt tasks"}],"source_content_type":"text/x-rst","patch_set":3,"id":"89e61ac3_4d7c75d9","line":25,"in_reply_to":"8d94a20b_b07b2af0","updated":"2023-03-29 11:33:22.000000000","message":"Ack","commit_id":"3050d3cdb7082ffbb9ec6cbd1e9d19b706c4c2ec"},{"author":{"_account_id":11290,"name":"Gaudenz Steinlin","email":"gaudenz.steinlin@cloudscale.ch","username":"gaudenz"},"change_message_id":"ed875cdaf6dfff463f6fca2ded52cf4ffda4bb7a","unresolved":true,"context_lines":[{"line_number":115,"context_line":""},{"line_number":116,"context_line":"Data model 
impact"},{"line_number":117,"context_line":"-----------------"},{"line_number":118,"context_line":"1. Create 2 new tables: **le_accounts**, **le_certs**."},{"line_number":119,"context_line":""},{"line_number":120,"context_line":"le_accounts"},{"line_number":121,"context_line":"^^^^^^^^^^^"}],"source_content_type":"text/x-rst","patch_set":3,"id":"58ea0b6b_8b0eb5c0","line":118,"updated":"2023-03-28 19:38:51.000000000","message":"Like above I propose to rename these to acme_accounts and acme_certs.","commit_id":"3050d3cdb7082ffbb9ec6cbd1e9d19b706c4c2ec"},{"author":{"_account_id":35848,"name":"Julian DA CUNHA","display_name":"Julian","email":"julian.da-cunha@corp.ovh.com","username":"jdacunha"},"change_message_id":"bcb17dda88960246b187c2c83188ab5eed772d00","unresolved":false,"context_lines":[{"line_number":115,"context_line":""},{"line_number":116,"context_line":"Data model impact"},{"line_number":117,"context_line":"-----------------"},{"line_number":118,"context_line":"1. Create 2 new tables: **le_accounts**, **le_certs**."},{"line_number":119,"context_line":""},{"line_number":120,"context_line":"le_accounts"},{"line_number":121,"context_line":"^^^^^^^^^^^"}],"source_content_type":"text/x-rst","patch_set":3,"id":"8649ecd5_8f2ad80b","line":118,"in_reply_to":"58ea0b6b_8b0eb5c0","updated":"2023-03-29 11:33:22.000000000","message":"Done","commit_id":"3050d3cdb7082ffbb9ec6cbd1e9d19b706c4c2ec"},{"author":{"_account_id":11290,"name":"Gaudenz Steinlin","email":"gaudenz.steinlin@cloudscale.ch","username":"gaudenz"},"change_message_id":"ed875cdaf6dfff463f6fca2ded52cf4ffda4bb7a","unresolved":true,"context_lines":[{"line_number":759,"context_line":"- OpenSSL"},{"line_number":760,"context_line":"    https://www.pyopenssl.org/en/latest/install.html#supported-openssl-versions"},{"line_number":761,"context_line":"- Open TCP Port 80"},{"line_number":762,"context_line":"- Root privileges to start a web server listening on TCP 80 (HTTP-01 
challenge)"},{"line_number":763,"context_line":""},{"line_number":764,"context_line":"Python"},{"line_number":765,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"f5a78998_a3b7f308","line":762,"updated":"2023-03-28 19:38:51.000000000","message":"As shown above in the diagram this needs to run on the amphora and either integrated into haproxy or configured in haproxy to forward to a daemon either also running on the amphora or on the Octavia worker.","commit_id":"3050d3cdb7082ffbb9ec6cbd1e9d19b706c4c2ec"},{"author":{"_account_id":35848,"name":"Julian DA CUNHA","display_name":"Julian","email":"julian.da-cunha@corp.ovh.com","username":"jdacunha"},"change_message_id":"bcb17dda88960246b187c2c83188ab5eed772d00","unresolved":false,"context_lines":[{"line_number":759,"context_line":"- OpenSSL"},{"line_number":760,"context_line":"    https://www.pyopenssl.org/en/latest/install.html#supported-openssl-versions"},{"line_number":761,"context_line":"- Open TCP Port 80"},{"line_number":762,"context_line":"- Root privileges to start a web server listening on TCP 80 (HTTP-01 challenge)"},{"line_number":763,"context_line":""},{"line_number":764,"context_line":"Python"},{"line_number":765,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"465bb2fd_813c23cf","line":762,"in_reply_to":"f5a78998_a3b7f308","updated":"2023-03-29 11:33:22.000000000","message":"Ack","commit_id":"3050d3cdb7082ffbb9ec6cbd1e9d19b706c4c2ec"},{"author":{"_account_id":29244,"name":"Gregory Thiemonge","email":"gthiemon@redhat.com","username":"gthiemonge"},"change_message_id":"9269eb37720eed6a9118c3c064a7f66480fd9d22","unresolved":true,"context_lines":[{"line_number":60,"context_line":"How \u0027http-01\u0027 Let\u0027s Encrypt ACMEv2 challenge works ?"},{"line_number":61,"context_line":""},{"line_number":62,"context_line":"- ACMEv2 Account"},{"line_number":63,"context_line":"  1. 
Create or Import ACMEv2 account private key (RSA JWK)"},{"line_number":64,"context_line":"  2. Register account and accept TOS or use existing registration"},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"- ACMEv2 Certificate"}],"source_content_type":"text/x-rst","patch_set":5,"id":"b7515127_68121c6f","line":63,"updated":"2023-04-14 09:09:33.000000000","message":"nit: this is not rendered correctly, you can verify the output in the CI job: https://b649c19a68edc56feea8-49130948639ed40b079dd8450de896f5.ssl.cf2.rackcdn.com/877281/5/check/openstack-tox-docs/c4d4a52/docs/contributor/specs/version1.1/letsencrypt.html","commit_id":"ed14f10c42b892744f42f1001badfdc105ff0217"},{"author":{"_account_id":35848,"name":"Julian DA CUNHA","display_name":"Julian","email":"julian.da-cunha@corp.ovh.com","username":"jdacunha"},"change_message_id":"d9eccba0cb75ef3cf274c2f63f1dbf386841322e","unresolved":false,"context_lines":[{"line_number":60,"context_line":"How \u0027http-01\u0027 Let\u0027s Encrypt ACMEv2 challenge works ?"},{"line_number":61,"context_line":""},{"line_number":62,"context_line":"- ACMEv2 Account"},{"line_number":63,"context_line":"  1. Create or Import ACMEv2 account private key (RSA JWK)"},{"line_number":64,"context_line":"  2. 
Register account and accept TOS or use existing registration"},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"- ACMEv2 Certificate"}],"source_content_type":"text/x-rst","patch_set":5,"id":"2f3d76ac_19d52555","line":63,"in_reply_to":"90ae798a_9b6cc83d","updated":"2023-04-14 10:41:58.000000000","message":"Done","commit_id":"ed14f10c42b892744f42f1001badfdc105ff0217"},{"author":{"_account_id":35848,"name":"Julian DA CUNHA","display_name":"Julian","email":"julian.da-cunha@corp.ovh.com","username":"jdacunha"},"change_message_id":"b53235a946d752585f6ddf5fc9c76afb7954ba84","unresolved":true,"context_lines":[{"line_number":60,"context_line":"How \u0027http-01\u0027 Let\u0027s Encrypt ACMEv2 challenge works ?"},{"line_number":61,"context_line":""},{"line_number":62,"context_line":"- ACMEv2 Account"},{"line_number":63,"context_line":"  1. Create or Import ACMEv2 account private key (RSA JWK)"},{"line_number":64,"context_line":"  2. Register account and accept TOS or use existing registration"},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"- ACMEv2 Certificate"}],"source_content_type":"text/x-rst","patch_set":5,"id":"90ae798a_9b6cc83d","line":63,"in_reply_to":"b7515127_68121c6f","updated":"2023-04-14 09:37:20.000000000","message":"ACK, i\u0027ll fix it.","commit_id":"ed14f10c42b892744f42f1001badfdc105ff0217"},{"author":{"_account_id":29244,"name":"Gregory Thiemonge","email":"gthiemon@redhat.com","username":"gthiemonge"},"change_message_id":"9269eb37720eed6a9118c3c064a7f66480fd9d22","unresolved":true,"context_lines":[{"line_number":64,"context_line":"  2. Register account and accept TOS or use existing registration"},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"- ACMEv2 Certificate"},{"line_number":67,"context_line":"  1. Create domain private key and CSR"},{"line_number":68,"context_line":"  2. Select HTTP-01 within offered challenges by the CA server"},{"line_number":69,"context_line":"  3. 
Set up http challenge resource and standalone web server"},{"line_number":70,"context_line":"  4. Issue/Renew certificate"}],"source_content_type":"text/x-rst","patch_set":5,"id":"1674d58c_c992943c","line":67,"range":{"start_line":67,"start_character":5,"end_line":67,"end_character":38},"updated":"2023-04-14 09:09:33.000000000","message":"question: is it a feature provided by let\u0027s encrypt? or does the user create the key and the csr on a workstation/server?","commit_id":"ed14f10c42b892744f42f1001badfdc105ff0217"},{"author":{"_account_id":35848,"name":"Julian DA CUNHA","display_name":"Julian","email":"julian.da-cunha@corp.ovh.com","username":"jdacunha"},"change_message_id":"b53235a946d752585f6ddf5fc9c76afb7954ba84","unresolved":true,"context_lines":[{"line_number":64,"context_line":"  2. Register account and accept TOS or use existing registration"},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"- ACMEv2 Certificate"},{"line_number":67,"context_line":"  1. Create domain private key and CSR"},{"line_number":68,"context_line":"  2. Select HTTP-01 within offered challenges by the CA server"},{"line_number":69,"context_line":"  3. Set up http challenge resource and standalone web server"},{"line_number":70,"context_line":"  4. 
Issue/Renew certificate"}],"source_content_type":"text/x-rst","patch_set":5,"id":"a45faf2f_bee486b6","line":67,"range":{"start_line":67,"start_character":5,"end_line":67,"end_character":38},"in_reply_to":"1674d58c_c992943c","updated":"2023-04-14 09:37:20.000000000","message":"It\u0027s not a feature provided by let\u0027s encrypt, this is the normal workflow to get a new certs from an ACMEv2 provider.\n\nsee: https://github.com/certbot/certbot/blob/383a42851c2b2647364a1c2312003082557e16f0/acme/examples/http01_example.py","commit_id":"ed14f10c42b892744f42f1001badfdc105ff0217"},{"author":{"_account_id":35848,"name":"Julian DA CUNHA","display_name":"Julian","email":"julian.da-cunha@corp.ovh.com","username":"jdacunha"},"change_message_id":"d9eccba0cb75ef3cf274c2f63f1dbf386841322e","unresolved":false,"context_lines":[{"line_number":64,"context_line":"  2. Register account and accept TOS or use existing registration"},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"- ACMEv2 Certificate"},{"line_number":67,"context_line":"  1. Create domain private key and CSR"},{"line_number":68,"context_line":"  2. Select HTTP-01 within offered challenges by the CA server"},{"line_number":69,"context_line":"  3. Set up http challenge resource and standalone web server"},{"line_number":70,"context_line":"  4. Issue/Renew certificate"}],"source_content_type":"text/x-rst","patch_set":5,"id":"0ac4f529_1e023596","line":67,"range":{"start_line":67,"start_character":5,"end_line":67,"end_character":38},"in_reply_to":"a45faf2f_bee486b6","updated":"2023-04-14 10:41:58.000000000","message":"Done","commit_id":"ed14f10c42b892744f42f1001badfdc105ff0217"},{"author":{"_account_id":29244,"name":"Gregory Thiemonge","email":"gthiemon@redhat.com","username":"gthiemonge"},"change_message_id":"9269eb37720eed6a9118c3c064a7f66480fd9d22","unresolved":true,"context_lines":[{"line_number":90,"context_line":"5. 
Octavia Worker select the challenge from ACMEv2 CA"},{"line_number":91,"context_line":"6. Octavia Worker generate response and validation"},{"line_number":92,"context_line":"7. Octavia Worker push validation token to User\u0027s Amphorae"},{"line_number":93,"context_line":"8. Octavia Worker make HTTP Get request to Amphorae"},{"line_number":94,"context_line":"   /.well-known/acme-challenge/` route, to check if it works"},{"line_number":95,"context_line":"9. Octavia Worker tell ACMEv2 CA: \"we are ready to make challenge\""},{"line_number":96,"context_line":"10. ACMEv2 CA check http://IPv4_VIP/.well-known/acme-challenge/\u003cTOKEN\u003e"},{"line_number":97,"context_line":"11. Meanwhile Octavia Worker wait/poll for challenge status and get issued cert"}],"source_content_type":"text/x-rst","patch_set":5,"id":"479d83c9_010436f9","line":94,"range":{"start_line":93,"start_character":18,"end_line":94,"end_character":38},"updated":"2023-04-14 09:09:33.000000000","message":"I think it may be a bit tricky, the octavia-worker doesn\u0027t require to have a route to the external network (then to the vip). Controller may be isolated.","commit_id":"ed14f10c42b892744f42f1001badfdc105ff0217"},{"author":{"_account_id":29244,"name":"Gregory Thiemonge","email":"gthiemon@redhat.com","username":"gthiemonge"},"change_message_id":"95175f1a3b8bbc8aa9b23de97a88a47c38503fee","unresolved":true,"context_lines":[{"line_number":90,"context_line":"5. Octavia Worker select the challenge from ACMEv2 CA"},{"line_number":91,"context_line":"6. Octavia Worker generate response and validation"},{"line_number":92,"context_line":"7. Octavia Worker push validation token to User\u0027s Amphorae"},{"line_number":93,"context_line":"8. Octavia Worker make HTTP Get request to Amphorae"},{"line_number":94,"context_line":"   /.well-known/acme-challenge/` route, to check if it works"},{"line_number":95,"context_line":"9. 
Octavia Worker tell ACMEv2 CA: \"we are ready to make challenge\""},{"line_number":96,"context_line":"10. ACMEv2 CA check http://IPv4_VIP/.well-known/acme-challenge/\u003cTOKEN\u003e"},{"line_number":97,"context_line":"11. Meanwhile Octavia Worker wait/poll for challenge status and get issued cert"}],"source_content_type":"text/x-rst","patch_set":5,"id":"93424b66_0182b0f4","line":94,"range":{"start_line":93,"start_character":18,"end_line":94,"end_character":38},"in_reply_to":"238a8de1_7f43edac","updated":"2023-04-14 09:55:49.000000000","message":"no suggestion ATM, but maybe we need to explicitly write it in the doc.\n\nstep 2. (worker queries the provider\u0027s DNS) would also require external connectivity","commit_id":"ed14f10c42b892744f42f1001badfdc105ff0217"},{"author":{"_account_id":35848,"name":"Julian DA CUNHA","display_name":"Julian","email":"julian.da-cunha@corp.ovh.com","username":"jdacunha"},"change_message_id":"b53235a946d752585f6ddf5fc9c76afb7954ba84","unresolved":true,"context_lines":[{"line_number":90,"context_line":"5. Octavia Worker select the challenge from ACMEv2 CA"},{"line_number":91,"context_line":"6. Octavia Worker generate response and validation"},{"line_number":92,"context_line":"7. Octavia Worker push validation token to User\u0027s Amphorae"},{"line_number":93,"context_line":"8. Octavia Worker make HTTP Get request to Amphorae"},{"line_number":94,"context_line":"   /.well-known/acme-challenge/` route, to check if it works"},{"line_number":95,"context_line":"9. Octavia Worker tell ACMEv2 CA: \"we are ready to make challenge\""},{"line_number":96,"context_line":"10. ACMEv2 CA check http://IPv4_VIP/.well-known/acme-challenge/\u003cTOKEN\u003e"},{"line_number":97,"context_line":"11. 
Meanwhile Octavia Worker wait/poll for challenge status and get issued cert"}],"source_content_type":"text/x-rst","patch_set":5,"id":"238a8de1_7f43edac","line":94,"range":{"start_line":93,"start_character":18,"end_line":94,"end_character":38},"in_reply_to":"479d83c9_010436f9","updated":"2023-04-14 09:37:20.000000000","message":"I would like to ensure the amphora will be able to serve the token to the ACMEv2 CA, before issuing cert and start the challenge.\n\nDo you have any suggestion to make that check ?","commit_id":"ed14f10c42b892744f42f1001badfdc105ff0217"},{"author":{"_account_id":35848,"name":"Julian DA CUNHA","display_name":"Julian","email":"julian.da-cunha@corp.ovh.com","username":"jdacunha"},"change_message_id":"d9eccba0cb75ef3cf274c2f63f1dbf386841322e","unresolved":false,"context_lines":[{"line_number":90,"context_line":"5. Octavia Worker select the challenge from ACMEv2 CA"},{"line_number":91,"context_line":"6. Octavia Worker generate response and validation"},{"line_number":92,"context_line":"7. Octavia Worker push validation token to User\u0027s Amphorae"},{"line_number":93,"context_line":"8. Octavia Worker make HTTP Get request to Amphorae"},{"line_number":94,"context_line":"   /.well-known/acme-challenge/` route, to check if it works"},{"line_number":95,"context_line":"9. Octavia Worker tell ACMEv2 CA: \"we are ready to make challenge\""},{"line_number":96,"context_line":"10. ACMEv2 CA check http://IPv4_VIP/.well-known/acme-challenge/\u003cTOKEN\u003e"},{"line_number":97,"context_line":"11. 
Meanwhile Octavia Worker wait/poll for challenge status and get issued cert"}],"source_content_type":"text/x-rst","patch_set":5,"id":"c43aae17_0750a5a5","line":94,"range":{"start_line":93,"start_character":18,"end_line":94,"end_character":38},"in_reply_to":"93424b66_0182b0f4","updated":"2023-04-14 10:41:58.000000000","message":"Done","commit_id":"ed14f10c42b892744f42f1001badfdc105ff0217"},{"author":{"_account_id":29244,"name":"Gregory Thiemonge","email":"gthiemon@redhat.com","username":"gthiemonge"},"change_message_id":"9269eb37720eed6a9118c3c064a7f66480fd9d22","unresolved":true,"context_lines":[{"line_number":97,"context_line":"11. Meanwhile Octavia Worker wait/poll for challenge status and get issued cert"},{"line_number":98,"context_line":"12. Octavia Worker store `fullchain.pem` to Barbican"},{"line_number":99,"context_line":"    (using Octavia Barbican private account)"},{"line_number":100,"context_line":"13. Octavia Worker update Octavia Database"},{"line_number":101,"context_line":""},{"line_number":102,"context_line":"Renew"},{"line_number":103,"context_line":"^^^^^"}],"source_content_type":"text/x-rst","patch_set":5,"id":"4c38699c_c09ff581","line":100,"range":{"start_line":100,"start_character":19,"end_line":100,"end_character":42},"updated":"2023-04-14 09:09:33.000000000","message":"what is updated here? the certs ref in the listener object?","commit_id":"ed14f10c42b892744f42f1001badfdc105ff0217"},{"author":{"_account_id":35848,"name":"Julian DA CUNHA","display_name":"Julian","email":"julian.da-cunha@corp.ovh.com","username":"jdacunha"},"change_message_id":"b53235a946d752585f6ddf5fc9c76afb7954ba84","unresolved":true,"context_lines":[{"line_number":97,"context_line":"11. Meanwhile Octavia Worker wait/poll for challenge status and get issued cert"},{"line_number":98,"context_line":"12. Octavia Worker store `fullchain.pem` to Barbican"},{"line_number":99,"context_line":"    (using Octavia Barbican private account)"},{"line_number":100,"context_line":"13. 
Octavia Worker update Octavia Database"},{"line_number":101,"context_line":""},{"line_number":102,"context_line":"Renew"},{"line_number":103,"context_line":"^^^^^"}],"source_content_type":"text/x-rst","patch_set":5,"id":"99ebee29_bd8ae0c5","line":100,"range":{"start_line":100,"start_character":19,"end_line":100,"end_character":42},"in_reply_to":"4c38699c_c09ff581","updated":"2023-04-14 09:37:20.000000000","message":"It updates the Cert info (in acme_certs table) like:\n\n- fullchain_path (path to the uploaded issued ACMEv2 fullchain cert, in Barbican)\n- status (valid/failed)\n- expire_at\n- created_at\n- load_balancer_id\n\nAnd also the listener objects to serve the new fullchain.","commit_id":"ed14f10c42b892744f42f1001badfdc105ff0217"},{"author":{"_account_id":35848,"name":"Julian DA CUNHA","display_name":"Julian","email":"julian.da-cunha@corp.ovh.com","username":"jdacunha"},"change_message_id":"d9eccba0cb75ef3cf274c2f63f1dbf386841322e","unresolved":false,"context_lines":[{"line_number":97,"context_line":"11. Meanwhile Octavia Worker wait/poll for challenge status and get issued cert"},{"line_number":98,"context_line":"12. Octavia Worker store `fullchain.pem` to Barbican"},{"line_number":99,"context_line":"    (using Octavia Barbican private account)"},{"line_number":100,"context_line":"13. 
Octavia Worker update Octavia Database"},{"line_number":101,"context_line":""},{"line_number":102,"context_line":"Renew"},{"line_number":103,"context_line":"^^^^^"}],"source_content_type":"text/x-rst","patch_set":5,"id":"5e0ab53f_02fb637f","line":100,"range":{"start_line":100,"start_character":19,"end_line":100,"end_character":42},"in_reply_to":"99ebee29_bd8ae0c5","updated":"2023-04-14 10:41:58.000000000","message":"Done","commit_id":"ed14f10c42b892744f42f1001badfdc105ff0217"},{"author":{"_account_id":29244,"name":"Gregory Thiemonge","email":"gthiemon@redhat.com","username":"gthiemonge"},"change_message_id":"9269eb37720eed6a9118c3c064a7f66480fd9d22","unresolved":true,"context_lines":[{"line_number":101,"context_line":""},{"line_number":102,"context_line":"Renew"},{"line_number":103,"context_line":"^^^^^"},{"line_number":104,"context_line":"1. Octavia Worker periodic task checks for certs to renew"},{"line_number":105,"context_line":"2. Octavia Worker check if asked cert domain name resolve to the LB VIP,"},{"line_number":106,"context_line":"   query ACMEv2 provider\u0027s DNS (for let\u0027s encrypt, it\u0027s google\u0027s dns servers)"},{"line_number":107,"context_line":"3. Octavia Worker creates Certificate\u0027s Private Key and CSR"}],"source_content_type":"text/x-rst","patch_set":5,"id":"308ee826_284bc363","line":104,"range":{"start_line":104,"start_character":11,"end_line":104,"end_character":17},"updated":"2023-04-14 09:09:33.000000000","message":"could be \"Octavia Housekeeping\"?","commit_id":"ed14f10c42b892744f42f1001badfdc105ff0217"},{"author":{"_account_id":35848,"name":"Julian DA CUNHA","display_name":"Julian","email":"julian.da-cunha@corp.ovh.com","username":"jdacunha"},"change_message_id":"b53235a946d752585f6ddf5fc9c76afb7954ba84","unresolved":true,"context_lines":[{"line_number":101,"context_line":""},{"line_number":102,"context_line":"Renew"},{"line_number":103,"context_line":"^^^^^"},{"line_number":104,"context_line":"1. 
Octavia Worker periodic task checks for certs to renew"},{"line_number":105,"context_line":"2. Octavia Worker check if asked cert domain name resolve to the LB VIP,"},{"line_number":106,"context_line":"   query ACMEv2 provider\u0027s DNS (for let\u0027s encrypt, it\u0027s google\u0027s dns servers)"},{"line_number":107,"context_line":"3. Octavia Worker creates Certificate\u0027s Private Key and CSR"}],"source_content_type":"text/x-rst","patch_set":5,"id":"fcd5fb0e_0a081cb5","line":104,"range":{"start_line":104,"start_character":11,"end_line":104,"end_character":17},"in_reply_to":"308ee826_284bc363","updated":"2023-04-14 09:37:20.000000000","message":"I was thinking a new set of tasks gathered in a dedicated ACMEv2 flow, but we could use housekeeping, i don\u0027t have opinions on it, need your advices.","commit_id":"ed14f10c42b892744f42f1001badfdc105ff0217"},{"author":{"_account_id":35848,"name":"Julian DA CUNHA","display_name":"Julian","email":"julian.da-cunha@corp.ovh.com","username":"jdacunha"},"change_message_id":"d9eccba0cb75ef3cf274c2f63f1dbf386841322e","unresolved":false,"context_lines":[{"line_number":101,"context_line":""},{"line_number":102,"context_line":"Renew"},{"line_number":103,"context_line":"^^^^^"},{"line_number":104,"context_line":"1. Octavia Worker periodic task checks for certs to renew"},{"line_number":105,"context_line":"2. Octavia Worker check if asked cert domain name resolve to the LB VIP,"},{"line_number":106,"context_line":"   query ACMEv2 provider\u0027s DNS (for let\u0027s encrypt, it\u0027s google\u0027s dns servers)"},{"line_number":107,"context_line":"3. 
Octavia Worker creates Certificate\u0027s Private Key and CSR"}],"source_content_type":"text/x-rst","patch_set":5,"id":"165286db_96d238c3","line":104,"range":{"start_line":104,"start_character":11,"end_line":104,"end_character":17},"in_reply_to":"fcd5fb0e_0a081cb5","updated":"2023-04-14 10:41:58.000000000","message":"Ack","commit_id":"ed14f10c42b892744f42f1001badfdc105ff0217"},{"author":{"_account_id":29244,"name":"Gregory Thiemonge","email":"gthiemon@redhat.com","username":"gthiemonge"},"change_message_id":"9269eb37720eed6a9118c3c064a7f66480fd9d22","unresolved":true,"context_lines":[{"line_number":175,"context_line":"      - False"},{"line_number":176,"context_line":"      - ACMEv2 provider to use (eg: letsencrypt, zerossl, buypass..)"},{"line_number":177,"context_line":"    * - fullchain_path"},{"line_number":178,"context_line":"      - String(256)"},{"line_number":179,"context_line":"      - /"},{"line_number":180,"context_line":"      - True"},{"line_number":181,"context_line":"      - False"}],"source_content_type":"text/x-rst","patch_set":5,"id":"411fdd2e_a67eed13","line":178,"range":{"start_line":178,"start_character":8,"end_line":178,"end_character":14},"updated":"2023-04-14 09:09:33.000000000","message":"most of the non-free-form strings in Octavia are also included in the DB (for instance there\u0027s a protocol table, a provisioning_status table,etc..),\n\nhttps://opendev.org/openstack/octavia/src/branch/master/octavia/db/models.py#L323-L326","commit_id":"ed14f10c42b892744f42f1001badfdc105ff0217"},{"author":{"_account_id":35848,"name":"Julian DA CUNHA","display_name":"Julian","email":"julian.da-cunha@corp.ovh.com","username":"jdacunha"},"change_message_id":"b53235a946d752585f6ddf5fc9c76afb7954ba84","unresolved":true,"context_lines":[{"line_number":175,"context_line":"      - False"},{"line_number":176,"context_line":"      - ACMEv2 provider to use (eg: letsencrypt, zerossl, buypass..)"},{"line_number":177,"context_line":"    * - 
fullchain_path"},{"line_number":178,"context_line":"      - String(256)"},{"line_number":179,"context_line":"      - /"},{"line_number":180,"context_line":"      - True"},{"line_number":181,"context_line":"      - False"}],"source_content_type":"text/x-rst","patch_set":5,"id":"5d691ae2_8f340fd1","line":178,"range":{"start_line":178,"start_character":8,"end_line":178,"end_character":14},"in_reply_to":"411fdd2e_a67eed13","updated":"2023-04-14 09:37:20.000000000","message":"I don\u0027t really understand that point, could you give me more inputs to have a better view of what i have to split/do ?","commit_id":"ed14f10c42b892744f42f1001badfdc105ff0217"},{"author":{"_account_id":29244,"name":"Gregory Thiemonge","email":"gthiemon@redhat.com","username":"gthiemonge"},"change_message_id":"95175f1a3b8bbc8aa9b23de97a88a47c38503fee","unresolved":true,"context_lines":[{"line_number":175,"context_line":"      - False"},{"line_number":176,"context_line":"      - ACMEv2 provider to use (eg: letsencrypt, zerossl, buypass..)"},{"line_number":177,"context_line":"    * - fullchain_path"},{"line_number":178,"context_line":"      - String(256)"},{"line_number":179,"context_line":"      - /"},{"line_number":180,"context_line":"      - True"},{"line_number":181,"context_line":"      - False"}],"source_content_type":"text/x-rst","patch_set":5,"id":"7b26e567_08da5686","line":178,"range":{"start_line":178,"start_character":8,"end_line":178,"end_character":14},"in_reply_to":"5d691ae2_8f340fd1","updated":"2023-04-14 09:55:49.000000000","message":"Sorry I didn\u0027t point to the correct line, I was talking about the provider string (and it could also apply to the status string).\nWhen we have predefined strings in Octavia (for instance, TCP UDP HTTP for the protocols), we create a dedicated DB table with those strings.\nand we add a foreign key to the tables that use them.\nIn your case, we would create an acme_provider table, which contains \"letsencrypt\" with a description, and provider 
String(256) would have a FK on this table.\nIt means that when octavia inserts a new entry in the DB, the DB validates that the foreign key exists (don\u0027t need to test it in the python code)\n(I agree this is an implementation detail, maybe we don\u0027t need it in the spec)_","commit_id":"ed14f10c42b892744f42f1001badfdc105ff0217"},{"author":{"_account_id":35848,"name":"Julian DA CUNHA","display_name":"Julian","email":"julian.da-cunha@corp.ovh.com","username":"jdacunha"},"change_message_id":"d9eccba0cb75ef3cf274c2f63f1dbf386841322e","unresolved":false,"context_lines":[{"line_number":175,"context_line":"      - False"},{"line_number":176,"context_line":"      - ACMEv2 provider to use (eg: letsencrypt, zerossl, buypass..)"},{"line_number":177,"context_line":"    * - fullchain_path"},{"line_number":178,"context_line":"      - String(256)"},{"line_number":179,"context_line":"      - /"},{"line_number":180,"context_line":"      - True"},{"line_number":181,"context_line":"      - False"}],"source_content_type":"text/x-rst","patch_set":5,"id":"9c07d9e3_8b67ae02","line":178,"range":{"start_line":178,"start_character":8,"end_line":178,"end_character":14},"in_reply_to":"7b26e567_08da5686","updated":"2023-04-14 10:41:58.000000000","message":"Done","commit_id":"ed14f10c42b892744f42f1001badfdc105ff0217"},{"author":{"_account_id":29244,"name":"Gregory Thiemonge","email":"gthiemon@redhat.com","username":"gthiemonge"},"change_message_id":"9269eb37720eed6a9118c3c064a7f66480fd9d22","unresolved":true,"context_lines":[{"line_number":469,"context_line":"---------------------"},{"line_number":470,"context_line":"New set of commands in ``openstacksdk`` and ``python-octaviaclient``."},{"line_number":471,"context_line":""},{"line_number":472,"context_line":"Patch in octavialib ?"},{"line_number":473,"context_line":""},{"line_number":474,"context_line":"Performance 
Impact"},{"line_number":475,"context_line":"------------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"915a0779_51b93d89","line":472,"range":{"start_line":472,"start_character":0,"end_line":472,"end_character":21},"updated":"2023-04-14 09:09:33.000000000","message":"good question, including the data structures/interfaces in octavia-lib would make it implementable by other providers, and not specific to the amphora provider.\n\nin my opinion, new API endpoints should not be amphora-driver specific, so it should be available in octavia-lib too","commit_id":"ed14f10c42b892744f42f1001badfdc105ff0217"},{"author":{"_account_id":29244,"name":"Gregory Thiemonge","email":"gthiemon@redhat.com","username":"gthiemonge"},"change_message_id":"95175f1a3b8bbc8aa9b23de97a88a47c38503fee","unresolved":true,"context_lines":[{"line_number":469,"context_line":"---------------------"},{"line_number":470,"context_line":"New set of commands in ``openstacksdk`` and ``python-octaviaclient``."},{"line_number":471,"context_line":""},{"line_number":472,"context_line":"Patch in octavialib ?"},{"line_number":473,"context_line":""},{"line_number":474,"context_line":"Performance Impact"},{"line_number":475,"context_line":"------------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"df464655_cbd36221","line":472,"range":{"start_line":472,"start_character":0,"end_line":472,"end_character":21},"in_reply_to":"3a6b513d_ca6d2574","updated":"2023-04-14 09:55:49.000000000","message":"octavia-lib contains all the constants that are shared between octavia/octavia-tempest-plugin/3rd party providers:\nhttps://opendev.org/openstack/octavia-lib/src/branch/master/octavia_lib/common/constants.py\n\nit also defines common data object for the Octavia resources (for instance your 
acme_cert)\nhttps://opendev.org/openstack/octavia-lib/src/branch/master/octavia_lib/api/drivers/data_models.py#L206","commit_id":"ed14f10c42b892744f42f1001badfdc105ff0217"},{"author":{"_account_id":35848,"name":"Julian DA CUNHA","display_name":"Julian","email":"julian.da-cunha@corp.ovh.com","username":"jdacunha"},"change_message_id":"b53235a946d752585f6ddf5fc9c76afb7954ba84","unresolved":true,"context_lines":[{"line_number":469,"context_line":"---------------------"},{"line_number":470,"context_line":"New set of commands in ``openstacksdk`` and ``python-octaviaclient``."},{"line_number":471,"context_line":""},{"line_number":472,"context_line":"Patch in octavialib ?"},{"line_number":473,"context_line":""},{"line_number":474,"context_line":"Performance Impact"},{"line_number":475,"context_line":"------------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3a6b513d_ca6d2574","line":472,"range":{"start_line":472,"start_character":0,"end_line":472,"end_character":21},"in_reply_to":"915a0779_51b93d89","updated":"2023-04-14 09:37:20.000000000","message":"I don\u0027t really know this package, what kind of changes should i add ?","commit_id":"ed14f10c42b892744f42f1001badfdc105ff0217"},{"author":{"_account_id":35848,"name":"Julian DA CUNHA","display_name":"Julian","email":"julian.da-cunha@corp.ovh.com","username":"jdacunha"},"change_message_id":"d9eccba0cb75ef3cf274c2f63f1dbf386841322e","unresolved":false,"context_lines":[{"line_number":469,"context_line":"---------------------"},{"line_number":470,"context_line":"New set of commands in ``openstacksdk`` and ``python-octaviaclient``."},{"line_number":471,"context_line":""},{"line_number":472,"context_line":"Patch in octavialib ?"},{"line_number":473,"context_line":""},{"line_number":474,"context_line":"Performance 
Impact"},{"line_number":475,"context_line":"------------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"48b5d6ee_c2836d32","line":472,"range":{"start_line":472,"start_character":0,"end_line":472,"end_character":21},"in_reply_to":"df464655_cbd36221","updated":"2023-04-14 10:41:58.000000000","message":"Ack","commit_id":"ed14f10c42b892744f42f1001badfdc105ff0217"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"23c91d4ef470a161ade95b8e99086c142c49e964","unresolved":true,"context_lines":[{"line_number":21,"context_line":"Proposed change"},{"line_number":22,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":23,"context_line":"| Octavia users will be able to manage ACMEv2 HTTPS certificates."},{"line_number":24,"context_line":"| The implemented ACMEv2 provider will be Let\u0027s Encrypt and the"},{"line_number":25,"context_line":"| challenge will be \u0027HTTP-01\u0027."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"- 1 new API endpoint (/v2.0/lbaas)"}],"source_content_type":"text/x-rst","patch_set":8,"id":"f3019911_4bf94750","line":24,"updated":"2023-04-21 23:04:35.000000000","message":"I am wondering if we shouldn\u0027t abstract this a bit more and not make it specific to acmev2. Methods come and go (ARI might already be change here), I am wondering if we can\u0027t create an API that isn\u0027t tied to one renewal technology. 
For example, maybe someone will want to implement SCEP[1].\n\n[1] https://datatracker.ietf.org/doc/html/rfc8894","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":27442,"name":"Quentin GROLLEAU","email":"quentin.grolleau@corp.ovh.com","username":"QG"},"change_message_id":"6a8bb39ab37ecf2acbde76b5a40d8bc0055388d6","unresolved":false,"context_lines":[{"line_number":21,"context_line":"Proposed change"},{"line_number":22,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":23,"context_line":"| Octavia users will be able to manage ACMEv2 HTTPS certificates."},{"line_number":24,"context_line":"| The implemented ACMEv2 provider will be Let\u0027s Encrypt and the"},{"line_number":25,"context_line":"| challenge will be \u0027HTTP-01\u0027."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"- 1 new API endpoint (/v2.0/lbaas)"}],"source_content_type":"text/x-rst","patch_set":8,"id":"dbae6866_c082fa24","line":24,"in_reply_to":"5d91d282_17312433","updated":"2023-06-07 16:00:50.000000000","message":"Ack","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":27442,"name":"Quentin GROLLEAU","email":"quentin.grolleau@corp.ovh.com","username":"QG"},"change_message_id":"0f35ce4cb5f24f12fc7add61ec35c3efff3fc815","unresolved":true,"context_lines":[{"line_number":21,"context_line":"Proposed change"},{"line_number":22,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":23,"context_line":"| Octavia users will be able to manage ACMEv2 HTTPS certificates."},{"line_number":24,"context_line":"| The implemented ACMEv2 provider will be Let\u0027s Encrypt and the"},{"line_number":25,"context_line":"| challenge will be \u0027HTTP-01\u0027."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"- 1 new API endpoint 
(/v2.0/lbaas)"}],"source_content_type":"text/x-rst","patch_set":8,"id":"5d91d282_17312433","line":24,"in_reply_to":"cbb6681c_87b0d1ac","updated":"2023-06-07 15:43:20.000000000","message":"It would be a great idea, we\u0027ll add it.","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":35848,"name":"Julian DA CUNHA","display_name":"Julian","email":"julian.da-cunha@corp.ovh.com","username":"jdacunha"},"change_message_id":"41a498330cb2e972c80db04b23b2792158cd9100","unresolved":true,"context_lines":[{"line_number":21,"context_line":"Proposed change"},{"line_number":22,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":23,"context_line":"| Octavia users will be able to manage ACMEv2 HTTPS certificates."},{"line_number":24,"context_line":"| The implemented ACMEv2 provider will be Let\u0027s Encrypt and the"},{"line_number":25,"context_line":"| challenge will be \u0027HTTP-01\u0027."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"- 1 new API endpoint (/v2.0/lbaas)"}],"source_content_type":"text/x-rst","patch_set":8,"id":"cbb6681c_87b0d1ac","line":24,"in_reply_to":"f3019911_4bf94750","updated":"2023-04-25 11:41:23.000000000","message":"As the mechanism are a bit different, should we merge them ?","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"23c91d4ef470a161ade95b8e99086c142c49e964","unresolved":true,"context_lines":[{"line_number":25,"context_line":"| challenge will be \u0027HTTP-01\u0027."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"- 1 new API endpoint (/v2.0/lbaas)"},{"line_number":28,"context_line":"    - ``/acmev2/certs``: Manage ACMEv2 certificates (issue/renew/revoke)"},{"line_number":29,"context_line":"- Add new Octavia Worker type for ACMEv2 
tasks"},{"line_number":30,"context_line":"- Changes in existing apis to use/serve issued certificates"},{"line_number":31,"context_line":"- Changes in Octavia Policies (new roles/permissions/rules..)"}],"source_content_type":"text/x-rst","patch_set":8,"id":"06ea4a75_54d4d69b","line":28,"updated":"2023-04-21 23:04:35.000000000","message":"Should this maybe be under the listener level? This is the level at which we currently manage TLS certificates.\ni.e. /v2/lbaas/listeners/acme2/certs","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":27442,"name":"Quentin GROLLEAU","email":"quentin.grolleau@corp.ovh.com","username":"QG"},"change_message_id":"6a8bb39ab37ecf2acbde76b5a40d8bc0055388d6","unresolved":false,"context_lines":[{"line_number":25,"context_line":"| challenge will be \u0027HTTP-01\u0027."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"- 1 new API endpoint (/v2.0/lbaas)"},{"line_number":28,"context_line":"    - ``/acmev2/certs``: Manage ACMEv2 certificates (issue/renew/revoke)"},{"line_number":29,"context_line":"- Add new Octavia Worker type for ACMEv2 tasks"},{"line_number":30,"context_line":"- Changes in existing apis to use/serve issued certificates"},{"line_number":31,"context_line":"- Changes in Octavia Policies (new roles/permissions/rules..)"}],"source_content_type":"text/x-rst","patch_set":8,"id":"8f98db47_6d70b29d","line":28,"in_reply_to":"06ea4a75_54d4d69b","updated":"2023-06-07 16:00:50.000000000","message":"This can also be used for the pool no ?","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"23c91d4ef470a161ade95b8e99086c142c49e964","unresolved":true,"context_lines":[{"line_number":47,"context_line":"- 20 reqs per sec for"},{"line_number":48,"context_line":"  \"new-nonce\", \"new-account\", \"new-order\", and \"revoke-cert\" 
endpoints"},{"line_number":49,"context_line":"- 40 reqs per sec for \"/directory/\" and \"/acme\" directory and subdirs"},{"line_number":50,"context_line":"- 10 accounts creation per 3 hours"},{"line_number":51,"context_line":"- 500 accounts per ip within IPv6 /48 per 3 hours:"},{"line_number":52,"context_line":"  `too many registrations for this IP` [OR]"},{"line_number":53,"context_line":"  `too many registrations for this IP range`"}],"source_content_type":"text/x-rst","patch_set":8,"id":"571616b3_f0a22daa","line":50,"updated":"2023-04-21 23:04:35.000000000","message":"This is per IP address","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":35848,"name":"Julian DA CUNHA","display_name":"Julian","email":"julian.da-cunha@corp.ovh.com","username":"jdacunha"},"change_message_id":"41a498330cb2e972c80db04b23b2792158cd9100","unresolved":false,"context_lines":[{"line_number":47,"context_line":"- 20 reqs per sec for"},{"line_number":48,"context_line":"  \"new-nonce\", \"new-account\", \"new-order\", and \"revoke-cert\" endpoints"},{"line_number":49,"context_line":"- 40 reqs per sec for \"/directory/\" and \"/acme\" directory and subdirs"},{"line_number":50,"context_line":"- 10 accounts creation per 3 hours"},{"line_number":51,"context_line":"- 500 accounts per ip within IPv6 /48 per 3 hours:"},{"line_number":52,"context_line":"  `too many registrations for this IP` [OR]"},{"line_number":53,"context_line":"  `too many registrations for this IP range`"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3e156278_e1e59bab","line":50,"in_reply_to":"571616b3_f0a22daa","updated":"2023-04-25 11:41:23.000000000","message":"Ack","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"23c91d4ef470a161ade95b8e99086c142c49e964","unresolved":true,"context_lines":[{"line_number":48,"context_line":"  \"new-nonce\", 
\"new-account\", \"new-order\", and \"revoke-cert\" endpoints"},{"line_number":49,"context_line":"- 40 reqs per sec for \"/directory/\" and \"/acme\" directory and subdirs"},{"line_number":50,"context_line":"- 10 accounts creation per 3 hours"},{"line_number":51,"context_line":"- 500 accounts per ip within IPv6 /48 per 3 hours:"},{"line_number":52,"context_line":"  `too many registrations for this IP` [OR]"},{"line_number":53,"context_line":"  `too many registrations for this IP range`"},{"line_number":54,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"ed9629a7_7b50c6d4","line":51,"updated":"2023-04-21 23:04:35.000000000","message":"This is also per IP address","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":35848,"name":"Julian DA CUNHA","display_name":"Julian","email":"julian.da-cunha@corp.ovh.com","username":"jdacunha"},"change_message_id":"41a498330cb2e972c80db04b23b2792158cd9100","unresolved":false,"context_lines":[{"line_number":48,"context_line":"  \"new-nonce\", \"new-account\", \"new-order\", and \"revoke-cert\" endpoints"},{"line_number":49,"context_line":"- 40 reqs per sec for \"/directory/\" and \"/acme\" directory and subdirs"},{"line_number":50,"context_line":"- 10 accounts creation per 3 hours"},{"line_number":51,"context_line":"- 500 accounts per ip within IPv6 /48 per 3 hours:"},{"line_number":52,"context_line":"  `too many registrations for this IP` [OR]"},{"line_number":53,"context_line":"  `too many registrations for this IP range`"},{"line_number":54,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"0a82d0d7_4b2dff8b","line":51,"in_reply_to":"ed9629a7_7b50c6d4","updated":"2023-04-25 11:41:23.000000000","message":"Ack","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":11628,"name":"Michael 
Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"23c91d4ef470a161ade95b8e99086c142c49e964","unresolved":true,"context_lines":[{"line_number":62,"context_line":""},{"line_number":63,"context_line":"ACMEv2 Account"},{"line_number":64,"context_line":""},{"line_number":65,"context_line":"1. Create [OR] Import ACMEv2 account private key (RSA JWK)"},{"line_number":66,"context_line":"2. Register account and accept TOS [OR] use existing registration"},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"ACMEv2 Certificate"}],"source_content_type":"text/x-rst","patch_set":8,"id":"db812229_fa83c3e0","line":65,"updated":"2023-04-21 23:04:35.000000000","message":"I think we should explain this more. I am assuming this spec will use the \"one account\" model recommended[1] for cloud services?\n\n[1] https://letsencrypt.org/docs/integration-guide/#one-account-or-many","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":27442,"name":"Quentin GROLLEAU","email":"quentin.grolleau@corp.ovh.com","username":"QG"},"change_message_id":"6a8bb39ab37ecf2acbde76b5a40d8bc0055388d6","unresolved":false,"context_lines":[{"line_number":62,"context_line":""},{"line_number":63,"context_line":"ACMEv2 Account"},{"line_number":64,"context_line":""},{"line_number":65,"context_line":"1. Create [OR] Import ACMEv2 account private key (RSA JWK)"},{"line_number":66,"context_line":"2. 
Register account and accept TOS [OR] use existing registration"},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"ACMEv2 Certificate"}],"source_content_type":"text/x-rst","patch_set":8,"id":"edc2a952_ecf85a9a","line":65,"in_reply_to":"23ffaf0c_403b9e06","updated":"2023-06-07 16:00:50.000000000","message":"Ack","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":35848,"name":"Julian DA CUNHA","display_name":"Julian","email":"julian.da-cunha@corp.ovh.com","username":"jdacunha"},"change_message_id":"9a0e9b5df3a4f9330d1ff6f4dcb587ed9f7ce5b7","unresolved":true,"context_lines":[{"line_number":62,"context_line":""},{"line_number":63,"context_line":"ACMEv2 Account"},{"line_number":64,"context_line":""},{"line_number":65,"context_line":"1. Create [OR] Import ACMEv2 account private key (RSA JWK)"},{"line_number":66,"context_line":"2. Register account and accept TOS [OR] use existing registration"},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"ACMEv2 Certificate"}],"source_content_type":"text/x-rst","patch_set":8,"id":"23ffaf0c_403b9e06","line":65,"in_reply_to":"db812229_fa83c3e0","updated":"2023-04-26 11:03:58.000000000","message":"Sure, we will use the one account model.\nI added your remark below:\n\n\"So we will use \"one_account\" model recommended for Cloud Services\n(see: https://letsencrypt.org/docs/integration-guide/#one-account-or-many)\"\n\nDo i need to add more info ?","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"23c91d4ef470a161ade95b8e99086c142c49e964","unresolved":true,"context_lines":[{"line_number":81,"context_line":""},{"line_number":82,"context_line":".. 
warning::"},{"line_number":83,"context_line":"    User must have a valid load balancer with a working VIP in a public subnet."},{"line_number":84,"context_line":"    ACMEv2 cert is linked to the load balancer\u0027s VIP/FIP."},{"line_number":85,"context_line":"    Amphorae MUST have an open 80 TCP port / OR will create it.."},{"line_number":86,"context_line":""},{"line_number":87,"context_line":"Issue"}],"source_content_type":"text/x-rst","patch_set":8,"id":"71155be5_0abe1a84","line":84,"updated":"2023-04-21 23:04:35.000000000","message":"Actually, no, it\u0027s linked to the DNS name used in the cert. So, the VIP/FIP will also need to have a DNS A/AAAA record provisioned for this to complete.","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":35848,"name":"Julian DA CUNHA","display_name":"Julian","email":"julian.da-cunha@corp.ovh.com","username":"jdacunha"},"change_message_id":"41a498330cb2e972c80db04b23b2792158cd9100","unresolved":false,"context_lines":[{"line_number":81,"context_line":""},{"line_number":82,"context_line":".. 
warning::"},{"line_number":83,"context_line":"    User must have a valid load balancer with a working VIP in a public subnet."},{"line_number":84,"context_line":"    ACMEv2 cert is linked to the load balancer\u0027s VIP/FIP."},{"line_number":85,"context_line":"    Amphorae MUST have an open 80 TCP port / OR will create it.."},{"line_number":86,"context_line":""},{"line_number":87,"context_line":"Issue"}],"source_content_type":"text/x-rst","patch_set":8,"id":"69ae0fa6_1a6469f5","line":84,"in_reply_to":"71155be5_0abe1a84","updated":"2023-04-25 11:41:23.000000000","message":"Ack","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"23c91d4ef470a161ade95b8e99086c142c49e964","unresolved":true,"context_lines":[{"line_number":87,"context_line":"Issue"},{"line_number":88,"context_line":"^^^^^"},{"line_number":89,"context_line":"1. User make HTTP [Post] request to /v2.0/lbaas/acmev2/certs"},{"line_number":90,"context_line":"2. Octavia Worker check if asked cert domain name resolve to the LB VIP,"},{"line_number":91,"context_line":"   query ACMEv2 provider\u0027s DNS (for let\u0027s encrypt, it\u0027s google\u0027s dns servers)."},{"line_number":92,"context_line":"   This step will ensure everything is correctly setup (from user side) before"},{"line_number":93,"context_line":"   trying to make CA requests and hit rate limits unnecessarily."}],"source_content_type":"text/x-rst","patch_set":8,"id":"fa8cce57_a250b020","line":90,"updated":"2023-04-21 23:04:35.000000000","message":"It would be easier to read if we break these up into individual validation steps. I would also note/assume these validation steps would occur prior to the endpoint returning a 200/202 response to the user, correct?\nI would assume that since the account is configured in the octavia.conf, the provider endpoints would also be provisioned there. 
Maybe we don\u0027t need to DNS lookup the provider endpoints on every request? Maybe just on startup?\nI do agree that the cert domains should be validated to the VIP/FIP on each request.","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"23c91d4ef470a161ade95b8e99086c142c49e964","unresolved":true,"context_lines":[{"line_number":91,"context_line":"   query ACMEv2 provider\u0027s DNS (for let\u0027s encrypt, it\u0027s google\u0027s dns servers)."},{"line_number":92,"context_line":"   This step will ensure everything is correctly setup (from user side) before"},{"line_number":93,"context_line":"   trying to make CA requests and hit rate limits unnecessarily."},{"line_number":94,"context_line":"   NEED Octavia Worker connectivity to external DNS."},{"line_number":95,"context_line":"3. Octavia Worker creates Certificate\u0027s Private Key and CSR [ONESHOT]"},{"line_number":96,"context_line":"4. Octavia Worker configures User\u0027s Amphorae"},{"line_number":97,"context_line":"   (haproxy config for `/.well-known/acme-challenge/` route)"}],"source_content_type":"text/x-rst","patch_set":8,"id":"9262923e_cfaca5b6","line":94,"updated":"2023-04-21 23:04:35.000000000","message":"This requirement may push us towards a new control plane process that manages this part. 
Currently none of the Octavia control plane processes need \"internet\"/\"external\" access.","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":27442,"name":"Quentin GROLLEAU","email":"quentin.grolleau@corp.ovh.com","username":"QG"},"change_message_id":"0f35ce4cb5f24f12fc7add61ec35c3efff3fc815","unresolved":true,"context_lines":[{"line_number":91,"context_line":"   query ACMEv2 provider\u0027s DNS (for let\u0027s encrypt, it\u0027s google\u0027s dns servers)."},{"line_number":92,"context_line":"   This step will ensure everything is correctly setup (from user side) before"},{"line_number":93,"context_line":"   trying to make CA requests and hit rate limits unnecessarily."},{"line_number":94,"context_line":"   NEED Octavia Worker connectivity to external DNS."},{"line_number":95,"context_line":"3. Octavia Worker creates Certificate\u0027s Private Key and CSR [ONESHOT]"},{"line_number":96,"context_line":"4. Octavia Worker configures User\u0027s Amphorae"},{"line_number":97,"context_line":"   (haproxy config for `/.well-known/acme-challenge/` route)"}],"source_content_type":"text/x-rst","patch_set":8,"id":"f36784d5_da6e4506","line":94,"in_reply_to":"3417319a_5bfac02c","updated":"2023-06-07 15:43:20.000000000","message":"Octavia-worker already needs \"internet or internal\" access as they need Nova,Neutron,Keystone,Barbican access ?","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":35848,"name":"Julian DA CUNHA","display_name":"Julian","email":"julian.da-cunha@corp.ovh.com","username":"jdacunha"},"change_message_id":"9a0e9b5df3a4f9330d1ff6f4dcb587ed9f7ce5b7","unresolved":true,"context_lines":[{"line_number":91,"context_line":"   query ACMEv2 provider\u0027s DNS (for let\u0027s encrypt, it\u0027s google\u0027s dns servers)."},{"line_number":92,"context_line":"   This step will ensure everything is correctly setup (from user side) before"},{"line_number":93,"context_line":"   trying to make CA requests and 
hit rate limits unnecessarily."},{"line_number":94,"context_line":"   NEED Octavia Worker connectivity to external DNS."},{"line_number":95,"context_line":"3. Octavia Worker creates Certificate\u0027s Private Key and CSR [ONESHOT]"},{"line_number":96,"context_line":"4. Octavia Worker configures User\u0027s Amphorae"},{"line_number":97,"context_line":"   (haproxy config for `/.well-known/acme-challenge/` route)"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3417319a_5bfac02c","line":94,"in_reply_to":"9262923e_cfaca5b6","updated":"2023-04-26 11:03:58.000000000","message":"I would like to create a new kind of Octavia worker dedicated to the ACMEv2 management.\n\nThe worker must have access to the CA through https (TCP 443), be able to query external DNS servers (UDP 53), and check if User\u0027s Amphorae `/.well-known/acme-challenge/` route is accessible (TCP 80).\n\nThese are new worker behaviors/needs indeed, but as we discussed before, we don\u0027t have other choices.","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":27442,"name":"Quentin GROLLEAU","email":"quentin.grolleau@corp.ovh.com","username":"QG"},"change_message_id":"6a8bb39ab37ecf2acbde76b5a40d8bc0055388d6","unresolved":false,"context_lines":[{"line_number":91,"context_line":"   query ACMEv2 provider\u0027s DNS (for let\u0027s encrypt, it\u0027s google\u0027s dns servers)."},{"line_number":92,"context_line":"   This step will ensure everything is correctly setup (from user side) before"},{"line_number":93,"context_line":"   trying to make CA requests and hit rate limits unnecessarily."},{"line_number":94,"context_line":"   NEED Octavia Worker connectivity to external DNS."},{"line_number":95,"context_line":"3. Octavia Worker creates Certificate\u0027s Private Key and CSR [ONESHOT]"},{"line_number":96,"context_line":"4. 
Octavia Worker configures User\u0027s Amphorae"},{"line_number":97,"context_line":"   (haproxy config for `/.well-known/acme-challenge/` route)"}],"source_content_type":"text/x-rst","patch_set":8,"id":"1b989cf9_431222e6","line":94,"in_reply_to":"f36784d5_da6e4506","updated":"2023-06-07 16:00:50.000000000","message":"Ack","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"23c91d4ef470a161ade95b8e99086c142c49e964","unresolved":true,"context_lines":[{"line_number":92,"context_line":"   This step will ensure everything is correctly setup (from user side) before"},{"line_number":93,"context_line":"   trying to make CA requests and hit rate limits unnecessarily."},{"line_number":94,"context_line":"   NEED Octavia Worker connectivity to external DNS."},{"line_number":95,"context_line":"3. Octavia Worker creates Certificate\u0027s Private Key and CSR [ONESHOT]"},{"line_number":96,"context_line":"4. Octavia Worker configures User\u0027s Amphorae"},{"line_number":97,"context_line":"   (haproxy config for `/.well-known/acme-challenge/` route)"},{"line_number":98,"context_line":"5. Octavia Worker select the challenge from ACMEv2 CA"}],"source_content_type":"text/x-rst","patch_set":8,"id":"55116669_ba644c72","line":95,"updated":"2023-04-21 23:04:35.000000000","message":"We need to talk about where these are stored. 
Below it talks about storing the certificate pem in barbican, but you will probably also need to store these as well.","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":35848,"name":"Julian DA CUNHA","display_name":"Julian","email":"julian.da-cunha@corp.ovh.com","username":"jdacunha"},"change_message_id":"ae3d18657590569c8be1b8a9e9b5b151fc0bc8de","unresolved":false,"context_lines":[{"line_number":92,"context_line":"   This step will ensure everything is correctly setup (from user side) before"},{"line_number":93,"context_line":"   trying to make CA requests and hit rate limits unnecessarily."},{"line_number":94,"context_line":"   NEED Octavia Worker connectivity to external DNS."},{"line_number":95,"context_line":"3. Octavia Worker creates Certificate\u0027s Private Key and CSR [ONESHOT]"},{"line_number":96,"context_line":"4. Octavia Worker configures User\u0027s Amphorae"},{"line_number":97,"context_line":"   (haproxy config for `/.well-known/acme-challenge/` route)"},{"line_number":98,"context_line":"5. Octavia Worker select the challenge from ACMEv2 CA"}],"source_content_type":"text/x-rst","patch_set":8,"id":"4f675dfa_3cf42789","line":95,"in_reply_to":"55116669_ba644c72","updated":"2023-04-26 09:34:23.000000000","message":"Good catch, i forgot to store `private_key`.\nFor the CSR, i don\u0027t really need to keep it, i only need it to issue a cert.","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"23c91d4ef470a161ade95b8e99086c142c49e964","unresolved":true,"context_lines":[{"line_number":96,"context_line":"4. Octavia Worker configures User\u0027s Amphorae"},{"line_number":97,"context_line":"   (haproxy config for `/.well-known/acme-challenge/` route)"},{"line_number":98,"context_line":"5. Octavia Worker select the challenge from ACMEv2 CA"},{"line_number":99,"context_line":"6. 
Octavia Worker generate response and validation"},{"line_number":100,"context_line":"7. Octavia Worker push validation token to User\u0027s Amphorae"},{"line_number":101,"context_line":"8. Octavia Worker make HTTP Get request to Amphorae"},{"line_number":102,"context_line":"   /.well-known/acme-challenge/` route."}],"source_content_type":"text/x-rst","patch_set":8,"id":"6dea1016_1b29dafe","line":99,"updated":"2023-04-21 23:04:35.000000000","message":"This also implies that the process interacting with letsencrypt/acmev2 has access to a valid CA certificate file and OCSP/CRL access such that it can validate the certificate on the letsencrypt/acmev2 endpoint.","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":35848,"name":"Julian DA CUNHA","display_name":"Julian","email":"julian.da-cunha@corp.ovh.com","username":"jdacunha"},"change_message_id":"ae3d18657590569c8be1b8a9e9b5b151fc0bc8de","unresolved":true,"context_lines":[{"line_number":96,"context_line":"4. Octavia Worker configures User\u0027s Amphorae"},{"line_number":97,"context_line":"   (haproxy config for `/.well-known/acme-challenge/` route)"},{"line_number":98,"context_line":"5. Octavia Worker select the challenge from ACMEv2 CA"},{"line_number":99,"context_line":"6. Octavia Worker generate response and validation"},{"line_number":100,"context_line":"7. Octavia Worker push validation token to User\u0027s Amphorae"},{"line_number":101,"context_line":"8. 
Octavia Worker make HTTP Get request to Amphorae"},{"line_number":102,"context_line":"   /.well-known/acme-challenge/` route."}],"source_content_type":"text/x-rst","patch_set":8,"id":"266b19ec_63e59b81","line":99,"in_reply_to":"6dea1016_1b29dafe","updated":"2023-04-26 09:34:23.000000000","message":"I don\u0027t really understand what you mean.\nThis step will generate the acme token which will be use to validate the challenge.\n\nhttps://github.com/certbot/certbot/blob/057524aa52fce8a300e48fcdaa04ea41acac9e09/acme/acme/challenges.py#L216\n\nThis file will be pushed to the amphorae, so when the CA will make the challenge validation, it will make an HTTP get to the domain, which will redirect to /.well-known/acme-challenge/XXX.","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"23c91d4ef470a161ade95b8e99086c142c49e964","unresolved":true,"context_lines":[{"line_number":102,"context_line":"   /.well-known/acme-challenge/` route."},{"line_number":103,"context_line":"   Ensure the amphora will be able to serve the token to the ACMEv2 CA,"},{"line_number":104,"context_line":"   before trying to issue cert and hit rate limits unnecessarily."},{"line_number":105,"context_line":"   NEED Octavia Worker connectivity to Amphora VIP on port 80."},{"line_number":106,"context_line":"9. Octavia Worker tell ACMEv2 CA: \"we are ready to make challenge\""},{"line_number":107,"context_line":"10. ACMEv2 CA check http://IPv4_VIP/.well-known/acme-challenge/\u003cTOKEN\u003e"},{"line_number":108,"context_line":"11. Meanwhile Octavia Worker wait/poll for challenge status and get issued cert"}],"source_content_type":"text/x-rst","patch_set":8,"id":"dd22416a_ebff43e2","line":105,"updated":"2023-04-21 23:04:35.000000000","message":"This requirement may push us towards a new control plane process that manages this part. 
Currently none of the Octavia control plane processes need \"internet\"/\"external\" access.","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":35848,"name":"Julian DA CUNHA","display_name":"Julian","email":"julian.da-cunha@corp.ovh.com","username":"jdacunha"},"change_message_id":"9a0e9b5df3a4f9330d1ff6f4dcb587ed9f7ce5b7","unresolved":false,"context_lines":[{"line_number":102,"context_line":"   /.well-known/acme-challenge/` route."},{"line_number":103,"context_line":"   Ensure the amphora will be able to serve the token to the ACMEv2 CA,"},{"line_number":104,"context_line":"   before trying to issue cert and hit rate limits unnecessarily."},{"line_number":105,"context_line":"   NEED Octavia Worker connectivity to Amphora VIP on port 80."},{"line_number":106,"context_line":"9. Octavia Worker tell ACMEv2 CA: \"we are ready to make challenge\""},{"line_number":107,"context_line":"10. ACMEv2 CA check http://IPv4_VIP/.well-known/acme-challenge/\u003cTOKEN\u003e"},{"line_number":108,"context_line":"11. Meanwhile Octavia Worker wait/poll for challenge status and get issued cert"}],"source_content_type":"text/x-rst","patch_set":8,"id":"64d0662d_d9286a0f","line":105,"in_reply_to":"dd22416a_ebff43e2","updated":"2023-04-26 11:03:58.000000000","message":"Ack","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"23c91d4ef470a161ade95b8e99086c142c49e964","unresolved":true,"context_lines":[{"line_number":117,"context_line":"    load_balancer_id."},{"line_number":118,"context_line":"    And also the listener objects to serve the new fullchain."},{"line_number":119,"context_line":""},{"line_number":120,"context_line":"Renew"},{"line_number":121,"context_line":"^^^^^"},{"line_number":122,"context_line":"1. Octavia Worker periodic task checks for certs to renew"},{"line_number":123,"context_line":"2. 
Octavia Worker check if asked cert domain name resolve to the LB VIP,"}],"source_content_type":"text/x-rst","patch_set":8,"id":"6e3bcf91_f7f9c2f5","line":120,"updated":"2023-04-21 23:04:35.000000000","message":"How does the new ARI[1] extension impact this?\n\n[1] https://letsencrypt.org/2023/03/23/improving-resliiency-and-reliability-with-ari.html","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":35848,"name":"Julian DA CUNHA","display_name":"Julian","email":"julian.da-cunha@corp.ovh.com","username":"jdacunha"},"change_message_id":"41a498330cb2e972c80db04b23b2792158cd9100","unresolved":false,"context_lines":[{"line_number":117,"context_line":"    load_balancer_id."},{"line_number":118,"context_line":"    And also the listener objects to serve the new fullchain."},{"line_number":119,"context_line":""},{"line_number":120,"context_line":"Renew"},{"line_number":121,"context_line":"^^^^^"},{"line_number":122,"context_line":"1. Octavia Worker periodic task checks for certs to renew"},{"line_number":123,"context_line":"2. Octavia Worker check if asked cert domain name resolve to the LB VIP,"}],"source_content_type":"text/x-rst","patch_set":8,"id":"8350e232_ec6f21db","line":120,"in_reply_to":"6e3bcf91_f7f9c2f5","updated":"2023-04-25 11:41:23.000000000","message":"I was not aware of this new feature.\nBut the task_flow to renew the cert will more or less do the same job as the ARI does.","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":34429,"name":"Tom Weininger","email":"dienste@weinimo.de","username":"tweining"},"change_message_id":"f7b1c2a7c164bf0fb1cea62aea83c37fbbf69ca2","unresolved":true,"context_lines":[{"line_number":119,"context_line":""},{"line_number":120,"context_line":"Renew"},{"line_number":121,"context_line":"^^^^^"},{"line_number":122,"context_line":"1. Octavia Worker periodic task checks for certs to renew"},{"line_number":123,"context_line":"2. 
Octavia Worker check if asked cert domain name resolve to the LB VIP,"},{"line_number":124,"context_line":"   query ACMEv2 provider\u0027s DNS (for let\u0027s encrypt, it\u0027s google\u0027s dns servers)."},{"line_number":125,"context_line":"   This step will ensure everything is correctly setup (from user side) before"}],"source_content_type":"text/x-rst","patch_set":8,"id":"245e4893_a9f33c8e","line":122,"range":{"start_line":122,"start_character":11,"end_line":122,"end_character":57},"updated":"2023-04-17 10:51:45.000000000","message":"I\u0027m not sure, but does it make sense to use the house keeping process for this instead? It seems it is responsible for certificate rotation already.","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":35848,"name":"Julian DA CUNHA","display_name":"Julian","email":"julian.da-cunha@corp.ovh.com","username":"jdacunha"},"change_message_id":"f5b241616b73ccf11039c8e78f1876afe4b6a485","unresolved":false,"context_lines":[{"line_number":119,"context_line":""},{"line_number":120,"context_line":"Renew"},{"line_number":121,"context_line":"^^^^^"},{"line_number":122,"context_line":"1. Octavia Worker periodic task checks for certs to renew"},{"line_number":123,"context_line":"2. 
Octavia Worker check if asked cert domain name resolve to the LB VIP,"},{"line_number":124,"context_line":"   query ACMEv2 provider\u0027s DNS (for let\u0027s encrypt, it\u0027s google\u0027s dns servers)."},{"line_number":125,"context_line":"   This step will ensure everything is correctly setup (from user side) before"}],"source_content_type":"text/x-rst","patch_set":8,"id":"81b2ff13_2d6ba7f4","line":122,"range":{"start_line":122,"start_character":11,"end_line":122,"end_character":57},"in_reply_to":"188415dd_4e73dd8f","updated":"2023-04-18 08:38:57.000000000","message":"Ack","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":35848,"name":"Julian DA CUNHA","display_name":"Julian","email":"julian.da-cunha@corp.ovh.com","username":"jdacunha"},"change_message_id":"79d074c92c85d210468344021184f6c9314c242d","unresolved":true,"context_lines":[{"line_number":119,"context_line":""},{"line_number":120,"context_line":"Renew"},{"line_number":121,"context_line":"^^^^^"},{"line_number":122,"context_line":"1. Octavia Worker periodic task checks for certs to renew"},{"line_number":123,"context_line":"2. 
Octavia Worker check if asked cert domain name resolve to the LB VIP,"},{"line_number":124,"context_line":"   query ACMEv2 provider\u0027s DNS (for let\u0027s encrypt, it\u0027s google\u0027s dns servers)."},{"line_number":125,"context_line":"   This step will ensure everything is correctly setup (from user side) before"}],"source_content_type":"text/x-rst","patch_set":8,"id":"188415dd_4e73dd8f","line":122,"range":{"start_line":122,"start_character":11,"end_line":122,"end_character":57},"in_reply_to":"245e4893_a9f33c8e","updated":"2023-04-18 07:50:52.000000000","message":"I don\u0027t have opinion on it, i just need to have something running in the background.\nHousekeeping seems to be what i need, but i don\u0027t know where this daemon is running..\n\n```\u001f\nThe housekeeping manager will run as a daemon process which will perform the following actions\n```\n\ncf: https://docs.openstack.org/octavia/latest/contributor/specs/version0.5/housekeeping-manager-interface.html","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"23c91d4ef470a161ade95b8e99086c142c49e964","unresolved":true,"context_lines":[{"line_number":125,"context_line":"   This step will ensure everything is correctly setup (from user side) before"},{"line_number":126,"context_line":"   trying to make CA requests and hit rate limits unnecessarily."},{"line_number":127,"context_line":"   NEED Octavia Worker connectivity to external DNS."},{"line_number":128,"context_line":"3. Octavia Worker creates Certificate\u0027s Private Key and CSR"},{"line_number":129,"context_line":"4. Octavia Worker configures User\u0027s Amphorae"},{"line_number":130,"context_line":"   (haproxy config for `/.well-known/acme-challenge/` route)"},{"line_number":131,"context_line":"5. 
Octavia Worker select the challenge from ACMEv2 CA"}],"source_content_type":"text/x-rst","patch_set":8,"id":"d23905dc_4fd8551e","line":128,"updated":"2023-04-21 23:04:35.000000000","message":"Are you sure you need a new key and CSR? Typically these are reused. Changing the key may break some advanced validations of the endpoint.","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":35848,"name":"Julian DA CUNHA","display_name":"Julian","email":"julian.da-cunha@corp.ovh.com","username":"jdacunha"},"change_message_id":"abd15d1bb7f2e4c4e3e27672ae92d1977f7cf5ac","unresolved":false,"context_lines":[{"line_number":125,"context_line":"   This step will ensure everything is correctly setup (from user side) before"},{"line_number":126,"context_line":"   trying to make CA requests and hit rate limits unnecessarily."},{"line_number":127,"context_line":"   NEED Octavia Worker connectivity to external DNS."},{"line_number":128,"context_line":"3. Octavia Worker creates Certificate\u0027s Private Key and CSR"},{"line_number":129,"context_line":"4. Octavia Worker configures User\u0027s Amphorae"},{"line_number":130,"context_line":"   (haproxy config for `/.well-known/acme-challenge/` route)"},{"line_number":131,"context_line":"5. 
Octavia Worker select the challenge from ACMEv2 CA"}],"source_content_type":"text/x-rst","patch_set":8,"id":"593cc5c9_95e64e75","line":128,"in_reply_to":"2fa1919b_cd09acc8","updated":"2023-06-07 16:19:47.000000000","message":"Ack","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":27442,"name":"Quentin GROLLEAU","email":"quentin.grolleau@corp.ovh.com","username":"QG"},"change_message_id":"6a8bb39ab37ecf2acbde76b5a40d8bc0055388d6","unresolved":true,"context_lines":[{"line_number":125,"context_line":"   This step will ensure everything is correctly setup (from user side) before"},{"line_number":126,"context_line":"   trying to make CA requests and hit rate limits unnecessarily."},{"line_number":127,"context_line":"   NEED Octavia Worker connectivity to external DNS."},{"line_number":128,"context_line":"3. Octavia Worker creates Certificate\u0027s Private Key and CSR"},{"line_number":129,"context_line":"4. Octavia Worker configures User\u0027s Amphorae"},{"line_number":130,"context_line":"   (haproxy config for `/.well-known/acme-challenge/` route)"},{"line_number":131,"context_line":"5. 
Octavia Worker select the challenge from ACMEv2 CA"}],"source_content_type":"text/x-rst","patch_set":8,"id":"2fa1919b_cd09acc8","line":128,"in_reply_to":"9f6498e0_6c7416cf","updated":"2023-06-07 16:00:50.000000000","message":"Indeed we don\u0027t want to renew the Private Key","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":35848,"name":"Julian DA CUNHA","display_name":"Julian","email":"julian.da-cunha@corp.ovh.com","username":"jdacunha"},"change_message_id":"41a498330cb2e972c80db04b23b2792158cd9100","unresolved":true,"context_lines":[{"line_number":125,"context_line":"   This step will ensure everything is correctly setup (from user side) before"},{"line_number":126,"context_line":"   trying to make CA requests and hit rate limits unnecessarily."},{"line_number":127,"context_line":"   NEED Octavia Worker connectivity to external DNS."},{"line_number":128,"context_line":"3. Octavia Worker creates Certificate\u0027s Private Key and CSR"},{"line_number":129,"context_line":"4. Octavia Worker configures User\u0027s Amphorae"},{"line_number":130,"context_line":"   (haproxy config for `/.well-known/acme-challenge/` route)"},{"line_number":131,"context_line":"5. Octavia Worker select the challenge from ACMEv2 CA"}],"source_content_type":"text/x-rst","patch_set":8,"id":"9f6498e0_6c7416cf","line":128,"in_reply_to":"d23905dc_4fd8551e","updated":"2023-04-25 11:41:23.000000000","message":"As i understand, in my tests for \"HTTP-01\" challenge with Let\u0027s Encrypt provider, the renewing process is like the issuing one.\n\nI added extra steps to revoke previous issued cert.","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"23c91d4ef470a161ade95b8e99086c142c49e964","unresolved":true,"context_lines":[{"line_number":155,"context_line":"1. 
User make HTTP [Delete] request to /v2.0/lbaas/acmev2/certs/{cert_id}"},{"line_number":156,"context_line":"2. Octavia Worker retrieve fullchain.pem from Barbican"},{"line_number":157,"context_line":"3. Octavia Worker revoke cert in ACMEv2 CA"},{"line_number":158,"context_line":"4. Octavia Worker remove cert from Barbican"},{"line_number":159,"context_line":"5. Octavia Worker update Octavia Database,"},{"line_number":160,"context_line":"   to fill Cert info (in acmev2_certs table) like:"},{"line_number":161,"context_line":"   status,"}],"source_content_type":"text/x-rst","patch_set":8,"id":"ec1ad46c_8224f85d","line":158,"updated":"2023-04-21 23:04:35.000000000","message":"What happens to the cert on the amphora? You can\u0027t remove it from barbican until the listeners no longer reference it (barbican secrets consumers).","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":35848,"name":"Julian DA CUNHA","display_name":"Julian","email":"julian.da-cunha@corp.ovh.com","username":"jdacunha"},"change_message_id":"41a498330cb2e972c80db04b23b2792158cd9100","unresolved":false,"context_lines":[{"line_number":155,"context_line":"1. User make HTTP [Delete] request to /v2.0/lbaas/acmev2/certs/{cert_id}"},{"line_number":156,"context_line":"2. Octavia Worker retrieve fullchain.pem from Barbican"},{"line_number":157,"context_line":"3. Octavia Worker revoke cert in ACMEv2 CA"},{"line_number":158,"context_line":"4. Octavia Worker remove cert from Barbican"},{"line_number":159,"context_line":"5. 
Octavia Worker update Octavia Database,"},{"line_number":160,"context_line":"   to fill Cert info (in acmev2_certs table) like:"},{"line_number":161,"context_line":"   status,"}],"source_content_type":"text/x-rst","patch_set":8,"id":"92310ac3_7c4baafc","line":158,"in_reply_to":"ec1ad46c_8224f85d","updated":"2023-04-25 11:41:23.000000000","message":"Ack","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"23c91d4ef470a161ade95b8e99086c142c49e964","unresolved":true,"context_lines":[{"line_number":208,"context_line":"      - /"},{"line_number":209,"context_line":"      - False"},{"line_number":210,"context_line":"      - False"},{"line_number":211,"context_line":"      - DNS used by the ACMEv2 CA to resolve user\u0027s domain (eg: 8.8.8.8,8.8.4.4)"},{"line_number":212,"context_line":""},{"line_number":213,"context_line":"acmev2_certs"},{"line_number":214,"context_line":"^^^^^^^^^^^^"}],"source_content_type":"text/x-rst","patch_set":8,"id":"a613deb7_2e60cfc9","line":211,"updated":"2023-04-21 23:04:35.000000000","message":"Why do we need this? 
The Acmev2 endponts should be resolvable via the process host resolver.","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":35848,"name":"Julian DA CUNHA","display_name":"Julian","email":"julian.da-cunha@corp.ovh.com","username":"jdacunha"},"change_message_id":"41a498330cb2e972c80db04b23b2792158cd9100","unresolved":false,"context_lines":[{"line_number":208,"context_line":"      - /"},{"line_number":209,"context_line":"      - False"},{"line_number":210,"context_line":"      - False"},{"line_number":211,"context_line":"      - DNS used by the ACMEv2 CA to resolve user\u0027s domain (eg: 8.8.8.8,8.8.4.4)"},{"line_number":212,"context_line":""},{"line_number":213,"context_line":"acmev2_certs"},{"line_number":214,"context_line":"^^^^^^^^^^^^"}],"source_content_type":"text/x-rst","patch_set":8,"id":"76c93844_41744e75","line":211,"in_reply_to":"a613deb7_2e60cfc9","updated":"2023-04-25 11:41:23.000000000","message":"Theses DNS servers are the ones used by the ACMEv2 provider to resolve a domain name.\n\nIn order to avoid making challenges for domains where the record are not pointing to the right IP, i would like to ensure they are correctly configured by the user.\n\nThis will ensure everything is correctly setup and not hit rate limits for theses badly configured domains.","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"23c91d4ef470a161ade95b8e99086c142c49e964","unresolved":true,"context_lines":[{"line_number":234,"context_line":"      - False"},{"line_number":235,"context_line":"      - False"},{"line_number":236,"context_line":"      - Domain name used for the cert"},{"line_number":237,"context_line":"    * - domain_aliases"},{"line_number":238,"context_line":"      - String(256)"},{"line_number":239,"context_line":"      - /"},{"line_number":240,"context_line":"      - 
False"}],"source_content_type":"text/x-rst","patch_set":8,"id":"0240b288_63842808","line":237,"updated":"2023-04-21 23:04:35.000000000","message":"I am assuming you mean the subject alternate names (SAN). This is actually a list of alternate domains, not just one alias.","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":35848,"name":"Julian DA CUNHA","display_name":"Julian","email":"julian.da-cunha@corp.ovh.com","username":"jdacunha"},"change_message_id":"41a498330cb2e972c80db04b23b2792158cd9100","unresolved":false,"context_lines":[{"line_number":234,"context_line":"      - False"},{"line_number":235,"context_line":"      - False"},{"line_number":236,"context_line":"      - Domain name used for the cert"},{"line_number":237,"context_line":"    * - domain_aliases"},{"line_number":238,"context_line":"      - String(256)"},{"line_number":239,"context_line":"      - /"},{"line_number":240,"context_line":"      - False"}],"source_content_type":"text/x-rst","patch_set":8,"id":"cb225b7a_62fddcd6","line":237,"in_reply_to":"0240b288_63842808","updated":"2023-04-25 11:41:23.000000000","message":"Ack","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"23c91d4ef470a161ade95b8e99086c142c49e964","unresolved":true,"context_lines":[{"line_number":259,"context_line":"      - False"},{"line_number":260,"context_line":"      - False"},{"line_number":261,"context_line":"      - Enable automatic cert renewal"},{"line_number":262,"context_line":"    * - status"},{"line_number":263,"context_line":"      - String(20)"},{"line_number":264,"context_line":"      - /"},{"line_number":265,"context_line":"      - False"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3f02f8d9_5b46c972","line":262,"updated":"2023-04-21 23:04:35.000000000","message":"To be consistent with our API terminology, this would be a 
provisioning_status column.","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":35848,"name":"Julian DA CUNHA","display_name":"Julian","email":"julian.da-cunha@corp.ovh.com","username":"jdacunha"},"change_message_id":"41a498330cb2e972c80db04b23b2792158cd9100","unresolved":false,"context_lines":[{"line_number":259,"context_line":"      - False"},{"line_number":260,"context_line":"      - False"},{"line_number":261,"context_line":"      - Enable automatic cert renewal"},{"line_number":262,"context_line":"    * - status"},{"line_number":263,"context_line":"      - String(20)"},{"line_number":264,"context_line":"      - /"},{"line_number":265,"context_line":"      - False"}],"source_content_type":"text/x-rst","patch_set":8,"id":"70805a90_c4569089","line":262,"in_reply_to":"3f02f8d9_5b46c972","updated":"2023-04-25 11:41:23.000000000","message":"Ack","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"23c91d4ef470a161ade95b8e99086c142c49e964","unresolved":true,"context_lines":[{"line_number":345,"context_line":"      - /"},{"line_number":346,"context_line":"      - True"},{"line_number":347,"context_line":"      - Aliases of the domain"},{"line_number":348,"context_line":"    * - provider"},{"line_number":349,"context_line":"      - String"},{"line_number":350,"context_line":"      - letsencrypt"},{"line_number":351,"context_line":"      - False"}],"source_content_type":"text/x-rst","patch_set":8,"id":"87215303_a67dce7c","line":348,"updated":"2023-04-21 23:04:35.000000000","message":"How does a user know what providers are available on this cloud?","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":35848,"name":"Julian DA 
CUNHA","display_name":"Julian","email":"julian.da-cunha@corp.ovh.com","username":"jdacunha"},"change_message_id":"41a498330cb2e972c80db04b23b2792158cd9100","unresolved":false,"context_lines":[{"line_number":345,"context_line":"      - /"},{"line_number":346,"context_line":"      - True"},{"line_number":347,"context_line":"      - Aliases of the domain"},{"line_number":348,"context_line":"    * - provider"},{"line_number":349,"context_line":"      - String"},{"line_number":350,"context_line":"      - letsencrypt"},{"line_number":351,"context_line":"      - False"}],"source_content_type":"text/x-rst","patch_set":8,"id":"22dbf9b8_7b2e93b3","line":348,"in_reply_to":"87215303_a67dce7c","updated":"2023-04-25 11:41:23.000000000","message":"I added an endpoint /providers, which will list providers.","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"23c91d4ef470a161ade95b8e99086c142c49e964","unresolved":true,"context_lines":[{"line_number":350,"context_line":"      - letsencrypt"},{"line_number":351,"context_line":"      - False"},{"line_number":352,"context_line":"      - ACMEv2 provider to use (eg: letsencrypt, zerossl, buypass..)"},{"line_number":353,"context_line":"    * - challenge_type"},{"line_number":354,"context_line":"      - String"},{"line_number":355,"context_line":"      - http-01"},{"line_number":356,"context_line":"      - True"}],"source_content_type":"text/x-rst","patch_set":8,"id":"671ce36f_292856c0","line":353,"updated":"2023-04-21 23:04:35.000000000","message":"I think this will be forced by the driver implementation right? I\u0027m not sure we need to ask the user for this. 
At least not now.","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":35848,"name":"Julian DA CUNHA","display_name":"Julian","email":"julian.da-cunha@corp.ovh.com","username":"jdacunha"},"change_message_id":"41a498330cb2e972c80db04b23b2792158cd9100","unresolved":false,"context_lines":[{"line_number":350,"context_line":"      - letsencrypt"},{"line_number":351,"context_line":"      - False"},{"line_number":352,"context_line":"      - ACMEv2 provider to use (eg: letsencrypt, zerossl, buypass..)"},{"line_number":353,"context_line":"    * - challenge_type"},{"line_number":354,"context_line":"      - String"},{"line_number":355,"context_line":"      - http-01"},{"line_number":356,"context_line":"      - True"}],"source_content_type":"text/x-rst","patch_set":8,"id":"ffd58c12_d4cca5a4","line":353,"in_reply_to":"671ce36f_292856c0","updated":"2023-04-25 11:41:23.000000000","message":"Ack","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"23c91d4ef470a161ade95b8e99086c142c49e964","unresolved":true,"context_lines":[{"line_number":378,"context_line":"      - Unauthorized - X-Auth-Token is invalid"},{"line_number":379,"context_line":"    * - 403"},{"line_number":380,"context_line":"      - Forbidden - X-Auth-Token is valid, but the associated project does not have the appropriate role/scope"},{"line_number":381,"context_line":""},{"line_number":382,"context_line":"Show"},{"line_number":383,"context_line":"\u0027\u0027\u0027\u0027"},{"line_number":384,"context_line":"Print information about ACMEv2 cert."}],"source_content_type":"text/x-rst","patch_set":8,"id":"7dfc5a14_b54251bc","line":381,"updated":"2023-04-21 23:04:35.000000000","message":"There should be many more here in case of validation failures, etc.","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":35848,"name":"Julian DA 
CUNHA","display_name":"Julian","email":"julian.da-cunha@corp.ovh.com","username":"jdacunha"},"change_message_id":"41a498330cb2e972c80db04b23b2792158cd9100","unresolved":true,"context_lines":[{"line_number":378,"context_line":"      - Unauthorized - X-Auth-Token is invalid"},{"line_number":379,"context_line":"    * - 403"},{"line_number":380,"context_line":"      - Forbidden - X-Auth-Token is valid, but the associated project does not have the appropriate role/scope"},{"line_number":381,"context_line":""},{"line_number":382,"context_line":"Show"},{"line_number":383,"context_line":"\u0027\u0027\u0027\u0027"},{"line_number":384,"context_line":"Print information about ACMEv2 cert."}],"source_content_type":"text/x-rst","patch_set":8,"id":"a3283dd2_66d57233","line":381,"in_reply_to":"7dfc5a14_b54251bc","updated":"2023-04-25 11:41:23.000000000","message":"Could we take a moment to discuss about it ?\n\nAs requested, i added some HTTP codes, but maybe not enough or not appropriate ones.","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":27442,"name":"Quentin GROLLEAU","email":"quentin.grolleau@corp.ovh.com","username":"QG"},"change_message_id":"6a8bb39ab37ecf2acbde76b5a40d8bc0055388d6","unresolved":true,"context_lines":[{"line_number":378,"context_line":"      - Unauthorized - X-Auth-Token is invalid"},{"line_number":379,"context_line":"    * - 403"},{"line_number":380,"context_line":"      - Forbidden - X-Auth-Token is valid, but the associated project does not have the appropriate role/scope"},{"line_number":381,"context_line":""},{"line_number":382,"context_line":"Show"},{"line_number":383,"context_line":"\u0027\u0027\u0027\u0027"},{"line_number":384,"context_line":"Print information about ACMEv2 cert."}],"source_content_type":"text/x-rst","patch_set":8,"id":"9b230113_4f2f8658","line":381,"in_reply_to":"a3283dd2_66d57233","updated":"2023-06-07 16:00:50.000000000","message":"We can base this on the errors reported by the acme lib : 
https://github.com/certbot/certbot/blob/master/acme/acme/errors.py","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"23c91d4ef470a161ade95b8e99086c142c49e964","unresolved":true,"context_lines":[{"line_number":381,"context_line":""},{"line_number":382,"context_line":"Show"},{"line_number":383,"context_line":"\u0027\u0027\u0027\u0027"},{"line_number":384,"context_line":"Print information about ACMEv2 cert."},{"line_number":385,"context_line":""},{"line_number":386,"context_line":"HTTP [**GET**]: /certs/`{cert_id}`"},{"line_number":387,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"83a5c60a_5c75b4af","line":384,"updated":"2023-04-21 23:04:35.000000000","message":"What fields would be returned?","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":35848,"name":"Julian DA CUNHA","display_name":"Julian","email":"julian.da-cunha@corp.ovh.com","username":"jdacunha"},"change_message_id":"41a498330cb2e972c80db04b23b2792158cd9100","unresolved":false,"context_lines":[{"line_number":381,"context_line":""},{"line_number":382,"context_line":"Show"},{"line_number":383,"context_line":"\u0027\u0027\u0027\u0027"},{"line_number":384,"context_line":"Print information about ACMEv2 cert."},{"line_number":385,"context_line":""},{"line_number":386,"context_line":"HTTP [**GET**]: /certs/`{cert_id}`"},{"line_number":387,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"df073851_f8f3fbdc","line":384,"in_reply_to":"83a5c60a_5c75b4af","updated":"2023-04-25 11:41:23.000000000","message":"Ack","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":11628,"name":"Michael 
Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"23c91d4ef470a161ade95b8e99086c142c49e964","unresolved":true,"context_lines":[{"line_number":389,"context_line":"    :widths: 25 15 15 15 50"},{"line_number":390,"context_line":"    :header-rows: 1"},{"line_number":391,"context_line":""},{"line_number":392,"context_line":"    * - Name"},{"line_number":393,"context_line":"      - Type"},{"line_number":394,"context_line":"      - Default"},{"line_number":395,"context_line":"      - Optional"}],"source_content_type":"text/x-rst","patch_set":8,"id":"b9a6a20a_e02d0c4e","line":392,"updated":"2023-04-21 23:04:35.000000000","message":"I don\u0027t think we need a name field here.","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":35848,"name":"Julian DA CUNHA","display_name":"Julian","email":"julian.da-cunha@corp.ovh.com","username":"jdacunha"},"change_message_id":"41a498330cb2e972c80db04b23b2792158cd9100","unresolved":false,"context_lines":[{"line_number":389,"context_line":"    :widths: 25 15 15 15 50"},{"line_number":390,"context_line":"    :header-rows: 1"},{"line_number":391,"context_line":""},{"line_number":392,"context_line":"    * - Name"},{"line_number":393,"context_line":"      - Type"},{"line_number":394,"context_line":"      - Default"},{"line_number":395,"context_line":"      - Optional"}],"source_content_type":"text/x-rst","patch_set":8,"id":"67752776_e49f278e","line":392,"in_reply_to":"b9a6a20a_e02d0c4e","updated":"2023-04-25 11:41:23.000000000","message":"This is just the name of the table column, only for RST render.\n\n(see: https://b649c19a68edc56feea8-49130948639ed40b079dd8450de896f5.ssl.cf2.rackcdn.com/877281/5/check/openstack-tox-docs/c4d4a52/docs/contributor/specs/version1.1/letsencrypt.html)","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":11628,"name":"Michael 
Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"23c91d4ef470a161ade95b8e99086c142c49e964","unresolved":true,"context_lines":[{"line_number":417,"context_line":""},{"line_number":418,"context_line":"List"},{"line_number":419,"context_line":"\u0027\u0027\u0027\u0027"},{"line_number":420,"context_line":"Print information about Let\u0027s Encrypt certs."},{"line_number":421,"context_line":""},{"line_number":422,"context_line":"HTTP [**GET**]: /certs"},{"line_number":423,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"dc86bf56_d46ff3ab","line":420,"updated":"2023-04-21 23:04:35.000000000","message":"What fields would be returned?","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":35848,"name":"Julian DA CUNHA","display_name":"Julian","email":"julian.da-cunha@corp.ovh.com","username":"jdacunha"},"change_message_id":"41a498330cb2e972c80db04b23b2792158cd9100","unresolved":false,"context_lines":[{"line_number":417,"context_line":""},{"line_number":418,"context_line":"List"},{"line_number":419,"context_line":"\u0027\u0027\u0027\u0027"},{"line_number":420,"context_line":"Print information about Let\u0027s Encrypt certs."},{"line_number":421,"context_line":""},{"line_number":422,"context_line":"HTTP [**GET**]: /certs"},{"line_number":423,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"5e93180c_fbd1eec9","line":420,"in_reply_to":"dc86bf56_d46ff3ab","updated":"2023-04-25 11:41:23.000000000","message":"Ack","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"23c91d4ef470a161ade95b8e99086c142c49e964","unresolved":true,"context_lines":[{"line_number":474,"context_line":"    :widths: 25 15 15 15 50"},{"line_number":475,"context_line":"    :header-rows: 1"},{"line_number":476,"context_line":""},{"line_number":477,"context_line":"    * - 
Name"},{"line_number":478,"context_line":"      - Type"},{"line_number":479,"context_line":"      - Default"},{"line_number":480,"context_line":"      - Optional"}],"source_content_type":"text/x-rst","patch_set":8,"id":"7fa50215_c0ed0d79","line":477,"updated":"2023-04-21 23:04:35.000000000","message":"I don\u0027t think name is needed here.","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":35848,"name":"Julian DA CUNHA","display_name":"Julian","email":"julian.da-cunha@corp.ovh.com","username":"jdacunha"},"change_message_id":"41a498330cb2e972c80db04b23b2792158cd9100","unresolved":false,"context_lines":[{"line_number":474,"context_line":"    :widths: 25 15 15 15 50"},{"line_number":475,"context_line":"    :header-rows: 1"},{"line_number":476,"context_line":""},{"line_number":477,"context_line":"    * - Name"},{"line_number":478,"context_line":"      - Type"},{"line_number":479,"context_line":"      - Default"},{"line_number":480,"context_line":"      - Optional"}],"source_content_type":"text/x-rst","patch_set":8,"id":"6c761250_a87ac048","line":477,"in_reply_to":"7fa50215_c0ed0d79","updated":"2023-04-25 11:41:23.000000000","message":"This is just the name of the table column, only for RST render.\n\n(see: https://b649c19a68edc56feea8-49130948639ed40b079dd8450de896f5.ssl.cf2.rackcdn.com/877281/5/check/openstack-tox-docs/c4d4a52/docs/contributor/specs/version1.1/letsencrypt.html)","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":34429,"name":"Tom Weininger","email":"dienste@weinimo.de","username":"tweining"},"change_message_id":"f7b1c2a7c164bf0fb1cea62aea83c37fbbf69ca2","unresolved":true,"context_lines":[{"line_number":504,"context_line":"---------------"},{"line_number":505,"context_line":"- Does this change touch sensitive data such as tokens, keys, or user data?"},{"line_number":506,"context_line":""},{"line_number":507,"context_line":"  * Yes, private certificate keys, ACMEv2 account 
token..."},{"line_number":508,"context_line":""},{"line_number":509,"context_line":"- Does this change alter the API in a way that may impact security,"},{"line_number":510,"context_line":"  such as a new way to access sensitive information or a new way to login?"}],"source_content_type":"text/x-rst","patch_set":8,"id":"81797bef_91e88cb3","line":507,"updated":"2023-04-17 10:51:45.000000000","message":"It seems the proposed data model contains no security-sensitive data, but if it does, we need to make sure this data cannot end up in logs.","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":35848,"name":"Julian DA CUNHA","display_name":"Julian","email":"julian.da-cunha@corp.ovh.com","username":"jdacunha"},"change_message_id":"79d074c92c85d210468344021184f6c9314c242d","unresolved":true,"context_lines":[{"line_number":504,"context_line":"---------------"},{"line_number":505,"context_line":"- Does this change touch sensitive data such as tokens, keys, or user data?"},{"line_number":506,"context_line":""},{"line_number":507,"context_line":"  * Yes, private certificate keys, ACMEv2 account token..."},{"line_number":508,"context_line":""},{"line_number":509,"context_line":"- Does this change alter the API in a way that may impact security,"},{"line_number":510,"context_line":"  such as a new way to access sensitive information or a new way to login?"}],"source_content_type":"text/x-rst","patch_set":8,"id":"f10052fb_a9aa411a","line":507,"in_reply_to":"81797bef_91e88cb3","updated":"2023-04-18 07:50:52.000000000","message":"We are dealing with the ACMEv2 private key and registration JSON, and we are also generating private keys for issued/renewed certificates.\n\nSure, the sensitive data won\u0027t be logged.","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":35848,"name":"Julian DA 
CUNHA","display_name":"Julian","email":"julian.da-cunha@corp.ovh.com","username":"jdacunha"},"change_message_id":"f5b241616b73ccf11039c8e78f1876afe4b6a485","unresolved":false,"context_lines":[{"line_number":504,"context_line":"---------------"},{"line_number":505,"context_line":"- Does this change touch sensitive data such as tokens, keys, or user data?"},{"line_number":506,"context_line":""},{"line_number":507,"context_line":"  * Yes, private certificate keys, ACMEv2 account token..."},{"line_number":508,"context_line":""},{"line_number":509,"context_line":"- Does this change alter the API in a way that may impact security,"},{"line_number":510,"context_line":"  such as a new way to access sensitive information or a new way to login?"}],"source_content_type":"text/x-rst","patch_set":8,"id":"cd521eb2_2799170f","line":507,"in_reply_to":"f10052fb_a9aa411a","updated":"2023-04-18 08:38:57.000000000","message":"Done","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"23c91d4ef470a161ade95b8e99086c142c49e964","unresolved":true,"context_lines":[{"line_number":551,"context_line":""},{"line_number":552,"context_line":"Other deployer impact"},{"line_number":553,"context_line":"---------------------"},{"line_number":554,"context_line":"Need a secret service configured (Barbican)."},{"line_number":555,"context_line":""},{"line_number":556,"context_line":"Developer impact"},{"line_number":557,"context_line":"----------------"}],"source_content_type":"text/x-rst","patch_set":8,"id":"54805f69_9c14ba3d","line":554,"updated":"2023-04-21 23:04:35.000000000","message":"Can we describe the required/expected octavia.conf settings that will be added?","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":35848,"name":"Julian DA 
CUNHA","display_name":"Julian","email":"julian.da-cunha@corp.ovh.com","username":"jdacunha"},"change_message_id":"41a498330cb2e972c80db04b23b2792158cd9100","unresolved":false,"context_lines":[{"line_number":551,"context_line":""},{"line_number":552,"context_line":"Other deployer impact"},{"line_number":553,"context_line":"---------------------"},{"line_number":554,"context_line":"Need a secret service configured (Barbican)."},{"line_number":555,"context_line":""},{"line_number":556,"context_line":"Developer impact"},{"line_number":557,"context_line":"----------------"}],"source_content_type":"text/x-rst","patch_set":8,"id":"162eae46_9db829ca","line":554,"in_reply_to":"54805f69_9c14ba3d","updated":"2023-04-25 11:41:23.000000000","message":"Ack","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"23c91d4ef470a161ade95b8e99086c142c49e964","unresolved":true,"context_lines":[{"line_number":573,"context_line":"* Add new octavia worker type to make ACMEv2 challenges"},{"line_number":574,"context_line":"* Modify listener api to use created ACMEv2 certs"},{"line_number":575,"context_line":"* Add Unit tests"},{"line_number":576,"context_line":"* Add API functional tests"},{"line_number":577,"context_line":"* Update Octavia cli and Openstacksdk"},{"line_number":578,"context_line":"* Write Documentation"},{"line_number":579,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"b1a559ea_8523e521","line":576,"updated":"2023-04-21 23:04:35.000000000","message":"tempest tests as well","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":35848,"name":"Julian DA CUNHA","display_name":"Julian","email":"julian.da-cunha@corp.ovh.com","username":"jdacunha"},"change_message_id":"41a498330cb2e972c80db04b23b2792158cd9100","unresolved":false,"context_lines":[{"line_number":573,"context_line":"* Add new octavia 
worker type to make ACMEv2 challenges"},{"line_number":574,"context_line":"* Modify listener api to use created ACMEv2 certs"},{"line_number":575,"context_line":"* Add Unit tests"},{"line_number":576,"context_line":"* Add API functional tests"},{"line_number":577,"context_line":"* Update Octavia cli and Openstacksdk"},{"line_number":578,"context_line":"* Write Documentation"},{"line_number":579,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"b4bc5283_a3dc0e93","line":576,"in_reply_to":"b1a559ea_8523e521","updated":"2023-04-25 11:41:23.000000000","message":"Ack","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"23c91d4ef470a161ade95b8e99086c142c49e964","unresolved":true,"context_lines":[{"line_number":581,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":582,"context_line":"System"},{"line_number":583,"context_line":""},{"line_number":584,"context_line":"- OpenSSL"},{"line_number":585,"context_line":"    https://www.pyopenssl.org/en/latest/install.html#supported-openssl-versions"},{"line_number":586,"context_line":"- Open TCP Port 80 on Amphorae to handle /.well-known/acme-challenge/ route"},{"line_number":587,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"d01c5d10_8c59f11d","line":584,"updated":"2023-04-21 23:04:35.000000000","message":"We should use the python cryptography module only. 
The system will obviously have to meet its requirements, but we should not call out pyOpenSSL here, we should not use it.","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":35848,"name":"Julian DA CUNHA","display_name":"Julian","email":"julian.da-cunha@corp.ovh.com","username":"jdacunha"},"change_message_id":"41a498330cb2e972c80db04b23b2792158cd9100","unresolved":false,"context_lines":[{"line_number":581,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":582,"context_line":"System"},{"line_number":583,"context_line":""},{"line_number":584,"context_line":"- OpenSSL"},{"line_number":585,"context_line":"    https://www.pyopenssl.org/en/latest/install.html#supported-openssl-versions"},{"line_number":586,"context_line":"- Open TCP Port 80 on Amphorae to handle /.well-known/acme-challenge/ route"},{"line_number":587,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"ab2897d2_c8bb60d2","line":584,"in_reply_to":"d01c5d10_8c59f11d","updated":"2023-04-25 11:41:23.000000000","message":"Ack","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"23c91d4ef470a161ade95b8e99086c142c49e964","unresolved":true,"context_lines":[{"line_number":589,"context_line":""},{"line_number":590,"context_line":"- acme\u003d\u003d2.2.0"},{"line_number":591,"context_line":"- cryptography\u003d\u003d39.0.1"},{"line_number":592,"context_line":"- dnspython\u003d\u003d2.3.0"},{"line_number":593,"context_line":"- pyOpenSSL\u003d\u003d23.0.0"},{"line_number":594,"context_line":""},{"line_number":595,"context_line":"Testing"}],"source_content_type":"text/x-rst","patch_set":8,"id":"185d92bd_b7abe891","line":592,"updated":"2023-04-21 23:04:35.000000000","message":"Ugh. This is such a problematic package. 
Do we need it?\nWould socket.getaddrinfo meet the need here?","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":35848,"name":"Julian DA CUNHA","display_name":"Julian","email":"julian.da-cunha@corp.ovh.com","username":"jdacunha"},"change_message_id":"41a498330cb2e972c80db04b23b2792158cd9100","unresolved":true,"context_lines":[{"line_number":589,"context_line":""},{"line_number":590,"context_line":"- acme\u003d\u003d2.2.0"},{"line_number":591,"context_line":"- cryptography\u003d\u003d39.0.1"},{"line_number":592,"context_line":"- dnspython\u003d\u003d2.3.0"},{"line_number":593,"context_line":"- pyOpenSSL\u003d\u003d23.0.0"},{"line_number":594,"context_line":""},{"line_number":595,"context_line":"Testing"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3968cc1a_aa8f44a7","line":592,"in_reply_to":"185d92bd_b7abe891","updated":"2023-04-25 11:41:23.000000000","message":"I would like to make DNS queries for specific DNS servers.\nThis is related to the DNS checks before issuing new certs.\n\nI found this piece of code, which seems to do the job, need to test it.\n\nhttps://github.com/1ocalhost/py_cheat/blob/master/dns_lookup.py","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":27442,"name":"Quentin GROLLEAU","email":"quentin.grolleau@corp.ovh.com","username":"QG"},"change_message_id":"6a8bb39ab37ecf2acbde76b5a40d8bc0055388d6","unresolved":false,"context_lines":[{"line_number":589,"context_line":""},{"line_number":590,"context_line":"- acme\u003d\u003d2.2.0"},{"line_number":591,"context_line":"- cryptography\u003d\u003d39.0.1"},{"line_number":592,"context_line":"- dnspython\u003d\u003d2.3.0"},{"line_number":593,"context_line":"- pyOpenSSL\u003d\u003d23.0.0"},{"line_number":594,"context_line":""},{"line_number":595,"context_line":"Testing"}],"source_content_type":"text/x-rst","patch_set":8,"id":"bf0b3679_48dbdc80","line":592,"in_reply_to":"3968cc1a_aa8f44a7","updated":"2023-06-07 
16:00:50.000000000","message":"Ack","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"23c91d4ef470a161ade95b8e99086c142c49e964","unresolved":true,"context_lines":[{"line_number":590,"context_line":"- acme\u003d\u003d2.2.0"},{"line_number":591,"context_line":"- cryptography\u003d\u003d39.0.1"},{"line_number":592,"context_line":"- dnspython\u003d\u003d2.3.0"},{"line_number":593,"context_line":"- pyOpenSSL\u003d\u003d23.0.0"},{"line_number":594,"context_line":""},{"line_number":595,"context_line":"Testing"},{"line_number":596,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":8,"id":"c5062a79_933e0578","line":593,"updated":"2023-04-21 23:04:35.000000000","message":"Do we really need this or will cryptography meet our needs. We should avoid pyOpenSSL if we can.\n\n\"The Python Cryptographic Authority strongly suggests the use of pyca/cryptography where possible.\"","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"},{"author":{"_account_id":35848,"name":"Julian DA CUNHA","display_name":"Julian","email":"julian.da-cunha@corp.ovh.com","username":"jdacunha"},"change_message_id":"41a498330cb2e972c80db04b23b2792158cd9100","unresolved":false,"context_lines":[{"line_number":590,"context_line":"- acme\u003d\u003d2.2.0"},{"line_number":591,"context_line":"- cryptography\u003d\u003d39.0.1"},{"line_number":592,"context_line":"- dnspython\u003d\u003d2.3.0"},{"line_number":593,"context_line":"- pyOpenSSL\u003d\u003d23.0.0"},{"line_number":594,"context_line":""},{"line_number":595,"context_line":"Testing"},{"line_number":596,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":8,"id":"f9f8dda1_67402a58","line":593,"in_reply_to":"c5062a79_933e0578","updated":"2023-04-25 11:41:23.000000000","message":"Yeah i realise, i don\u0027t really 
need it.\nI was using this lib to generate an RSA private key (for the cert).\n\nI am able to generate one using `cryptography`.\n\nhttps://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/#generation","commit_id":"ff775e331716451cbb7f29c87be647a5e33cddd9"}]}
