malai http bridge custom domain support and lets encrypt integration #47
amitu started this conversation in Ideas & RFCs
Replies: 0 comments
We can add DNS support in `malai http-bridge`, so when you run `malai http --bridge=<bridge-base> --domain=amitu.com 5000`, the `malai http` will contact `malai http-bridge` on `<bridge-base>` and ask it to generate the certificate. If this is the first time, the bridge will respond with DNS instructions that you will have to follow to map the DNS records for your domain to `<bridge-base>`'s IP address(es), and will wait for DNS to be updated; once done, it will issue the certificate using Let's Encrypt and run your domain.

**Security Note**

Every time you change the bridge you will have to redo this process, and it is not generally a good idea to trust a random HTTP bridge with your domain, so only do it for a bridge run by someone you trust.
Even if you move to another bridge, the old bridge will still have the old and valid SSL certificate for your domain.
Actually, now that I have said it, I feel it could be possible for you to generate the SSL certificate and share the private key with the bridge. The advantage of you issuing the private key and sharing it with the other side is that you can re-use the private key when moving, or you can unilaterally revoke the certificate if you have the private key. Even if the bridge is generating the private key, maybe we can get the bridge to share the certificate, but there is a slight risk: what if the bridge successfully generates the certificate and refuses to share it? Then you have nothing with which to revoke the certificate.
Let's Encrypt has a concept of an account-id; maybe it is best that the account-id is kept locally and never shared with the bridge. The bridge will need the SSL certificate private key; this is unavoidable if we want the bridge to handle SSL for you.
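The key-ownership split discussed above, as an added example in Go that is not part of malai and does not reflect its actual protocol: the domain owner keeps the ACME account key locally, generates a separate certificate private key plus a CSR, and hands only the certificate key and CSR to the bridge. The `DomainOwner`, `BridgeHandoff`, `VerifyHandoff` and `DNSPointsAtBridge` names are hypothetical; no Let's Encrypt request is actually made, and the DNS check takes already-resolved addresses so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"net"
)

// DomainOwner models the side running `malai http --domain=...` (hypothetical
// type, not malai's own). It holds two deliberately separate keys:
//   - AccountKey: the ACME (Let's Encrypt) account key, which never leaves here
//   - CertKey:    the TLS certificate private key, which the bridge receives
type DomainOwner struct {
	Domain     string
	AccountKey *ecdsa.PrivateKey
	CertKey    *ecdsa.PrivateKey
}

// BridgeHandoff is everything the bridge gets: the certificate key (so it can
// terminate TLS) and a CSR for the domain. The ACME account key is absent.
type BridgeHandoff struct {
	CertKeyPEM []byte
	CSRDER     []byte
}

// NewDomainOwner generates both keys locally; the account key is never exported.
func NewDomainOwner(domain string) (*DomainOwner, error) {
	acct, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	cert, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &DomainOwner{Domain: domain, AccountKey: acct, CertKey: cert}, nil
}

// Handoff signs a CSR with the certificate key and serializes that key (only).
func (o *DomainOwner) Handoff() (*BridgeHandoff, error) {
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: o.Domain},
		DNSNames: []string{o.Domain},
	}
	csr, err := x509.CreateCertificateRequest(rand.Reader, tmpl, o.CertKey)
	if err != nil {
		return nil, err
	}
	der, err := x509.MarshalECPrivateKey(o.CertKey)
	if err != nil {
		return nil, err
	}
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: der})
	return &BridgeHandoff{CertKeyPEM: keyPEM, CSRDER: csr}, nil
}

// VerifyHandoff is what the bridge should do on receipt: check the CSR's
// signature, confirm the key it was given matches the CSR, and confirm the
// CSR actually names the domain it was asked to serve.
func VerifyHandoff(h *BridgeHandoff, domain string) error {
	csr, err := x509.ParseCertificateRequest(h.CSRDER)
	if err != nil {
		return err
	}
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("bad CSR signature: %w", err)
	}
	block, _ := pem.Decode(h.CertKeyPEM)
	if block == nil {
		return fmt.Errorf("no PEM block in certificate key")
	}
	key, err := x509.ParseECPrivateKey(block.Bytes)
	if err != nil {
		return err
	}
	if !key.PublicKey.Equal(csr.PublicKey) {
		return fmt.Errorf("certificate key does not match CSR public key")
	}
	for _, n := range csr.DNSNames {
		if n == domain {
			return nil
		}
	}
	return fmt.Errorf("CSR does not cover %s", domain)
}

// DNSPointsAtBridge is the gate before issuance: every address the domain
// resolves to must be one of the bridge's own addresses (constructed inputs).
func DNSPointsAtBridge(resolved, bridgeIPs []string) bool {
	if len(resolved) == 0 {
		return false
	}
	own := map[string]bool{}
	for _, ip := range bridgeIPs {
		if p := net.ParseIP(ip); p != nil {
			own[p.String()] = true
		}
	}
	for _, ip := range resolved {
		p := net.ParseIP(ip)
		if p == nil || !own[p.String()] {
			return false
		}
	}
	return true
}

func main() {
	owner, err := NewDomainOwner("amitu.com")
	if err != nil {
		panic(err)
	}
	h, err := owner.Handoff()
	if err != nil {
		panic(err)
	}
	fmt.Println("handoff verified:", VerifyHandoff(h, "amitu.com"))
	// Constructed addresses from the documentation range, not real bridge IPs.
	fmt.Println("dns points at bridge:", DNSPointsAtBridge([]string{"203.0.113.10"}, []string{"203.0.113.10"}))
}
```

Because the bridge holds `CertKey` it can serve TLS for the domain, which is the unavoidable trust the post describes; because the owner also holds `CertKey` and the account key, the owner can revoke through ACME without the bridge's cooperation.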
Note that revoking a certificate is not always sufficient: