Over the last few weeks, I've been doing some work to plan a new open source project called Starchart. The idea behind it is to solve a problem that a lot of us teaching programming have, namely, to make it easy and cheap (read "free!") for students to create custom domains and TLS certificates. The name "starchart" is a play on our other big open source projects (Telescope and Satellite): Starchart will help us map the work of our student developers across the internet.
This idea is nothing new. Students can already create .me domains via Namecheap's education program. However, what I don't love about this is that it still requires a credit card and a student's personal information. I'm also inspired by my colleague Andrew Smith, who built something like this for his own cloud students a few years ago.
However, I want something that will work for all of our (i.e., Seneca) students, and I want it to be a self-serve tool. The goal is that it be trivially easy for any of our students to create a new domain, point it at some server they are building, and get a TLS certificate they can then use to run the project securely.
From a technical perspective, my plan is as follows:
- Run our own authoritative DNS server with an API that allows records to be managed dynamically. I think PowerDNS looks perfect with its database backends and API. In production we'll use MySQL, and SQLite in development. To be honest, I don't think we'll need another database beyond the DNS.
- Build a node.js web service that can handle student SAML authentication (we've been here before!) and provide a REST API to our web front-end for creating/managing domains and certificates.
- Build a web front-end that allows students to authenticate and manage their own domains and certificates. Subdomains would last for a year unless renewed, and certificates would be auto-renewed for them.
- Buy a domain and use it to allow students to create host.studentname.domain.com subdomains, each pointing to either an A record (i.e., an IP address) or a CNAME record (i.e., another domain name).
- Use Let's Encrypt with DNS challenges to create *.studentname.domain.com wildcard certificates, which can be installed in various servers/services.
This weekend I decided to try and hack together a proof of concept for this setup. I used Docker to combine PowerDNS, a node service, an nginx web server (representing an external machine that needs a domain), and the Let's Encrypt pebble ACME test server and challenge server (btw, I love clever names like "pebble" for the smaller version of "boulder").
Using these separate containers, I'm able to simulate our network, create DNS records (from node.js to PowerDNS via the API), and order certificates from pebble using a DNS challenge, which are then presented to the user via a web app. It's harder to explain than to show you, so I made a short demo video:
My weekend hack helped me feel confident that this can be done. The gaps I have in my knowledge of DNS and Linux admin (I'm a programmer, don't ask me how to manage your servers...) are something I hope to have filled in by Chris Tyler, who does know everything about this stuff, and has already been giving me some excellent feedback. I've also been talking with Mehrdad Ziaei about having ITS host this in production, which seems doable.
Now all I need are a bunch of willing students who want to spend a semester turning this blog post into production-quality software that we can ship to every Seneca student. If that sounds like you, please meet me in OSD700/DPS911 this January!