<div dir="ltr"><div><span style="font-size:9.6px">> I'm looking for ideas of good ways to handle TLS certificates and their</span><br style="font-size:9.6px"><span style="font-size:9.6px">> renewal for meek bridges. I want to use Let's Encrypt for this process,</span><br style="font-size:9.6px"><span style="font-size:9.6px">> and I hope that someone who knows Let's Encrypt well can contribute some</span><br style="font-size:9.6px"><span style="font-size:9.6px">> ideas.</span><br></div><div><span style="font-size:9.6px"><br></span></div><div><font size="1">> </font><span style="font-size:9.6px">ideally not requiring new </span><span style="font-size:9.6px">complicated code in meek-server itself</span></div><div><br></div>If you're OK with some amount of new code, there are Go client libraries that might be sufficiently flexible:<div><br><div>- <a href="https://github.com/xenolf/lego" target="_blank">https://github.com/xenolf/lego</a></div><div>- <a href="https://ericchiang.github.io/go/tls/lets/encrypt/letsencrypt/2015/11/13/a-letsencrypt-client-for-go.html" target="_blank">https://ericchiang.github.io/go/tls/lets/encrypt/letsencrypt/2015/11/13/a-letsencrypt-client-for-go.html</a></div><div><br></div></div><div>I'll give this a try soon if you haven't already.</div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Mar 25, 2016 at 1:54 PM, David Fifield <span dir="ltr"><<a href="mailto:david@bamsoftware.com" target="_blank">david@bamsoftware.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I'm looking for ideas of good ways to handle TLS certificates and their<br>
renewal for meek bridges. I want to use Let's Encrypt for this process,<br>
and I hope that someone who knows Let's Encrypt well can contribute some<br>
ideas.<br>
<br>
All three of the meek bridges use HTTPS to receive connections from the<br>
CDN, so they need TLS certificates. For example, when you use<br>
meek-azure, your traffic is forwarded to the bridge at<br>
<a href="https://meek.bamsoftware.com/" rel="noreferrer" target="_blank">https://meek.bamsoftware.com/</a>. How it works now is I do the usual domain<br>
validation procedure with a CA, receive an email to show that I control<br>
the domain, install the cert and key, and then run the server like this:<br>
meek-server --cert /etc/meek/cert.pem --key /etc/meek/key.pem<br>
<br>
When I used Let's Encrypt in the past, using the --webroot option, it<br>
wanted to write a file to the URL path "/.well-known/acme-challenge/{token}".<br>
That won't work for meek-server as it exists today, because meek-server<br>
never serves files from the filesystem. But it could. Perhaps we could<br>
add an option like --acme-webroot that would allow serving files from a<br>
single whitelisted directory.<br>
<br>
I notice that there are other ways of proving domain ownership (HTTP,<br>
TLS SNI, DNS). Maybe we could use one of those?<br>
<a href="https://ietf-wg-acme.github.io/acme/#identifier-validation-challenges" rel="noreferrer" target="_blank">https://ietf-wg-acme.github.io/acme/#identifier-validation-challenges</a><br>
<br>
I also note that there are third-party plugins:<br>
<a href="https://github.com/letsencrypt/letsencrypt/wiki/Plugins" rel="noreferrer" target="_blank">https://github.com/letsencrypt/letsencrypt/wiki/Plugins</a><br>
Maybe there could be a plugin for meek-server (ideally not requiring new<br>
complicated code in meek-server itself).<br>
<br>
Currently you have to restart meek-server in order to make it notice a<br>
changed certificate and key file. It would be better if that were not<br>
necessary--maybe we could periodically stat the files, and re-load them<br>
if they have changed?<br>
<br>
This is going to be an issue for Snowflake as well, because we will want<br>
to use WebSocket over TLS for the server component.<br>
_______________________________________________<br>
tor-dev mailing list<br>
<a href="mailto:tor-dev@lists.torproject.org" target="_blank">tor-dev@lists.torproject.org</a><br>
<a href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev" rel="noreferrer" target="_blank">https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev</a><br>
</blockquote></div><br></div></div>