[tor-bugs] #24928 [Obfuscation/meek]: Use `Manager.HTTPHandler` (ACME "HTTP-01" challenge) for automatic certificates

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Jan 18 02:58:39 UTC 2018


#24928: Use `Manager.HTTPHandler` (ACME "HTTP-01" challenge) for automatic
certificates
----------------------------------+-----------------
     Reporter:  dcf               |      Owner:  dcf
         Type:  project           |     Status:  new
     Priority:  Medium            |  Milestone:
    Component:  Obfuscation/meek  |    Version:
     Severity:  Normal            |   Keywords:
Actual Points:                    |  Parent ID:
       Points:                    |   Reviewer:
      Sponsor:                    |
----------------------------------+-----------------
 Let's Encrypt disabled the TLS-SNI challenge, which is the basis of the
 [https://godoc.org/golang.org/x/crypto/acme/autocert autocert] package
 that meek-server uses for automatic TLS certificates:
  * [https://letsencrypt.status.io/pages/incident/55957a99e800baa4470002da/5a55777ed9a9c1024c00b241 tls-sni challenge disabled]
 I've informed the public meek-server operators about this and asked that
 they be ready with manual certificates in the short term.

 The autocert package recently added support for the HTTP-01 challenge. It
 requires the server to listen on port 80.

 Further reading:
  * [https://community.letsencrypt.org/t/2018-01-09-issue-with-tls-sni-01-and-shared-hosting-infrastructure/49996 2018.01.09 Issue with TLS-SNI-01 and Shared Hosting Infrastructure]
  * [https://community.letsencrypt.org/t/2018-01-11-update-regarding-acme-tls-sni-and-shared-hosting-infrastructure/50188 2018.01.11 Update Regarding ACME TLS-SNI and Shared Hosting Infrastructure]
  * [https://community.letsencrypt.org/t/tls-sni-challenges-disabled-for-most-new-issuance/50316 TLS-SNI challenges disabled for most new issuance]
  * https://twitter.com/bradfitz/status/951909513593958400
    > Use the #golang autocert package? You need to update your code due to @LetsEncrypt changes.
    > You need to use this now: https://godoc.org/golang.org/x/crypto/acme/autocert#Manager.HTTPHandler
    > See the example: https://godoc.org/golang.org/x/crypto/acme/autocert#example-Manager
    > Everybody's sorry. Tears all around. 😢
  * [https://github.com/golang/go/issues/21890 x/crypto/acme/autocert: Support http-01 challenge (GitHub #21890)]
  * [https://github.com/golang/crypto/commit/13931e22f9e72ea58bb73048bc752b48c6d4d4ac#diff-5738396ae12462da1c47c2f0f4bb8096 acme/autocert: support http-01 challenge type]

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24928>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
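Added illustration of what the port-80 requirement in the ticket buys you. This is editor-written example code, not part of the ticket, of meek-server, or of the autocert package: it implements the HTTP-01 validation path that `Manager.HTTPHandler` handles internally, using only the Go standard library so it runs offline. The CA expects `GET /.well-known/acme-challenge/<token>` on port 80 to return the key authorization `<token>.<thumbprint>`, where the thumbprint is the RFC 7638 JWK thumbprint of the ACME account key; every other request on port 80 is redirected to HTTPS. The token `demo-token`, the host `meek.example` and the helper names (`Responder`, `probe`, `stripPort`) are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"log"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// HTTP-01 validators fetch this well-known path over plain HTTP on port 80.
const challengePrefix = "/.well-known/acme-challenge/"

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// jwkThumbprint returns the RFC 7638 thumbprint of an EC account key:
// base64url(SHA-256(canonical JWK)). The canonical JWK carries only the
// required members crv, kty, x, y in lexical order with no whitespace,
// which is exactly what json.Marshal emits for this struct.
func jwkThumbprint(pub *ecdsa.PublicKey) (string, error) {
	size := (pub.Curve.Params().BitSize + 7) / 8
	x, y := make([]byte, size), make([]byte, size)
	pub.X.FillBytes(x)
	pub.Y.FillBytes(y)
	jwk := struct {
		Crv string `json:"crv"`
		Kty string `json:"kty"`
		X   string `json:"x"`
		Y   string `json:"y"`
	}{pub.Curve.Params().Name, "EC", b64(x), b64(y)}
	raw, err := json.Marshal(jwk)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(raw)
	return b64(sum[:]), nil
}

// keyAuthorization is the body the CA expects for a token: token "." thumbprint.
func keyAuthorization(token, thumbprint string) string { return token + "." + thumbprint }

// Responder answers pending HTTP-01 challenges and sends every other request
// to HTTPS, the same division of labour autocert's Manager.HTTPHandler does.
type Responder struct {
	mu      sync.RWMutex
	pending map[string]string // token -> key authorization
}

func NewResponder() *Responder { return &Responder{pending: map[string]string{}} }

// Put registers a challenge the ACME client has just been handed by the CA.
func (r *Responder) Put(token, keyAuth string) {
	r.mu.Lock()
	defer r.mu.Unlock()
	r.pending[token] = keyAuth
}

func stripPort(host string) string {
	if h, _, err := net.SplitHostPort(host); err == nil {
		return h
	}
	return host
}

func (r *Responder) ServeHTTP(w http.ResponseWriter, req *http.Request) {
	if strings.HasPrefix(req.URL.Path, challengePrefix) {
		token := strings.TrimPrefix(req.URL.Path, challengePrefix)
		r.mu.RLock()
		keyAuth, ok := r.pending[token]
		r.mu.RUnlock()
		if !ok { // unknown token: never echo anything attacker-controlled back
			http.NotFound(w, req)
			return
		}
		w.Header().Set("Content-Type", "text/plain")
		fmt.Fprint(w, keyAuth)
		return
	}
	// Not a challenge. Only idempotent methods are safe to redirect.
	if req.Method != http.MethodGet && req.Method != http.MethodHead {
		http.Error(w, "Use HTTPS", http.StatusBadRequest)
		return
	}
	http.Redirect(w, req, "https://"+stripPort(req.Host)+req.URL.RequestURI(), http.StatusFound)
}

// probe runs one request through h in-process and returns status, Location and body.
func probe(h http.Handler, method, target string) (int, string, string) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(method, target, nil))
	return rec.Code, rec.Header().Get("Location"), rec.Body.String()
}

func main() {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stand-in for the ACME account key
	if err != nil {
		log.Fatal(err)
	}
	tp, err := jwkThumbprint(&key.PublicKey)
	if err != nil {
		log.Fatal(err)
	}
	r := NewResponder()
	r.Put("demo-token", keyAuthorization("demo-token", tp)) // "demo-token" is constructed, a real one comes from the CA
	log.Println("answering HTTP-01 on :80 at", challengePrefix+"demo-token")
	log.Fatal(http.ListenAndServe(":80", r)) // port 80 must be reachable from the CA's validators
}
```

The operational check this implies for a meek-server operator: if port 80 is firewalled, bound by another daemon, or fronted by a CDN that rewrites the path, the CA never sees the key authorization and issuance fails regardless of what the TLS listener does, so test `curl http://<host>/.well-known/acme-challenge/<token>` from outside the network before relying on automatic renewal.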