[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #18655 [meek]: Make meek-server easy to use with Let's Encrypt
#18655: Make meek-server easy to use with Let's Encrypt
-------------------------+---------------------
Reporter: dcf | Owner: dcf
Type: enhancement | Status: new
Priority: Medium | Milestone:
Component: meek | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------+---------------------
Comment (by dcf):
I posted a request for ideas to tor-dev.
https://lists.torproject.org/pipermail/tor-dev/2016-March/010645.html
> I'm looking for ideas of good ways to handle TLS certificates and their
renewal for meek bridges. I want to use Let's Encrypt for this process,
and I hope that someone who knows Let's Encrypt well can contribute some
ideas.
>
> All three of the meek bridges use HTTPS to receive connections from the
CDN, so they need TLS certificates. For example, when you use meek-azure,
your traffic is forwarded to the bridge at https://meek.bamsoftware.com/.
How it works now is I do the usual domain validation procedure with a CA,
receive an email to show that I control the domain, install the cert and
key, and then run the server like this:
> {{{
> meek-server --cert /etc/meek/cert.pem --key /etc/meek/key.pem
> }}}
>
> When I used Let's Encrypt in the past, using the `--webroot` option, it
wanted to write a file to the URL path `/.well-known/acme-
challenge/{token}`. That won't work for meek-server as it exists today,
because meek-server never serves files from the filesystem. But it could.
Perhaps we could add an option like `--acme-webroot` that would allow
serving files from a single whitelisted directory.
>
> I notice that there are other ways of proving domain ownership (HTTP,
TLS SNI, DNS). Maybe we could use one of those?
> https://ietf-wg-acme.github.io/acme/#identifier-validation-challenges
>
> I also note that there are third-party plugins:
> https://github.com/letsencrypt/letsencrypt/wiki/Plugins
> Maybe there could be a plugin for meek-server (ideally not requiring new
complicated code in meek-server itself).
>
> Currently you have to restart meek-server in order to make it notice a
changed certificate and key file. It would be better if that were not
necessary--maybe we could periodically stat the files, and re-load them if
they have changed?
>
> This is going to be an issue for Snowflake as well, because we will want
to use WebSocket over TLS for the server component.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18655#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs