[tor-bugs] #24928 [Obfuscation/meek]: Use `Manager.HTTPHandler` (ACME "HTTP-01" challenge) for automatic certificates
#24928: Use `Manager.HTTPHandler` (ACME "HTTP-01" challenge) for automatic
certificates
----------------------------------+-----------------
Reporter: dcf | Owner: dcf
Type: project | Status: new
Priority: Medium | Milestone:
Component: Obfuscation/meek | Version:
Severity: Normal | Keywords:
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
----------------------------------+-----------------
Let's Encrypt disabled the TLS-SNI challenge, which is the basis of the
[https://godoc.org/golang.org/x/crypto/acme/autocert autocert] package
that meek-server uses for automatic TLS certificates:
* [https://letsencrypt.status.io/pages/incident/55957a99e800baa4470002da/5a55777ed9a9c1024c00b241 tls-sni challenge disabled]
I've informed the public meek-server operators about this and asked that
they be ready with manual certificates in the short term.
The autocert package recently added support for the HTTP-01 challenge. It
requires the server to listen on port 80.
Further reading:
* [https://community.letsencrypt.org/t/2018-01-09-issue-with-tls-sni-01-and-shared-hosting-infrastructure/49996 2018.01.09 Issue with TLS-SNI-01 and Shared Hosting Infrastructure]
* [https://community.letsencrypt.org/t/2018-01-11-update-regarding-acme-tls-sni-and-shared-hosting-infrastructure/50188 2018.01.11 Update Regarding ACME TLS-SNI and Shared Hosting Infrastructure]
* [https://community.letsencrypt.org/t/tls-sni-challenges-disabled-for-most-new-issuance/50316 TLS-SNI challenges disabled for most new issuance]
* https://twitter.com/bradfitz/status/951909513593958400
> Use the #golang autocert package? You need to update your code due to @LetsEncrypt changes.
> You need to use this now: https://godoc.org/golang.org/x/crypto/acme/autocert#Manager.HTTPHandler
> See the example: https://godoc.org/golang.org/x/crypto/acme/autocert#example-Manager
> Everybody's sorry. Tears all around. 😢
* [https://github.com/golang/go/issues/21890 x/crypto/acme/autocert: Support http-01 challenge (GitHub #21890)]
* [https://github.com/golang/crypto/commit/13931e22f9e72ea58bb73048bc752b48c6d4d4ac#diff-5738396ae12462da1c47c2f0f4bb8096 acme/autocert: support http-01 challenge type]
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24928>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
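What the port 80 listener mentioned in the ticket has to do for HTTP-01, as an added example that is not meek-server or autocert code: a standard-library-only Go sketch modelled on the documented behavior of `Manager.HTTPHandler` with a nil fallback (answer the challenge path, redirect other GET/HEAD requests to HTTPS, serve nothing else in cleartext). `challengeStore`, `port80Handler`, the host name and the token values are hypothetical.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

const challengePrefix = "/.well-known/acme-challenge/" // HTTP-01 path (RFC 8555)
// challengeStore maps pending HTTP-01 tokens to key authorizations (hypothetical type).
type challengeStore struct {
	mu     sync.RWMutex
	tokens map[string]string
}
// port80Handler answers HTTP-01 validation and redirects other GET/HEAD to HTTPS.
func port80Handler(s *challengeStore) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strings.HasPrefix(r.URL.Path, challengePrefix) {
			s.mu.RLock()
			keyAuth, ok := s.tokens[strings.TrimPrefix(r.URL.Path, challengePrefix)]
			s.mu.RUnlock()
			if !ok {
				http.NotFound(w, r) // unknown token: reveal nothing
				return
			}
			fmt.Fprint(w, keyAuth)
			return
		}
		if r.Method != http.MethodGet && r.Method != http.MethodHead {
			http.Error(w, "Use HTTPS", http.StatusBadRequest) // never accept request bodies in cleartext
			return
		}
		host := r.Host
		if h, _, err := net.SplitHostPort(host); err == nil {
			host = h // drop ":80" so the redirect targets the default TLS port
		}
		http.Redirect(w, r, "https://"+host+r.URL.RequestURI(), http.StatusFound)
	})
}

func main() { // demo with a constructed token and key authorization
	s := &challengeStore{tokens: map[string]string{"tok123": "tok123.thumbprint"}}
	rec := httptest.NewRecorder()
	port80Handler(s).ServeHTTP(rec, httptest.NewRequest("GET", challengePrefix+"tok123", nil))
	fmt.Println(rec.Code, rec.Body.String())
}
```

In a real deployment the handler would be passed to `http.ListenAndServe(":80", ...)` alongside the TLS listener on port 443, and the ACME client would fill the store during issuance.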