[tor-dev] Using Let's Encrypt for meek bridges

George Tankersley george.tankersley at gmail.com
Sat Apr 9 00:28:45 UTC 2016


> I'm looking for ideas of good ways to handle TLS certificates and their
> renewal for meek bridges. I want to use Let's Encrypt for this process,
> and I hope that someone who knows Let's Encrypt well can contribute some
> ideas.

> ideally not requiring new complicated code in meek-server itself

If you're OK with some amount of new code, there are Go client libraries
that might be sufficiently flexible:

- https://github.com/xenolf/lego
-
https://ericchiang.github.io/go/tls/lets/encrypt/letsencrypt/2015/11/13/a-letsencrypt-client-for-go.html

I'll give this a try soon if you haven't already.

On Fri, Mar 25, 2016 at 1:54 PM, David Fifield <david at bamsoftware.com>
wrote:

> I'm looking for ideas of good ways to handle TLS certificates and their
> renewal for meek bridges. I want to use Let's Encrypt for this process,
> and I hope that someone who knows Let's Encrypt well can contribute some
> ideas.
>
> All three of the meek bridges use HTTPS to receive connections from the
> CDN, so they need TLS certificates. For example, when you use
> meek-azure, your traffic is forwarded to the bridge at
> https://meek.bamsoftware.com/. How it works now is I do the usual domain
> validation procedure with a CA, receive an email to show that I control
> the domain, install the cert and key, and then run the server like this:
>         meek-server --cert /etc/meek/cert.pem --key /etc/meek/key.pem
>
> When I used Let's Encrypt in the past, using the --webroot option, it
> wanted to write a file to the URL path
> "/.well-known/acme-challenge/{token}".
> That won't work for meek-server as it exists today, because meek-server
> never serves files from the filesystem. But it could. Perhaps we could
> add an option like --acme-webroot that would allow serving files from a
> single whitelisted directory.
>
> I notice that there are other ways of proving domain ownership (HTTP,
> TLS SNI, DNS). Maybe we could use one of those?
> https://ietf-wg-acme.github.io/acme/#identifier-validation-challenges
>
> I also note that there are third-party plugins:
> https://github.com/letsencrypt/letsencrypt/wiki/Plugins
> Maybe there could be a plugin for meek-server (ideally not requiring new
> complicated code in meek-server itself).
>
> Currently you have to restart meek-server in order to make it notice a
> changed certificate and key file. It would be better if that were not
> necessary--maybe we could periodically stat the files, and re-load them
> if they have changed?
>
> This is going to be an issue for Snowflake as well, because we will want
> to use WebSocket over TLS for the server component.
> _______________________________________________
> tor-dev mailing list
> tor-dev at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20160408/d3a28ee7/attachment.html>


More information about the tor-dev mailing list