Let me know if you're able to try getting an https certificate in this way: using tls-alpn-01 negotiation with txsni (acme branch) and the dehydrated letsencrypt client:

Install txsni (acme branch):
    pip install git+https://github.com/dholth/txsni@acme#egg=txsni

Unpack the dehydrated acme client shell script from https://dehydrated.io/

Make and enter the config directory:
    mkdir -p ~/etc/dehydrated
    cd ~/etc/dehydrated

Use acmesni to listen on port 443:
    authbind twist web --listen acmesni:~/etc/dehydrated:tcp6:443 &

Make the config file:
    echo CHALLENGETYPE="tls-alpn-01" > config

Create a letsencrypt account:
    dehydrated --register --accept-terms

Request a certificate (replace example.com with your fqdn):
    dehydrated -c -d example.com

Letsencrypt should request a special certificate from the twisted web server to prove domain control, and then dehydrated installs the new certificate for 'example.com' in ~/etc/dehydrated/certs/... https://example.com will be ready to go.

Authbind, to listen on privileged ports in linux without root:
    (install authbind)
    touch /etc/authbind/byport/{80,443}
    chown <username> /etc/authbind/byport/*
    chmod u+x /etc/authbind/byport/*

On Sun, Mar 24, 2019 at 9:17 PM Daniel Holth <dho...@gmail.com> wrote:
>
> Do move it to twisted. I was surprised it wasn't already there.
>
> On Sun, Mar 24, 2019, 17:39 Glyph <gl...@twistedmatrix.com> wrote:
>>
>> Thanks! I put some review comments on it. I would encourage others with
>> interest in this area to have a look; I might not get back to this for a
>> couple of weeks, but I'd be happy to give people collaborator permissions on
>> the repo if they'd like to help out.
>>
>> (Frankly it's probably time that this project grew up and moved over to the
>> Twisted org anyway, given that txacme depends on it...)
>>
>> -g
>>
>> On Mar 24, 2019, at 1:59 PM, Daniel Holth <dho...@gmail.com> wrote:
>>
>> Pull request for txsni acme https://github.com/glyph/txsni/pull/28
>>
>> On Sun, Mar 24, 2019, 16:33 Glyph <gl...@twistedmatrix.com> wrote:
>>>
>>> Any chance you could include a link to the relevant PR? Pulling this out
>>> of the raging tire-fire of my Github notifications would take an
>>> unfortunately non-trivial amount of time - and I imagine that not everyone
>>> subscribed might even be on the appropriate repos :).
>>>
>>> -g
>>>
>>> On Mar 24, 2019, at 9:26 AM, Daniel Holth <dho...@gmail.com> wrote:
>>>
>>> The cleaned up pull request should be really easy to try, with a
>>> dehydrated:(basedir) string port. Go get some certs people!
>>>
>>> On Sun, Mar 24, 2019, 00:55 Glyph <gl...@twistedmatrix.com> wrote:
>>>>
>>>> I think ACME_TLS_1 is a sufficiently high-entropy string that the
>>>> likelihood of brokenness from this approach is basically zero.
>>>>
>>>> -g
>>>>
>>>> On Mar 23, 2019, at 9:20 PM, Daniel Holth <dho...@gmail.com> wrote:
>>>>
>>>> All we have to do is have some kind of per-connection certificate store or
>>>> flag. If acme is in the first packet and the special certificate exists,
>>>> send it. Otherwise send the normal certificate, for a very short window of
>>>> possible brokenness. Letsencrypt may or may not require correct alpn
>>>> negotiation. Should be simple.
>>>>
>>>> I'm happy running the acme client separately and listing my domain instead
>>>> of doing it all on demand inside twisted.
>>>>
>>>> On Sat, Mar 23, 2019, 23:59 Glyph <gl...@twistedmatrix.com> wrote:
>>>>>
>>>>> > On Mar 23, 2019, at 4:06 PM, Daniel Holth <dho...@gmail.com> wrote:
>>>>> >
>>>>> > HOLY REGEX BATMAN
>>>>> >
>>>>> > class _ConnectionProxy(object):
>>>>> >
>>>>> >     def bio_write(self, buf):
>>>>> >         # ACME_TLS_1 is the b"acme-tls/1" ALPN protocol name; once it is
>>>>> >         # seen in inbound bytes, flag the connection and stop inspecting.
>>>>> >         if ACME_TLS_1 in buf:
>>>>> >             self.acme_tls_1 = True
>>>>> >             self.bio_write = self._obj.bio_write
>>>>> >         return self._obj.bio_write(buf)
>>>>> >
>>>>> > Now we can choose the acme certificate store in the sni callback and
>>>>> > make letsencrypt happy!
>>>>>
>>>>> 1. Gross
>>>>> 2. Hooray!
>>>>>
>>>>> -g
>>>>>
>>>>> _______________________________________________
>>>>> Twisted-Python mailing list
>>>>> Twisted-Python@twistedmatrix.com
>>>>> https://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
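The whole thread turns on one decision: is this incoming TLS connection a tls-alpn-01 validation probe (ALPN offering "acme-tls/1") or ordinary traffic, so that the right certificate can be picked in the SNI callback. The patch discussed above does that with a substring search over the first bytes. As an added example, not code from txsni, Twisted, dehydrated or any message in this thread, the stdlib-only Python below parses the ClientHello properly and extracts the SNI host name and the ALPN list, then compares that answer with the substring check on a constructed decoy. All function names, the fixed client random and the sample ClientHello bytes are this example's own assumptions.

```python
import struct

# ALPN protocol name used by the tls-alpn-01 challenge (RFC 8737).
ACME_TLS_1 = b"acme-tls/1"
EXT_SERVER_NAME = 0x0000   # TLS extension type: server_name (SNI)
EXT_ALPN = 0x0010          # TLS extension type: application_layer_protocol_negotiation


def build_client_hello(server_name, alpn_protocols, client_random=b"\x11" * 32):
    """Build a minimal, constructed TLS 1.2-style ClientHello record for testing.

    Only what this example needs is populated: one cipher suite, the null
    compression method, an SNI extension and an ALPN extension.
    """
    assert len(client_random) == 32
    sni_entry = b"\x00" + struct.pack("!H", len(server_name)) + server_name   # host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext_sni = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list

    alpn_entries = b"".join(bytes([len(p)]) + p for p in alpn_protocols)
    alpn_list = struct.pack("!H", len(alpn_entries)) + alpn_entries
    ext_alpn = struct.pack("!HH", EXT_ALPN, len(alpn_list)) + alpn_list

    extensions = ext_sni + ext_alpn
    body = (
        b"\x03\x03" + client_random                # client_version, random
        + b"\x00"                                  # empty session_id
        + struct.pack("!H", 2) + b"\x13\x01"       # one cipher suite
        + b"\x01\x00"                              # one compression method (null)
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (sni, alpn_list) from a TLS record carrying a ClientHello.

    sni is a str or None; alpn_list holds bytes in client preference order.
    Raises ValueError for anything that is not a complete ClientHello record.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < rec_len or len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a complete ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        raise ValueError("truncated ClientHello")

    pos = 2 + 32                                             # client_version, random
    pos += 1 + body[pos]                                     # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]     # cipher_suites
    pos += 1 + body[pos]                                     # compression_methods
    sni, alpn = None, []
    if pos + 2 > len(body):
        return sni, alpn                                     # no extensions block
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == EXT_SERVER_NAME:
            p = 2                                            # skip list length
            while p + 3 <= len(edata):
                name_type = edata[p]
                name_len = struct.unpack("!H", edata[p + 1:p + 3])[0]
                p += 3
                if name_type == 0 and sni is None:           # host_name entry
                    sni = edata[p:p + name_len].decode("ascii", "replace")
                p += name_len
        elif etype == EXT_ALPN:
            p = 2                                            # skip list length
            while p < len(edata):
                plen = edata[p]
                alpn.append(edata[p + 1:p + 1 + plen])
                p += 1 + plen
    return sni, alpn


def is_acme_validation(record):
    """(is_tls_alpn_01_probe, sni): True only when acme-tls/1 is offered via ALPN."""
    sni, alpn = parse_client_hello(record)
    return ACME_TLS_1 in alpn, sni


if __name__ == "__main__":
    probe = build_client_hello(b"example.com", [ACME_TLS_1])
    browser = build_client_hello(b"example.com", [b"h2", b"http/1.1"])
    # Constructed decoy: the marker bytes sit in the random field, not in ALPN.
    decoy = build_client_hello(b"example.com", [b"h2"], b"acme-tls/1" + b"\x00" * 22)
    for name, rec in [("probe", probe), ("browser", browser), ("decoy", decoy)]:
        print(name, "substring:", ACME_TLS_1 in rec, "parsed:", is_acme_validation(rec))
```

The parser only reads the first record's ClientHello; a real listener would buffer until the full handshake message has arrived before deciding, and would then still need to select "acme-tls/1" in its own ALPN response and present the challenge certificate, which is the part the txsni branch handles inside pyOpenSSL's SNI callback.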