I was able to figure out the tests, and improve coverage in txsni.

On Tue, Apr 2, 2019 at 10:29 AM Daniel Holth <dho...@gmail.com> wrote:
>
> Let me know if you're able to try getting a https certificate in this way:
>
> Using tls-alpn-01 negotiation with txsni (acme branch) and the
> dehydrated letsencrypt client:
>
> Install txsni (acme branch):
>
> pip install git+https://github.com/dholth/txsni@acme#egg=txsni
>
> Unpack dehydrated acme client shell script from https://dehydrated.io/
>
> Make and enter config directory:
>
> mkdir -p ~/etc/dehydrated
>
> cd ~/etc/dehydrated
>
> Use acmesni to listen on port 443:
>
> authbind twist web --listen acmesni:~/etc/dehydrated:tcp6:443 &
>
> Make config file:
>
> echo CHALLENGETYPE="tls-alpn-01" > config
>
> Create letsencrypt account:
>
> dehydrated --register --accept-terms
>
> Request certificate (replace example.com with your fqdn):
>
> dehydrated -c -d example.com
>
>
> Letsencrypt should request a special certificate from the twisted web
> server to prove domain control, and then dehydrated installs the new
> certificate for 'example.com' in ~/etc/dehydrated/certs/...
> https://example.com will be ready to go.
>
>
> Authbind, to listen on privileged ports in linux without root:
>
> (install authbind); touch /etc/authbind/byport/{80,443}; chown
> <username> /etc/authbind/byport/*; chmod u+x /etc/authbind/byport/*
>
> On Sun, Mar 24, 2019 at 9:17 PM Daniel Holth <dho...@gmail.com> wrote:
> >
> > Do move it to twisted. I was surprised it wasn't already there.
> >
> > On Sun, Mar 24, 2019, 17:39 Glyph <gl...@twistedmatrix.com> wrote:
> >>
> >> Thanks! I put some review comments on it. I would encourage others with
> >> interest in this area to have a look; I might not get back to this for a
> >> couple of weeks, but I'd be happy to give people collaborator permissions
> >> on the repo if they'd like to help out.
> >>
> >> (Frankly it's probably time that this project grew up and moved over to
> >> the Twisted org anyway, given that txacme depends on it...)
> >>
> >> -g
> >>
> >> On Mar 24, 2019, at 1:59 PM, Daniel Holth <dho...@gmail.com> wrote:
> >>
> >> Pull request for txsni acme https://github.com/glyph/txsni/pull/28
> >>
> >> On Sun, Mar 24, 2019, 16:33 Glyph <gl...@twistedmatrix.com> wrote:
> >>>
> >>> Any chance you could include a link to the relevant PR? Pulling this out
> >>> of the raging tire-fire of my Github notifications would take an
> >>> unfortunately non-trivial amount of time - and I imagine that not
> >>> everyone subscribed might even be on the appropriate repos :).
> >>>
> >>> -g
> >>>
> >>> On Mar 24, 2019, at 9:26 AM, Daniel Holth <dho...@gmail.com> wrote:
> >>>
> >>> The cleaned up pull request should be really easy to try, with a
> >>> dehydrated:(basedir) string port. Go get some certs people!
> >>>
> >>> On Sun, Mar 24, 2019, 00:55 Glyph <gl...@twistedmatrix.com> wrote:
> >>>>
> >>>> I think ACME_TLS_1 is a sufficiently high-entropy string that the
> >>>> likelihood of brokenness from this approach is basically zero.
> >>>>
> >>>> -g
> >>>>
> >>>> On Mar 23, 2019, at 9:20 PM, Daniel Holth <dho...@gmail.com> wrote:
> >>>>
> >>>> All we have to do is have some kind of per connection certificate store
> >>>> or flag. If acme is in the first packet and the special certificate
> >>>> exists, send it. Otherwise send the normal certificate, for a very short
> >>>> window of possible brokenness. Letsencrypt may or may not require
> >>>> correct alpn negotiation. Should be simple.
> >>>>
> >>>> I'm happy running the acme client separately and listing my domain
> >>>> instead of doing it all on demand inside twisted.
> >>>>
> >>>> On Sat, Mar 23, 2019, 23:59 Glyph <gl...@twistedmatrix.com> wrote:
> >>>>>
> >>>>> > On Mar 23, 2019, at 4:06 PM, Daniel Holth <dho...@gmail.com> wrote:
> >>>>> >
> >>>>> > HOLY REGEX BATMAN
> >>>>> >
> >>>>> > class _ConnectionProxy(object):
> >>>>> >
> >>>>> >     def bio_write(self, buf):
> >>>>> >         if ACME_TLS_1 in buf:
> >>>>> >             self.acme_tls_1 = True
> >>>>> >             self.bio_write = self._obj.bio_write
> >>>>> >         return self._obj.bio_write(buf)
> >>>>> >
> >>>>> > Now we can choose the acme certificate store in the sni callback and
> >>>>> > make letsencrypt happy!
> >>>>>
> >>>>> 1. Gross
> >>>>> 2. Hooray!
> >>>>>
> >>>>> -g
_______________________________________________ Twisted-Python mailing list Twisted-Python@twistedmatrix.com https://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
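The thread settles on a substring search of the first packet for the ACME ALPN identifier, which Glyph judges "gross" but practically safe because the string is high-entropy. The example below, added here and not part of txsni or the thread, shows the alternative a practitioner would want to compare it against: parsing the ClientHello's ALPN extension and selecting the challenge certificate store only when the extension actually offers acme-tls/1. The ClientHello builder, the `choose_certificate_store` and `naive_substring_match` helpers, and the "acme"/"normal" store names are all constructed for this illustration; the only real identifiers are the ALPN extension type (16) and the protocol name from RFC 8737.

```python
"""
Choose between the normal and the ACME (tls-alpn-01) certificate store by
parsing the ALPN extension of a TLS ClientHello instead of scanning the raw
bytes.  Added example, not txsni code; ClientHello records are constructed
locally for illustration.
"""
import os
import struct

# ALPN protocol identifier used by the tls-alpn-01 challenge (RFC 8737).
ACME_TLS_1 = b"acme-tls/1"
ALPN_EXTENSION_TYPE = 16  # IANA "application_layer_protocol_negotiation"


def build_client_hello(alpn_protocols=None, random_bytes=None):
    """Construct a minimal TLS 1.2 ClientHello record (test input only)."""
    random_bytes = random_bytes or os.urandom(32)
    assert len(random_bytes) == 32
    cipher_suites = b"\x13\x01\xc0\x2f"            # two arbitrary suites
    body = b"\x03\x03" + random_bytes              # client_version + random
    body += b"\x00"                                # empty session id
    body += struct.pack("!H", len(cipher_suites)) + cipher_suites
    body += b"\x01\x00"                            # one compression method: null
    extensions = b""
    if alpn_protocols is not None:
        names = b"".join(bytes([len(p)]) + p for p in alpn_protocols)
        alpn_data = struct.pack("!H", len(names)) + names
        extensions += struct.pack("!HH", ALPN_EXTENSION_TYPE, len(alpn_data))
        extensions += alpn_data
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def alpn_protocols(record):
    """Return the ALPN protocol names offered in a ClientHello record.

    Returns [] when the record is not a ClientHello or carries no ALPN
    extension.  Lengths are bounds-checked so truncated or malformed input
    yields [] rather than an exception.
    """
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return []
        hs_len = int.from_bytes(record[6:9], "big")
        body = record[9:9 + hs_len]
        if len(body) < hs_len:
            return []
        pos = 2 + 32                                   # skip version + random
        sid_len = body[pos]
        pos += 1 + sid_len
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2 + cs_len
        cm_len = body[pos]
        pos += 1 + cm_len
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        if end > len(body):
            return []
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_size]
            pos += ext_size
            if ext_type != ALPN_EXTENSION_TYPE or len(data) < 2:
                continue
            names, i, out = data[2:], 0, []
            while i < len(names):
                n = names[i]
                out.append(names[i + 1:i + 1 + n])
                i += 1 + n
            return out
        return []
    except (IndexError, struct.error):
        return []


def choose_certificate_store(record):
    """'acme' when the client offers acme-tls/1, otherwise 'normal'.

    RFC 8737 says the validation client offers *only* acme-tls/1, so a
    stricter deployment may compare against [ACME_TLS_1] exactly.
    """
    return "acme" if ACME_TLS_1 in alpn_protocols(record) else "normal"


def naive_substring_match(record):
    """The thread's approach: look for the identifier anywhere in the bytes."""
    return ACME_TLS_1 in record


if __name__ == "__main__":
    for protos in ([ACME_TLS_1], [b"h2", b"http/1.1"], None):
        rec = build_client_hello(protos)
        print(protos, "->", choose_certificate_store(rec))
    # Constructed edge case: identifier in the random field, no ALPN extension.
    odd = build_client_hello(None, random_bytes=ACME_TLS_1.ljust(32, b"\x00"))
    print("substring:", naive_substring_match(odd), "parsed:", choose_certificate_store(odd))
```

The last case is the one Glyph's "basically zero" remark is about: the bytes can appear outside the ALPN extension (here, planted in the random field of a constructed record), and only the parsed check keeps serving the normal certificate.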