[Twisted-Python] txsni + alpn + acme (letsencrypt)

Daniel Holth dholth at gmail.com
Tue Apr 2 08:29:15 MDT 2019


Let me know if you're able to try getting a https certificate in this way:

Using tls-alpn-01 negotiation with txsni (acme branch) and the
dehydrated letsencrypt client:

Install txsni (acme branch):

pip install git+https://github.com/dholth/txsni@acme#egg=txsni

Unpack dehydrated acme client shell script from https://dehydrated.io/

Make and enter config directory:

mkdir -p ~/etc/dehydrated

cd ~/etc/dehydrated

Use acmesni to listen on port 443:

authbind twist web --listen acmesni:~/etc/dehydrated:tcp6:443 &

Make config file:

echo CHALLENGETYPE="tls-alpn-01" > config

Create letsencrypt account:

dehydrated --register --accept-terms

Request certificate (replace example.com with your fqdn):

dehydrated -c -d example.com


Letsencrypt should request a special certificate from the twisted web
server to prove domain control, and then dehydrated installs the new
certificate for 'example.com' in ~/etc/dehydrated/certs/...
https://example.com will be ready to go.


Authbind, to listen on privileged ports in Linux without root:

(install authbind)
touch /etc/authbind/byport/{80,443}
chown <username> /etc/authbind/byport/*
chmod u+x /etc/authbind/byport/*

On Sun, Mar 24, 2019 at 9:17 PM Daniel Holth <dholth at gmail.com> wrote:
>
> Do move it to twisted. I was surprised it wasn't already there.
>
> On Sun, Mar 24, 2019, 17:39 Glyph <glyph at twistedmatrix.com> wrote:
>>
>> Thanks! I put some review comments on it.  I would encourage others with interest in this area to have a look; I might not get back to this for a couple of weeks, but I'd be happy to give people collaborator permissions on the repo if they'd like to help out.
>>
>> (Frankly it's probably time that this project grew up and moved over to the Twisted org anyway, given that txacme depends on it...)
>>
>> -g
>>
>> On Mar 24, 2019, at 1:59 PM, Daniel Holth <dholth at gmail.com> wrote:
>>
>> Pull request for txsni acme https://github.com/glyph/txsni/pull/28
>>
>> On Sun, Mar 24, 2019, 16:33 Glyph <glyph at twistedmatrix.com> wrote:
>>>
>>> Any chance you could include a link to the relevant PR?  Pulling this out of the raging tire-fire of my Github notifications would take an unfortunately non-trivial amount of time - and I imagine that not everyone subscribed might even be on the appropriate repos :).
>>>
>>> -g
>>>
>>> On Mar 24, 2019, at 9:26 AM, Daniel Holth <dholth at gmail.com> wrote:
>>>
>>> The cleaned up pull request should be really easy to try, with a dehydrated:(basedir) string port. Go get some certs people!
>>>
>>> On Sun, Mar 24, 2019, 00:55 Glyph <glyph at twistedmatrix.com> wrote:
>>>>
>>>> I think ACME_TLS_1 is a sufficiently high-entropy string that the likelihood of brokenness from this approach is basically zero.
>>>>
>>>> -g
>>>>
>>>> On Mar 23, 2019, at 9:20 PM, Daniel Holth <dholth at gmail.com> wrote:
>>>>
>>>> All we have to do is have some kind of per connection certificate store or flag. If acme is in the first packet and the special certificate exists, send it. Otherwise send the normal certificate, for a very short window of possible brokenness. Letsencrypt may or may not require correct alpn negotiation. Should be simple.
>>>>
>>>> I'm happy running the acme client separately and listing my domain instead of doing it all on demand inside twisted.
>>>>
>>>>
>>>> On Sat, Mar 23, 2019, 23:59 Glyph <glyph at twistedmatrix.com> wrote:
>>>>>
>>>>>
>>>>>
>>>>> > On Mar 23, 2019, at 4:06 PM, Daniel Holth <dholth at gmail.com> wrote:
>>>>> >
>>>>> > HOLY REGEX BATMAN
>>>>> >
>>>>> > class _ConnectionProxy(object):
>>>>> >
>>>>> >     def bio_write(self, buf):
>>>>> >         # Look at the first buffer handed to OpenSSL (the ClientHello)
>>>>> >         # for the acme-tls/1 ALPN marker, then rebind bio_write to the
>>>>> >         # wrapped connection's own method so later buffers pass through.
>>>>> >         if ACME_TLS_1 in buf:
>>>>> >             self.acme_tls_1 = True
>>>>> >         self.bio_write = self._obj.bio_write
>>>>> >         return self._obj.bio_write(buf)
>>>>> >
>>>>> > Now we can choose the acme certificate store in the sni callback and
>>>>> > make letsencrypt happy!
>>>>>
>>>>> 1. Gross
>>>>> 2. Hooray!
>>>>>
>>>>> -g
>>>>>
>>>>> _______________________________________________
>>>>> Twisted-Python mailing list
>>>>> Twisted-Python at twistedmatrix.com
>>>>> https://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
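Added example, not code from the thread or from txsni: the quoted proxy detects acme-tls/1 by substring-matching the first buffer, which the thread accepts as a low-risk heuristic; this parses the ClientHello's ALPN extension instead and includes a constructed case where the two checks disagree. It assumes the ACME_TLS_1 marker is the ALPN protocol name b"acme-tls/1" and builds its own minimal ClientHello as sample input.

```python
import os
import struct

ACME_TLS_1 = b"acme-tls/1"   # assumed value of the thread's marker: the tls-alpn-01 ALPN name


def build_client_hello(alpn, client_random=None):
    """Constructed sample input: a minimal TLS 1.2 ClientHello carrying one ALPN extension."""
    client_random = client_random or os.urandom(32)
    names = b"".join(struct.pack("!B", len(p)) + p for p in alpn)
    alpn_ext = struct.pack("!HHH", 16, len(names) + 2, len(names)) + names
    body = (b"\x03\x03" + client_random + b"\x00"      # version, random, empty session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"        # one cipher suite, null compression
            + struct.pack("!H", len(alpn_ext)) + alpn_ext)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def alpn_protocols(buf):
    """Return the protocol names offered in the ClientHello's ALPN extension, or []."""
    if len(buf) < 9 or buf[0] != 0x16 or buf[5] != 0x01:
        return []                                         # not a handshake/ClientHello record
    pos = 9 + 2 + 32                                      # skip headers, version, random
    pos += 1 + buf[pos]                                   # session id
    pos += 2 + struct.unpack("!H", buf[pos:pos + 2])[0]   # cipher suites
    pos += 1 + buf[pos]                                   # compression methods
    if pos + 2 > len(buf):
        return []                                         # no extensions block at all
    end = min(len(buf), pos + 2 + struct.unpack("!H", buf[pos:pos + 2])[0])
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", buf[pos:pos + 4])
        pos += 4
        if ext_type == 16:                                # application_layer_protocol_negotiation
            names, p, found = buf[pos + 2:pos + ext_len], 0, []
            while p < len(names):
                n = names[p]
                found.append(names[p + 1:p + 1 + n])
                p += 1 + n
            return found
        pos += ext_len
    return []


def wants_acme_tls_1(buf):
    """True only when acme-tls/1 is genuinely offered via ALPN."""
    return ACME_TLS_1 in alpn_protocols(buf)


def substring_check(buf):
    """The first-packet heuristic from the thread, kept for comparison."""
    return ACME_TLS_1 in buf
```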