-
-
Notifications
You must be signed in to change notification settings - Fork 10
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
send different certificate if acme-tls/1 negotated with alpn #26
Conversation
fixes #25 |
Codecov Report
@@ Coverage Diff @@
## master #26 +/- ##
========================================
- Coverage 95% 94.2% -0.8%
========================================
Files 6 6
Lines 400 414 +14
Branches 28 30 +2
========================================
+ Hits 380 390 +10
- Misses 12 15 +3
- Partials 8 9 +1
Continue to review full report at Codecov.
|
It's unfortunate that we have to choose a certificate for our hostname before we can immediately switch to the acme one |
How dehydrated stores its certificates. letsencrypt doesn't agree with us yet, saying "detail": "remote error: tls: no application protocol"
|
It at least works if the alpn certificate is the only one. |
I've cracked it. We already use bio so Python sees all the bytes, and we already proxy Connection. Trap the first call to bio to search for alpn in the first packet, if True load certificates from a different directory during SNI. Cheesy! |
will replace |
@dholth What replaced this? |
… On Sat, Aug 3, 2019, at 6:24 PM, Glyph wrote:
@dholth <https://github.com/dholth> What replaced this?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub <#26?email_source=notifications&email_token=AABSZEUUI5QEXQU6AYZEWJDQCYAQFA5CNFSM4HASGI52YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD3PWXOA#issuecomment-517958584>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AABSZEWWCSQVVW5Q4OY5ELTQCYAQFANCNFSM4HASGI5Q>.
|
Thanks. |
As you probably know letsencrypt requires alpn negotiation instead of just SNI these days.
This change intercepts alpn negotiation so that acme-tls/1 is always used if the client supports it. Then txsni chooses certificates from a second mapping, currently just an alpn/ directory underneath the default mapping, to use for that connection. When letsencrypt sees that special cert it knows you control the domain.
So if you have already generated the special certificate and placed it in acme/hostname.pem, txsni will be able to make letsencrypt happy. Then your ACME client can finish issuing you a new cert.
I expect to use this with dehydrated, the shell script acme client, and possibly with a new mapping object that can do dehydrated's separate key / cert layout. There's not enough here for txsni's "even the first request succeeds after waiting for the new certificate" but it should be really handy for development.