glyph / txsni

Simple support for running a TLS server with Twisted.
MIT License

tls-alpn-01 challenge support #28

Closed dholth closed 3 years ago

dholth commented 5 years ago

This is the simplest possible acme-tls/1 responder for txsni.

To use, get the dehydrated shell script, configure `~/etc/dehydrated/` with `config` (set `BASEDIR`) and `domains.txt` (list of domains), run `authbind twist web --port acmesni:~/etc/dehydrated:tcp6:443`, and run `dehydrated -c --force` in the `~/etc/dehydrated/` folder. For testing it's a good idea to use a separate `-staging` directory and config to avoid running against letsencrypt rate limits.

It also has a couple of unicode fixes.

Tested in pypy 3.6.1 version 7.0.0-alpha0

codecov-io commented 5 years ago

Codecov Report

Merging #28 into master will increase coverage by 1.69%. The diff coverage is 96.83%.


```diff
@@            Coverage Diff             @@
##           master      #28      +/-   ##
==========================================
+ Coverage      95%   96.69%   +1.69%
==========================================
  Files           6        7       +1
  Lines         400      545     +145
  Branches       28       45      +17
==========================================
+ Hits          380      527     +147
+ Misses         12       11       -1
+ Partials        8        7       -1
```

| Impacted Files | Coverage Δ |
|---|---|
| txsni/parser.py | 100% <100%> (ø) |
| txsni/test/certs/cert_builder.py | 97.97% <100%> (+0.68%) |
| txsni/certmaps.py | 91.66% <91.66%> (ø) |
| txsni/snimap.py | 93.33% <92.3%> (+4.33%) |
| txsni/test/test_txsni.py | 98.26% <98.48%> (+0.04%) |
| txsni/only_noticed_pypi_pem_after_i_wrote_this.py | 93.54% <0%> (+6.45%) |


dholth commented 5 years ago

Fixes #20, #25, #27

dholth commented 5 years ago

It might be helpful to think of this code as only doing the same job as http port 80 for the http-01 http:///.well-known/acme-challenge/ challenge type. Most of the ACME protocol is elsewhere, and this is quite useful without txacme.

txacme would build on top of txsni by pausing an incoming request, putting the special acme certificate in `SNIMap.acme_mapping`, having letsencrypt fetch that certificate, and on success install the new certificate to continue with the original request. Everything letsencrypt-related except the challenge is the same as what txacme does now.

I've tried to make the certificate loaders more generic. They probably work with more than just dehydrated. They are like `HostDirectoryMap` but they load the certificate from two files. Do they need to be underscored if `HostDirectoryMap` is not? It was not clear quite which code that comment was about.
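The following is an added example, not code from txsni or from this PR, covering both the dehydrated-based procedure in the first comment and the mechanism described in the comment above: an SNI certificate table with a separate table of pending acme-tls/1 challenge certificates, a loader that reads a certificate and its key from two files, and the "empty dict is falsy" pitfall. The rule it enforces in `select` is the one RFC 8737 specifies for tls-alpn-01 (the challenge certificate is presented only when the client offers the `acme-tls/1` ALPN protocol and a challenge is pending for the SNI name). The names `HostMap`, `select`, `start_challenge`, `finish_challenge`, `load_pem_pair`, `check_pem_pair`, `challenge_cert_for` and `demo` are invented for this example, the only thing taken from the thread is that the map carries an `acme_mapping` attribute, and the `fullchain.pem` / `privkey.pem` file names are an assumption about dehydrated's output layout.

```python
"""Added example (not txsni's code): certificate selection for a tls-alpn-01
responder that also serves ordinary SNI traffic. All class and function
names here are assumed, not txsni's API."""
import os
import tempfile

ACME_ALPN = "acme-tls/1"   # ALPN protocol id defined by RFC 8737


def normalize_name(name):
    """SNI host names are ASCII DNS names: compare case-insensitively and
    without a trailing dot, so 'Example.COM.' matches 'example.com'."""
    if isinstance(name, bytes):
        name = name.decode("ascii", "replace")
    return name.lower().rstrip(".")


class HostMap:
    """Production certificates keyed by host name, plus a separate table of
    pending challenge certificates (the thread describes SNIMap as carrying
    an acme_mapping attribute; the rest of this class is assumed)."""

    def __init__(self, default=None):
        self.hosts = {}          # hostname -> production certificate
        self.acme_mapping = {}   # hostname -> acme-tls/1 challenge certificate
        self.default = default   # served when SNI names an unknown host

    def add_host(self, name, cert):
        self.hosts[normalize_name(name)] = cert

    def start_challenge(self, name, challenge_cert):
        self.acme_mapping[normalize_name(name)] = challenge_cert

    def finish_challenge(self, name, issued_cert):
        """On successful validation drop the challenge entry and install the
        certificate the CA issued, so later clients get the real one."""
        key = normalize_name(name)
        self.acme_mapping.pop(key, None)
        self.hosts[key] = issued_cert

    def select(self, sni_name, alpn_offered):
        """Certificate to present for this ClientHello, or None to abort.

        The challenge certificate is handed out only when the client offered
        acme-tls/1 AND a challenge is pending for the SNI name. Browsers never
        offer acme-tls/1, so they can never receive the self-signed challenge
        certificate; a validator asking about a host with no pending
        challenge is refused instead of being shown the production cert."""
        key = normalize_name(sni_name) if sni_name else ""
        if ACME_ALPN in alpn_offered:
            return self.acme_mapping.get(key)
        return self.hosts.get(key, self.default)


def check_pem_pair(cert_pem, key_pem):
    """Sanity-check that each file holds the PEM block type expected of it:
    the usual failure mode is the two paths being swapped or a combined
    cert+key file being handed over as the public certificate file."""
    if "-----BEGIN CERTIFICATE-----" not in cert_pem:
        raise ValueError("certificate file does not contain a PEM certificate")
    if "PRIVATE KEY-----" not in key_pem:
        raise ValueError("key file does not contain a PEM private key")
    if "PRIVATE KEY-----" in cert_pem:
        raise ValueError("certificate file contains a private key; it must not be served")
    return cert_pem, key_pem


def load_pem_pair(cert_path, key_path):
    """Load a certificate and its key from two separate files (assumed
    dehydrated layout: fullchain.pem and privkey.pem)."""
    with open(cert_path) as f:
        cert_pem = f.read()
    with open(key_path) as f:
        key_pem = f.read()
    return check_pem_pair(cert_pem, key_pem)


SHARED_CHALLENGES = {}   # process-wide challenge table used by challenge_cert_for


def challenge_cert_for(name, mapping=None, shared=SHARED_CHALLENGES):
    """Look up a pending challenge certificate, falling back to the shared
    table only when no per-listener mapping was given. Testing `is None` is
    the point: `if not mapping:` treats a deliberately empty {} ("no
    challenges on this listener") as absent and silently falls back."""
    if mapping is None:
        mapping = shared
    return mapping.get(normalize_name(name))


def demo():
    """Walk one challenge for example.com through the map with constructed
    PEM files (the base64 bodies are placeholders, not real key material)."""
    tmp = tempfile.mkdtemp()
    cert_file, key_file = os.path.join(tmp, "fullchain.pem"), os.path.join(tmp, "privkey.pem")
    with open(cert_file, "w") as f:
        f.write("-----BEGIN CERTIFICATE-----\nY29uc3RydWN0ZWQ=\n-----END CERTIFICATE-----\n")
    with open(key_file, "w") as f:
        f.write("-----BEGIN PRIVATE KEY-----\nY29uc3RydWN0ZWQ=\n-----END PRIVATE KEY-----\n")
    cert, _key = load_pem_pair(cert_file, key_file)
    hostmap = HostMap(default="default-cert")
    hostmap.add_host("example.com", cert)
    hostmap.start_challenge("example.com", "challenge-cert")
    results = {
        "browser during challenge": hostmap.select("Example.COM", ["h2", "http/1.1"]),
        "validator during challenge": hostmap.select("example.com", [ACME_ALPN]),
        "validator, unknown host": hostmap.select("other.example", [ACME_ALPN]),
    }
    hostmap.finish_challenge("example.com", "issued-cert")
    results["browser after issuance"] = hostmap.select("example.com", ["http/1.1"])
    results["validator after issuance"] = hostmap.select("example.com", [ACME_ALPN])
    return results


if __name__ == "__main__":
    for step, cert in demo().items():
        print("%-28s -> %s" % (step, (cert or "abort").splitlines()[0]))
```

The design choice worth noting is in `select`: an `acme-tls/1` client that names a host with no pending challenge gets `None` (handshake aborted) rather than the production certificate, and a browser never sees the challenge certificate because it never offers that ALPN value, which is exactly the separation the challenge type depends on.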

dholth commented 5 years ago

I've improved the test coverage and lo and behold found bugs, like "empty dict is falsy".

It looks like the CI is using a pretty old version of pypy. Tests pass over here on python 2 and 3 versions of pypy 7.

glyph commented 5 years ago

Oops. I tried turning on codacy as an experiment; it's not supposed to be gating PRs like this.

glyph commented 5 years ago

Thanks for your responses!

mithrandi commented 4 years ago

What's the status of this branch?

dholth commented 4 years ago

I stopped working on it and explored other acme server implementations.

> On Thu, Feb 27, 2020, at 10:55 AM, Tristan Seligmann wrote:
>
> What's the status of this branch?
