feat: add auto-tls service #2798
Conversation
Adds an optional service that requests a Let's Encrypt-style TLS certificate when publicly dialable addresses are detected. This will allow transports such as WebSockets to upgrade themselves to be the secure version.
| yamux() | ||
| ], | ||
| services: { | ||
| autoTLS: autoTLS(), |
There was a problem hiding this comment.
Need to add identify as per instructions
| this.privateKey = components.privateKey | ||
| this.peerId = components.peerId | ||
| this.events = components.events | ||
| this.forgeEndpoint = init.forgeEndpoint ?? 'registration.libp2p.direct' |
There was a problem hiding this comment.
Endpoint implies a URL with path, no?
Also I'd suggest moving these defaults into a constants file.
There was a problem hiding this comment.
The path is /v1/_acme-challenge - I omitted the path here to prevent people specifying /v2/_acme-challenge and expecting it to work.
We could make them add https:// on the front if you think it's more intuitive, otherwise I guess we should add a note that the /v1/.. bit will be appended?
| const domain = `${base36EncodedPeer}.${this.forgeDomain}` | ||
|
|
||
| // Create CSR | ||
| const [certificatePrivateKey, csr] = await acmeClient.forge.createCsr({ |
There was a problem hiding this comment.
What's the reason for using the legacy forge interface which is deprecated?
There was a problem hiding this comment.
No reason, just stopped at the first thing that worked. TBH I wanted to use @peculiar/acme-client as we have other @peculiar/... deps in the tree but couldn't get it to work in the time I was looking at it.
| altNames: [] | ||
| }) | ||
|
|
||
| const accountPrivateKey = await acmeClient.forge.createPrivateKey() |
There was a problem hiding this comment.
Do we need to store the private keys and certificate in the store for renewals and persistence after restarts?
There was a problem hiding this comment.
I couldn't see a "renew"-type operation in the API so I guess not, unless I've missed something.
I do want to add storing the cert/key in the datastore so we can re-use it after a restart as they are quite long-lived.
There was a problem hiding this comment.
Indeed, there's isn't a a renew operation. It's the same process, except that you can reuse the CSR and account key (IIUC).
| // TODO: handle rate limit errors like "too many new registrations (10) from this IP address in the last 3h0m0s, retry after 2024-11-01 09:22:38 UTC: see https://letsencrypt.org/docs/rate-limits/#new-registrations-per-ip-address" | ||
|
|
||
| const base36EncodedPeer = base36.encode(this.peerId.toCID().bytes) | ||
| const domain = `${base36EncodedPeer}.${this.forgeDomain}` |
There was a problem hiding this comment.
Need to be a wildcard:
| const domain = `${base36EncodedPeer}.${this.forgeDomain}` | |
| const domain = `*.${base36EncodedPeer}.${this.forgeDomain}` |
Adds an optional service that requests a Let's Encrypt-style TLS certificate when publicly dialable addresses are detected.
This will allow transports such as WebSockets to upgrade themselves to be the secure version.
Change checklist