
Universal Browser Connectivity using HTTPS/Secure Websockets

Open marten-seemann opened this issue 3 years ago • 4 comments

Every (public) node should have a Subdomain and a trusted TLS certificate, so that browser nodes can connect using /wss (Secure WebSockets transport).

We will support manual certificate configuration, and ACME automation for user’s domain names (see #1331 for details), but these setups require some manual step/input from the user.

Here, we discuss a protocol for providing a TLS cert for /wss for all remaining nodes in a way that happens automatically, without the user’s involvement.

Obtaining a Certificate using the DNS01 ACME Challenge

For the purpose of this discussion, let’s assume that we have one PL-controlled "gatekeeper" node that has (programmatic) access to the DNS configuration of libp2p.direct (or some other domain).

  1. The gatekeeper node is run by PL and has a fixed DNS name, e.g. dns.libp2p.direct.
  2. When a node wants to get a certificate, it requests a subdomain name from the gatekeeper.
  3. The gatekeeper then generates a new subdomain: <subdomain>.libp2p.direct.
    • TBD: this could be a random string, or a certain encoding of the peer ID.
  4. The node then runs its ACME client and requests a DNS-01 challenge from LE. It forwards the ACME challenge to the gatekeeper via a yet-to-be-defined libp2p protocol.
  5. The gatekeeper verifies the ACME challenge (i.e. checks the subdomain, that it is well-formed, etc.) and publishes the TXT record. It un-publishes the TXT record when the ACME challenge is done, or after the expiration of a short timer (10 minutes?).
  6. LE now issues a certificate directly to the node’s ACME client.
  7. The node can now advertise <ip-multiaddr>.<subdomain>.libp2p.direct. Our DNS resolver makes sure that this resolves to <ip>.

Steps

  • [x] implement a DNS server that can
    • resolve `<ip-multiaddr>.<subdomain>.libp2p.direct` to `<ip>`
    • programmatically set the TXT records for the ACME challenge
    • Done in: https://github.com/marten-seemann/wildcard-dns
  • [ ] coordinate with LetsEncrypt (or ZeroSSL) that we can get an unlimited number of wildcard certificates for subdomains of libp2p.direct
  • [ ] transfer ownership of libp2p.direct to the infrastructure team (earliest possible date: Apr 24)
  • [ ] specify and implement a libp2p protocol to request a subdomain from the gatekeeper and to set TXT records
  • [ ] integrate into go-ws-transport, so we can use and advertise /wss addresses

marten-seemann, Mar 17 '22 08:03
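Steps 5 and 7 above are where the gatekeeper matters for security: it must publish TXT records only for subdomains it issued itself, only under the `_acme-challenge` name, and only for a bounded time, otherwise a node could use it to write arbitrary records into the libp2p.direct zone. The following Go sketch is an added example, not code from go-libp2p or from the wildcard-dns repository linked above. The type and function names (`Gatekeeper`, `IssueSubdomain`, `PublishChallenge`, `LookupTXT`, `ResolveA`), the random base32 label (the issue leaves the encoding TBD), the 10 minute record lifetime, and the dashed IPv4 label encoding in `ResolveA` are all assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"encoding/base32"
	"errors"
	"net"
	"regexp"
	"strings"
	"sync"
	"time"
)

// zone is the domain the gatekeeper controls (from the issue).
const zone = "libp2p.direct"

// labelRe accepts a single DNS label as the gatekeeper hands it out.
var labelRe = regexp.MustCompile(`^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`)

// txtValueRe matches a DNS-01 challenge value: the unpadded base64url
// SHA-256 digest of the key authorization (RFC 8555 section 8.4), 43 chars.
var txtValueRe = regexp.MustCompile(`^[A-Za-z0-9_-]{43}$`)

type txtRecord struct {
	value   string
	expires time.Time
}

// Gatekeeper publishes ACME TXT records only for subdomains it issued and
// only under _acme-challenge, so a node cannot turn it into a zone-write oracle.
type Gatekeeper struct {
	mu     sync.Mutex
	issued map[string]bool      // label -> handed out to some node
	txt    map[string]txtRecord // fqdn -> pending challenge record
	ttl    time.Duration        // upper bound on how long a record stays published
	now    func() time.Time     // injectable clock (assumption, for testing)
}

func NewGatekeeper(ttl time.Duration) *Gatekeeper {
	return &Gatekeeper{issued: map[string]bool{}, txt: map[string]txtRecord{}, ttl: ttl, now: time.Now}
}

// IssueSubdomain is step 3: a random label (assumed encoding; the issue leaves it TBD).
func (g *Gatekeeper) IssueSubdomain() (string, error) {
	var b [10]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	label := strings.ToLower(base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(b[:]))
	g.mu.Lock()
	g.issued[label] = true
	g.mu.Unlock()
	return label + "." + zone, nil
}

// challengeLabel requires fqdn to be exactly _acme-challenge.<label>.<zone> and returns <label>.
func challengeLabel(fqdn string) (string, error) {
	name := strings.TrimSuffix(strings.ToLower(fqdn), ".")
	if !strings.HasSuffix(name, "."+zone) {
		return "", errors.New("name is outside " + zone)
	}
	parts := strings.Split(strings.TrimSuffix(name, "."+zone), ".")
	if len(parts) != 2 || parts[0] != "_acme-challenge" {
		return "", errors.New("not an _acme-challenge name directly under " + zone)
	}
	if !labelRe.MatchString(parts[1]) {
		return "", errors.New("malformed subdomain label")
	}
	return parts[1], nil
}

// PublishChallenge is step 5: validate the forwarded challenge, then publish it.
func (g *Gatekeeper) PublishChallenge(fqdn, value string) error {
	label, err := challengeLabel(fqdn)
	if err != nil {
		return err
	}
	if !txtValueRe.MatchString(value) {
		return errors.New("malformed DNS-01 challenge value")
	}
	g.mu.Lock()
	defer g.mu.Unlock()
	if !g.issued[label] {
		return errors.New("subdomain was not issued by this gatekeeper")
	}
	g.txt["_acme-challenge."+label+"."+zone] = txtRecord{value: value, expires: g.now().Add(g.ttl)}
	return nil
}

// ChallengeDone un-publishes the record once the node reports the challenge finished.
func (g *Gatekeeper) ChallengeDone(fqdn string) {
	g.mu.Lock()
	delete(g.txt, strings.TrimSuffix(strings.ToLower(fqdn), "."))
	g.mu.Unlock()
}

// LookupTXT is what the DNS server answers; records past the short timer are
// dropped here even if the node never called ChallengeDone.
func (g *Gatekeeper) LookupTXT(fqdn string) (string, bool) {
	g.mu.Lock()
	defer g.mu.Unlock()
	name := strings.TrimSuffix(strings.ToLower(fqdn), ".")
	rec, ok := g.txt[name]
	if !ok || !g.now().Before(rec.expires) {
		delete(g.txt, name)
		return "", false
	}
	return rec.value, true
}

// ResolveA is step 7. Assumption: the IPv4 address is encoded as one label with
// dashes for dots, e.g. 1-2-3-4.<label>.libp2p.direct resolves to 1.2.3.4.
func ResolveA(fqdn string) (net.IP, bool) {
	parts := strings.Split(strings.TrimSuffix(strings.ToLower(fqdn), "."), ".")
	if len(parts) != 4 || parts[2]+"."+parts[3] != zone || !labelRe.MatchString(parts[1]) {
		return nil, false
	}
	ip := net.ParseIP(strings.ReplaceAll(parts[0], "-", ".")).To4()
	return ip, ip != nil
}
```

The checks in `PublishChallenge` are deliberately strict about shape rather than content: the gatekeeper never needs to understand the ACME token, it only has to refuse names it did not issue, names that are not `_acme-challenge.<label>` directly under the zone, and values that are not a 43-character base64url digest. Expiry is enforced at lookup time so a crashed or malicious client cannot leave a record published indefinitely.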

I've requested the Pathfinder team at PL to contact @marten-seemann about transferring the domain

thattommyhall, Apr 26 '22 04:04

Closing, since we now have WebTransport and that's 100x better than WebSocket. Specifically, it doesn't require any DNS setup.

marten-seemann, May 11 '23 08:05