Automatically fetch certificates from Let's Encrypt.

This removes the --tls-cert and --tls-keys options and replaces them
with --acme-hostname and (optional) --acme-email. It uses
https://godoc.org/golang.org/x/crypto/acme/autocert, which is kind of a
successor to https://godoc.org/rsc.io/letsencrypt.

The autocert package only works when the listener runs on port 443. For
that reason, if TOR_PT_SERVER_BINDADDR asks for a port other than 443,
the program will open an *additional* listening port on 443. If there is
an error opening the listener, it is reported through an SMETHOD-ERROR
for the requested address.

The inspiration for this code came from George Tankersley's patch for
meek-server:
https://bugs.torproject.org/18655#comment:8
https://github.com/gtank/meek/tree/letsencrypt
David Fifield 2017-01-18 19:19:26 -08:00
parent af70d49e96
commit 61310600c3
2 changed files with 50 additions and 24 deletions


@ -5,5 +5,5 @@ SocksPort 0
ExitPolicy reject *:*
DataDirectory datadir
ServerTransportListenAddr snowflake 0.0.0.0:9902
ServerTransportPlugin snowflake exec ./server --disable-tls --log snowflake.log
ServerTransportListenAddr snowflake 0.0.0.0:443
ServerTransportPlugin snowflake exec ./server --acme-hostnames snowflake.example --acme-email admin@snowflake.example --log snowflake.log
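Review bot: the flag name on the new ServerTransportPlugin line, `--acme-hostnames snowflake.example`, does not match the `--acme-hostname` option the commit message says replaces `--tls-cert`; one of the two is wrong, and a stale flag name in the example torrc would make tor fail to launch the transport, so please make the message and this file agree. The other thing this example should call out is the consequence of moving ServerTransportListenAddr to `0.0.0.0:443`: the server process must be allowed to bind a privileged port (root, or CAP_NET_BIND_SERVICE on Linux), and the autocert flow the message describes only succeeds if `snowflake.example` resolves to this host and port 443 is reachable from the internet for the ACME validation; a one-line comment in the torrc stating both requirements would save operators a confusing SMETHOD-ERROR on first start.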