vac:p2p:ift:2025q2-nimlibp2p-autotls

Implement a process that automates the issuance of Let’s Encrypt wilcard TLS certificates for nim-libp2p nodes. This would enable reliable browser-based clients to connect to libp2p nodes, regardless of the network topology which improves resilience and opens up a window to more capable browser clients. This task is limited to the client functionality; Server functionality could be implemented on a separate commitment. AutoTLS

Task List

ACME registration

  • fully qualified name: vac:p2p:ift:2025q2-nimlibp2p-autotls:acme-registration
  • owner: gabriel
  • status: 95%
  • start-date: 2025-04-14
  • end-date:

Description

Register new account on ACME server

Deliverables

  • Generate key
  • Register to ACME server using generated key

Challenge request

  • fully qualified name: vac:p2p:ift:2025q2-nimlibp2p-autotls:certificate-request-challenge
  • owner: gabriel
  • status: 95%
  • start-date: 2025-04-14
  • end-date:

Description

Request challenge from the ACME server (typically Let’s Encrypt)

Deliverables

  • Base36 encode our peerId
  • Send certificate request for *.{base36PeerId}.libp2p.direct domain

Notify AutoTLS broker

  • fully qualified name: vac:p2p:ift:2025q2-nimlibp2p-autotls:notify-autotls-broker
  • owner: gabriel
  • status: 95%
  • start-date: 2025-04-14
  • end-date:

Description

Send DNS-01 challenge received from ACME server to the AutoTLS broker (registration.libp2p.direct)

Deliverables

  • Authenticate with AutoTLS broker using PeerId Auth
  • Send DNS-01 challenge to AutoTLS broker
  • Successfully receive and respond to a dial from AutoTLS broker
  • Query the broker’s DNS registry until the TXT _acme-challenge.{peerID}.libp2p.direct record is set

Notify challenge completion

  • fully qualified name: vac:p2p:ift:2025q2-nimlibp2p-autotls:notify-challenge-completion
  • owner: gabriel
  • status: 95%
  • start-date: 2025-04-14
  • end-date:

Description

Notify the ACME server that we’re done with DNS-01 challenge

Deliverables

  • Send message to ACME server notifying that we’re ready to be test
  • Query the ACME server until it responds saying the challenge was fulfilled

Finalize certificate

  • fully qualified name: vac:p2p:ift:2025q2-nimlibp2p-autotls:finalize-cert
  • owner: gabriel
  • status: 95%
  • start-date: 2025-04-14
  • end-date:

Description

Finalize certificate issuance with CSR

Deliverables

  • Generate CSR
  • Send finalize message with CSR to ACME server
  • Download certificate from ACME server

Certificate installation

  • fully qualified name: vac:p2p:ift:2025q2-nimlibp2p-autotls:cert-installation
  • owner: gabriel
  • status: 0%
  • start-date: 2025-04-14
  • end-date:

Description

Install generated certificate and use it in TCP/WS/WSSS/Quic/Webtransport

Deliverables

  • Install certificate

Certificate renewal

  • fully qualified name: vac:p2p:ift:2025q2-nimlibp2p-autotls:cert-renewal
  • owner: gabriel
  • status: 95%
  • start-date: 2025-04-14
  • end-date:

Description

Renew certificate before it expires

Deliverables

  • Send a request for the same certificate to the ACME server