AutoTLS: attempts to get cert when not publicly diallable

[lidel]

Version

0.32.0-rc1

Config

{
"AutoTLS": {
    "Enabled": true
  },
"Addresses": {
    "API": "/ip4/127.0.0.1/tcp/5701",
    "Announce": [],
    "AppendAnnounce": [],
    "Gateway": "/ip4/127.0.0.1/tcp/8780",
    "NoAnnounce": [],
    "Swarm": [
      "/ip4/0.0.0.0/tcp/4071",
      "/ip6/::/tcp/4071",
      "/ip4/0.0.0.0/tcp/4072/tls/sni/*.libp2p.direct/ws",
      "/ip4/0.0.0.0/udp/4071/webrtc-direct",
      "/ip4/0.0.0.0/udp/4071/quic-v1",
      "/ip4/0.0.0.0/udp/4071/quic-v1/webtransport",
      "/ip6/::/udp/4071/webrtc-direct",
      "/ip6/::/udp/4071/quic-v1",
      "/ip6/::/udp/4071/quic-v1/webtransport"
    ]
  },
...

Description

Example 1, error due to solving challenges: presenting for challenge: no public address found:

2024-11-04T20:45:28.283+0100	INFO	autotls.acme_client	[email protected]/client.go:404	trying to solve challenge	{"identifier": "*.k51qzi5uqu5dha1xbwsoc8lyjf6fldczy61ozgi3n9rr3tipfuzjzqst8fqooi.libp2p.direct", "challenge_type": "dns-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2024-11-04T20:45:36.324+0100	DEBUG	autotls.acme_client	acme/http.go:275	http request	{"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/authz-v3/425608111597", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["CertMagic acmez (linux; amd64)"]}, "response_headers": {"Boulder-Requester":["2038430587"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["454"],"Content-Type":["application/json"],"Date":["Mon, 04 Nov 2024 19:45:36 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["yiS4Q9ue15rzi_h41L_gI6UhRmR95FOK2XBx4z7cpj9DQfwyXEE"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2024-11-04T20:45:36.324+0100	ERROR	autotls.obtain	[email protected]/config.go:639	could not get certificate from issuer	{"identifier": "*.k51qzi5uqu5dha1xbwsoc8lyjf6fldczy61ozgi3n9rr3tipfuzjzqst8fqooi.libp2p.direct", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "[*.k51qzi5uqu5dha1xbwsoc8lyjf6fldczy61ozgi3n9rr3tipfuzjzqst8fqooi.libp2p.direct] solving challenges: presenting for challenge: no public address found (order=https://acme-v02.api.letsencrypt.org/acme/order/2038430587/320023393197) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
2024-11-04T20:45:36.324+0100	ERROR	autotls.obtain	[email protected]/async.go:117	will retry	{"error": "[*.k51qzi5uqu5dha1xbwsoc8lyjf6fldczy61ozgi3n9rr3tipfuzjzqst8fqooi.libp2p.direct] Obtain: [*.k51qzi5uqu5dha1xbwsoc8lyjf6fldczy61ozgi3n9rr3tipfuzjzqst8fqooi.libp2p.direct] solving challenges: presenting for challenge: no public address found (order=https://acme-v02.api.letsencrypt.org/acme/order/2038430587/320023393197) (ca=https://acme-v02.api.letsencrypt.org/directory)", "attempt": 1, "retrying_in": 60, "elapsed": 9.413219385, "max_duration": 2592000}
2024-11-04T20:46:36.326+0100	INFO	autotls.obtain	[email protected]/config.go:555	obtaining certificate	{"identifier": "*.k51qzi5uqu5dha1xbwsoc8lyjf6fldczy61ozgi3n9rr3tipfuzjzqst8fqooi.libp2p.direct"}

Problem

when behind NAT, we do not delay the initial registration attempt until a publicly dialable address is present. We should avoid ERROR in logs when we know registration attempt would fail anyway, and delay until its safe.

Specific problems:

• do not attempt getting cert if we depend on /p2p-circuit addrs
• do not attempt getting cert if the only "public addr" is ipv6 blocked by firewall

[lidel]

Minimal check discussed in ipshipyard/p2p-forge@5157ed9 / ipshipyard/p2p-forge#4 (comment)