AutoTLS Integration Action Plan for py-libp2p

[Fatumayattani]

AutoTLS Integration Action Plan for py-libp2p

Related Issue: #555

Hi everyone

This is a proposed action plan for adding AutoTLS support to py-libp2p to make TLS configuration seamless, automated, and aligned with what’s already available in go-libp2p and js-libp2p.

The goal is to introduce a modular AutoTLS layer that supports both ephemeral self-signed certificates (for quick dev and test setups) and ACME/Let’s Encrypt certificates for production environments.

---

Proposed File & Module Structure

libp2p/security/tls/
├── autotls/
│   ├── __init__.py
│   ├── manager.py         
│   ├── acme_client.py     
│   ├── cache.py           
│   ├── config.py          
│   └── utils.py           
├── transport.py          

---

Core Functional Components

1. AutoTLS Manager (manager.py)

• Handles ephemeral self-signed cert generation.
• Tracks expiry and triggers renewal.
• Exposes a simple interface to the TLS transport.
• Keeps everything developer-friendly by default.

2. ACME Client (acme_client.py)

• Provides optional integration with Let’s Encrypt.
• Issues and renews certs automatically.
• Uses staging by default to avoid rate limits.
• ACME interaction is fully decoupled from the core transport.

3. Cache Layer (cache.py)

• Stores certs on disk or in memory.
• Handles cache expiry and renewal triggers.
• Prevents unnecessary regeneration.

4. Configuration (config.py)

• Centralizes all environment variables and defaults.

• Allows users to opt in to ACME or stay with ephemeral mode.

• Supports flags like:

  enable_autotls = True
  use_acme = False
  acme_directory_url = "https://acme-staging-v02.api.letsencrypt.org/directory"

5. Transport Integration (transport.py)

• Checks configuration flags.
• Initializes AutoTLS manager on startup.
• Injects the generated certs into the existing TLS handshake flow.
• Ensures no breaking change to manual TLS configuration.

---

Testing Strategy

tests/security/autotls/
├── test_autotls_manager.py
├── test_autotls_acme.py
└── test_autotls_integration.py

• Unit Tests

  • Ephemeral cert generation
  • Renewal flow
  • Cache read/write
  • ACME mock issuance and error handling

• Integration Tests

  • Launch a minimal libp2p host with AutoTLS enabled.
  • Test basic handshake and connection.
  • Verify cert renewal triggers correctly.

• Edge Cases

  • Expired cert handling
  • Invalid ACME configuration
  • Cache corruption or missing certs

---

Summary of the Plan

• Introduce AutoTLS inside the existing libp2p/security/tls/ layer.
• Keep ephemeral mode as the default for simplicity.
• Make ACME opt-in for production usage.
• Modular design ensures minimal changes to existing TLS code.
• Cover the full lifecycle (issue → cache → renew → integrate).
• Include robust testing and error handling from day one.

This plan is designed to deliver a complete and well-structured AutoTLS feature set while staying fully aligned with libp2p’s security design principles and the approaches used in other language implementations.

cc @seetadev @acul71 @pacrob @yashksaini-coder (collaborator)

[acul71]

@lla-dane

AutoTLS Improvements Based on go-libp2p Implementation

This document analyzes the go-libp2p AutoTLS implementation and suggests improvements for the Python implementation based on their approach.

Analysis of go-libp2p AutoTLS Implementation

Key Findings

1. Certificate Storage Architecture

go-libp2p Approach:

• Uses p2pforge library (external dependency: github.com/ipshipyard/p2p-forge/client)
• Leverages certmagic.FileStorage for certificate persistence
• Storage path: "p2p-forge-certs" directory (configurable)
• certmagic automatically manages:
  • Certificate files
  • Private keys
  • ACME account keys
  • Certificate metadata
  • Renewal state

Storage Structure (certmagic):

p2p-forge-certs/
├── acme/
│   ├── accounts/          # ACME account keys
│   └── challenges/        # Challenge state
├── certificates/          # Certificate files (PEM format)
│   └── <domain>/         # Organized by domain
│       ├── <domain>.crt  # Certificate
│       └── <domain>.key  # Private key
└── locks/                 # File locks for concurrent access

Key Characteristics:

• Organized by domain: Certificates stored in domain-specific subdirectories
• Automatic renewal: certmagic handles certificate renewal automatically
• Concurrent access: File locking prevents race conditions
• Persistence: All state persisted to disk for recovery after restarts

2. Identity Key Management

go-libp2p Approach:

const identityKeyFile = "identity.key"

// Load or generate identity
privKey, err := LoadIdentity(identityKeyFile)

// LoadIdentity checks if file exists, loads it, or generates new one
func LoadIdentity(keyPath string) (crypto.PrivKey, error) {
    if _, err := os.Stat(keyPath); err == nil {
        return ReadIdentity(keyPath)
    } else if os.IsNotExist(err) {
        return GenerateIdentity(keyPath)
    }
    return nil, err
}

// File permissions: 0400 (read-only for owner)
err = os.WriteFile(path, bytes, 0400)

Key Characteristics:

• Separate from certificates: Identity key stored independently
• Persistent: Same key reused across restarts
• Secure permissions: 0400 (owner read-only)
• Auto-generation: Creates new key if missing

3. Certificate Manager Lifecycle

go-libp2p Approach:

certManager, err := p2pforge.NewP2PForgeCertMgr(
    p2pforge.WithCAEndpoint(p2pforge.DefaultCATestEndpoint),
    p2pforge.WithCertificateStorage(&certmagic.FileStorage{Path: "p2p-forge-certs"}),
    p2pforge.WithLogger(rawLogger.Sugar().Named("autotls")),
    p2pforge.WithUserAgent(userAgent),
    p2pforge.WithRegistrationDelay(10*time.Second),
    p2pforge.WithOnCertLoaded(func() {
        certLoaded <- true
    }),
)

certManager.Start()
defer certManager.Stop()

// Provide host to cert manager - triggers AutoTLS flow
certManager.ProvideHost(h)

Key Characteristics:

• Explicit lifecycle: Start/Stop methods for clean shutdown
• Callback hooks: WithOnCertLoaded for async notification
• Configurable storage: Storage backend is pluggable
• Host integration: Cert manager receives host reference for connectivity checks

4. Network Reachability Integration

go-libp2p Approach:

• AutoTLS is guarded by connectivity check
• Only attempts certificate request when node emits event.EvtLocalReachabilityChanged with network.ReachabilityPublic
• Uses AutoNAT and Identify protocol to determine public reachability
• Prevents unnecessary ACME requests when node is behind NAT

Key Characteristics:

• Event-driven: Reacts to network state changes
• Public IP required: Only requests cert when publicly reachable
• Rate limit protection: Avoids hitting ACME rate limits unnecessarily

5. Certificate Usage Pattern

go-libp2p Approach:

• Certificates used primarily for WebSocket Secure (WSS) transport
• TLS configuration provided via certManager.TLSConfig()
• Certificate renewal handled automatically by certmagic
• No manual certificate loading required - certmagic manages everything

Suggested Improvements for Python Implementation

1. Structured Certificate Storage

Current Python Implementation:

• Certificates stored in working directory: autotls-cert.pem, autotls-key.pem
• Flat file structure
• No organization by domain or peer ID

Suggested Improvement:

# Proposed structure
AUTOTLS_STORAGE_DIR = Path("~/.libp2p/autotls") or Path("./autotls-certs")
AUTOTLS_STORAGE_DIR/
├── certificates/
│   └── {b36_peerid}/
│       ├── cert.pem
│       └── key.pem
├── acme/
│   ├── account.json      # ACME account info
│   └── orders/           # Order state
└── metadata.json         # Certificate metadata (expiry, domain, etc.)

Benefits:

• Organized by peer ID (b36_peerid)
• Supports multiple certificates per installation
• Easier to manage and clean up
• Matches certmagic's organizational pattern

Implementation Notes:

• Use pathlib.Path for cross-platform paths
• Create directory structure on first use
• Store metadata alongside certificates for quick lookup

2. Certificate Manager Class

Current Python Implementation:

• Certificate fetching logic embedded in BasicHost.initiate_autotls_procedure()
• No lifecycle management
• No renewal logic

Suggested Improvement:

class AutoTLSCertManager:
    """Manages AutoTLS certificate lifecycle, similar to go-libp2p's certManager."""
    
    def __init__(
        self,
        storage_path: Path | None = None,
        ca_endpoint: str = ACME_STAGING_ENDPOINT,
        on_cert_loaded: Callable[[], None] | None = None,
    ):
        self.storage_path = storage_path or self._default_storage_path()
        self.ca_endpoint = ca_endpoint
        self.on_cert_loaded = on_cert_loaded
        self._cert_cache: dict[str, tuple[Path, Path]] = {}  # b36_peerid -> (cert_path, key_path)
    
    def start(self) -> None:
        """Initialize certificate manager and load existing certificates."""
        self.storage_path.mkdir(parents=True, exist_ok=True)
        self._load_existing_certificates()
    
    def stop(self) -> None:
        """Clean shutdown of certificate manager."""
        # Cleanup if needed
        pass
    
    def get_certificate_paths(self, peer_id: ID) -> tuple[Path, Path] | None:
        """Get certificate and key paths for a peer ID."""
        b36_peerid = compute_b36_peer_id(peer_id)
        return self._cert_cache.get(b36_peerid)
    
    async def ensure_certificate(
        self,
        peer_id: ID,
        host: BasicHost,
        public_ip: str,
        port: int,
    ) -> tuple[Path, Path]:
        """Ensure certificate exists, fetching if necessary."""
        b36_peerid = compute_b36_peer_id(peer_id)
        
        # Check cache first
        if paths := self.get_certificate_paths(peer_id):
            if self._is_certificate_valid(paths[0]):
                return paths
        
        # Fetch new certificate
        return await self._fetch_certificate(peer_id, host, public_ip, port)
    
    def _default_storage_path(self) -> Path:
        """Get default storage path (home directory or current dir)."""
        home = Path.home()
        if home.exists():
            return home / ".libp2p" / "autotls"
        return Path("autotls-certs")

Benefits:

• Clean separation of concerns
• Reusable across different hosts
• Lifecycle management (start/stop)
• Certificate caching and validation
• Callback support for async notification

3. Certificate Metadata Storage

Current Python Implementation:

• No metadata stored
• Certificate validity checked by loading and parsing

Suggested Improvement:

@dataclass
class CertificateMetadata:
    """Metadata for an AutoTLS certificate."""
    b36_peerid: str
    domain: str
    cert_path: Path
    key_path: Path
    issued_at: datetime
    expires_at: datetime
    issuer: str  # "Let's Encrypt" or "Let's Encrypt (Staging)"
    serial_number: str | None = None
    
    def is_valid(self) -> bool:
        """Check if certificate is still valid."""
        now = datetime.now(timezone.utc)
        return self.issued_at <= now < self.expires_at
    
    def is_expiring_soon(self, threshold_hours: int = 24) -> bool:
        """Check if certificate expires within threshold."""
        now = datetime.now(timezone.utc)
        return (self.expires_at - now).total_seconds() < (threshold_hours * 3600)

class AutoTLSCertManager:
    def _load_metadata(self) -> dict[str, CertificateMetadata]:
        """Load certificate metadata from storage."""
        metadata_file = self.storage_path / "metadata.json"
        if not metadata_file.exists():
            return {}
        
        # Load and deserialize metadata
        # ...
    
    def _save_metadata(self, metadata: CertificateMetadata) -> None:
        """Save certificate metadata to storage."""
        # Update metadata.json
        # ...

Benefits:

• Quick validity checks without loading certificate
• Renewal scheduling based on expiry
• Audit trail of certificate issuance
• Easier debugging and troubleshooting

4. Automatic Certificate Renewal

Current Python Implementation:

• No renewal logic
• Certificates must be manually deleted to trigger re-fetch

Suggested Improvement:

class AutoTLSCertManager:
    async def _renewal_worker(self) -> None:
        """Background task to check and renew expiring certificates."""
        while self._running:
            await trio.sleep(3600)  # Check every hour
            
            metadata = self._load_metadata()
            now = datetime.now(timezone.utc)
            
            for b36_peerid, cert_meta in metadata.items():
                if cert_meta.is_expiring_soon(threshold_hours=24 * 7):  # 7 days
                    logger.info(f"Certificate for {b36_peerid} expiring soon, renewing...")
                    # Trigger renewal
                    # ...
    
    def start(self) -> None:
        """Initialize and start background tasks."""
        self._running = True
        self._load_existing_certificates()
        # Start renewal worker in background
        # ...

Benefits:

• Automatic renewal before expiry
• No manual intervention required
• Prevents certificate expiration
• Matches certmagic's automatic renewal

5. Network Reachability Integration

Current Python Implementation:

• Manual public IP extraction
• No reachability checks

Suggested Improvement:

class AutoTLSCertManager:
    def __init__(
        self,
        ...
        require_public_reachability: bool = True,
    ):
        self.require_public_reachability = require_public_reachability
        self._reachability_listener: Callable[[bool], None] | None = None
    
    def set_reachability_listener(
        self,
        listener: Callable[[bool], None]
    ) -> None:
        """Set callback for reachability changes."""
        self._reachability_listener = listener
    
    async def ensure_certificate(
        self,
        peer_id: ID,
        host: BasicHost,
        public_ip: str,
        port: int,
    ) -> tuple[Path, Path] | None:
        """Ensure certificate exists, but only if publicly reachable."""
        if self.require_public_reachability:
            if not await self._check_public_reachability(host):
                logger.warning(
                    "Node not publicly reachable, skipping AutoTLS certificate request"
                )
                return None
        
        # Proceed with certificate fetch
        # ...
    
    async def _check_public_reachability(self, host: BasicHost) -> bool:
        """Check if host is publicly reachable via AutoNAT or Identify."""
        # Use AutoNAT to determine reachability
        # Or check observed addresses from Identify protocol
        # ...

Benefits:

• Prevents unnecessary ACME requests
• Respects ACME rate limits
• Only requests certs when actually needed
• Matches go-libp2p's guarded approach

6. Improved Certificate Loading

Current Python Implementation:

• Simple file existence check
• No validation of certificate metadata

Suggested Improvement:

class AutoTLSCertManager:
    def _load_existing_certificates(self) -> None:
        """Load and validate existing certificates from storage."""
        metadata = self._load_metadata()
        
        for b36_peerid, cert_meta in metadata.items():
            # Validate certificate file exists and is readable
            if not cert_meta.cert_path.exists():
                logger.warning(f"Certificate file missing for {b36_peerid}")
                continue
            
            if not cert_meta.key_path.exists():
                logger.warning(f"Key file missing for {b36_peerid}")
                continue
            
            # Validate certificate is still valid
            if not cert_meta.is_valid():
                logger.info(f"Certificate expired for {b36_peerid}, will renew")
                continue
            
            # Verify certificate matches peer ID
            if not self._verify_certificate_peer_id(cert_meta.cert_path, b36_peerid):
                logger.warning(f"Certificate peer ID mismatch for {b36_peerid}")
                continue
            
            # Cache valid certificate
            self._cert_cache[b36_peerid] = (cert_meta.cert_path, cert_meta.key_path)
            logger.info(f"Loaded valid certificate for {b36_peerid}")
    
    def _verify_certificate_peer_id(
        self,
        cert_path: Path,
        expected_b36_peerid: str
    ) -> bool:
        """Verify certificate DNS name matches expected peer ID."""
        # Load certificate
        # Extract DNS names from SAN extension
        # Check if domain matches *.{b36_peerid}.libp2p.direct
        # ...

Benefits:

• Validates certificates on load
• Detects corrupted or mismatched certificates
• Automatic cleanup of invalid certificates
• Better error handling and logging

7. Configuration Management

Current Python Implementation:

• Hardcoded paths and endpoints
• No configuration file support

Suggested Improvement:

@dataclass
class AutoTLSConfig:
    """Configuration for AutoTLS certificate manager."""
    storage_path: Path
    ca_endpoint: str = ACME_STAGING_ENDPOINT
    user_agent: str = "py-libp2p/autotls"
    registration_delay: float = 10.0  # seconds
    require_public_reachability: bool = True
    renewal_threshold_hours: int = 24 * 7  # 7 days
    enable_auto_renewal: bool = True
    
    @classmethod
    def from_file(cls, config_path: Path) -> "AutoTLSConfig":
        """Load configuration from JSON file."""
        # ...
    
    def to_file(self, config_path: Path) -> None:
        """Save configuration to JSON file."""
        # ...
    
    @classmethod
    def default(cls) -> "AutoTLSConfig":
        """Get default configuration."""
        return cls(
            storage_path=Path.home() / ".libp2p" / "autotls",
            ca_endpoint=ACME_STAGING_ENDPOINT,
        )

Benefits:

• Configurable storage location
• Easy switching between staging/production
• Persistent configuration
• User-customizable settings

8. Integration with BasicHost

Current Python Implementation:

• Certificate logic embedded in BasicHost

Suggested Improvement:

class BasicHost:
    def __init__(
        self,
        ...
        autotls_cert_manager: AutoTLSCertManager | None = None,
    ):
        self._autotls_cert_manager = autotls_cert_manager
        if autotls_cert_manager:
            autotls_cert_manager.start()
    
    async def initiate_autotls_procedure(self) -> None:
        """Initiate AutoTLS procedure using certificate manager."""
        if not self._autotls_cert_manager:
            logger.warning("AutoTLS certificate manager not configured")
            return
        
        # Check if certificate already exists
        cert_paths = self._autotls_cert_manager.get_certificate_paths(self.get_id())
        if cert_paths and self._autotls_cert_manager._is_certificate_valid(cert_paths[0]):
            logger.info("AutoTLS certificate already exists and is valid")
            return
        
        # Extract public IP
        public_ip, port = self._extract_public_ip_and_port()
        if not public_ip:
            raise RuntimeError("No public IP address found")
        
        # Fetch certificate
        cert_path, key_path = await self._autotls_cert_manager.ensure_certificate(
            peer_id=self.get_id(),
            host=self,
            public_ip=public_ip,
            port=port,
        )
        
        # Update paths for TLS transport
        libp2p.utils.paths.AUTOTLS_CERT_PATH = cert_path
        libp2p.utils.paths.AUTOTLS_KEY_PATH = key_path

Benefits:

• Clean separation of certificate management from host logic
• Reusable certificate manager
• Easier testing and mocking
• Better code organization

Summary of Suggested Changes

High Priority

1. Structured Storage Directory

   • Organize certificates by peer ID
   • Store metadata alongside certificates
   • Support multiple certificates

2. Certificate Manager Class

   • Lifecycle management (start/stop)
   • Certificate caching and validation
   • Clean API for certificate operations

3. Certificate Metadata

   • Store expiry, domain, issuer information
   • Quick validity checks
   • Renewal scheduling

Medium Priority

4. Automatic Renewal

   • Background worker for renewal
   • Proactive renewal before expiry
   • No manual intervention

5. Network Reachability Integration

   • Check public reachability before requesting certs
   • Event-driven certificate requests
   • Rate limit protection

Low Priority (Nice to Have)

6. Configuration Management

   • Config file support
   • User-customizable settings
   • Environment variable overrides

7. Improved Error Handling

   • Better validation and error messages
   • Automatic cleanup of invalid certificates
   • Recovery from corrupted state

Migration Path

Phase 1: Add Certificate Manager (Non-Breaking)

• Create AutoTLSCertManager class
• Keep existing file-based approach as fallback
• Add structured storage as optional feature

Phase 2: Integrate Certificate Manager

• Update BasicHost to use certificate manager
• Migrate existing certificates to new structure
• Add metadata storage

Phase 3: Add Advanced Features

• Automatic renewal
• Reachability integration
• Configuration management

Benefits of These Improvements

1. Better Organization: Certificates organized by peer ID, easier to manage
2. Automatic Renewal: No manual intervention required
3. Rate Limit Protection: Only requests certs when publicly reachable
4. Persistence: Metadata and state survive restarts
5. Multiple Certificates: Support for multiple peer IDs in same installation
6. Production Ready: Matches go-libp2p's production-grade implementation
7. Maintainability: Clean separation of concerns, easier to test

Comparison Table

Feature	Current Python	go-libp2p	Suggested Python
Storage	Flat files in CWD	Structured directory	Structured directory by peer ID
Renewal	Manual	Automatic (certmagic)	Automatic (background worker)
Reachability	Manual IP extraction	Event-driven	Event-driven (optional)
Metadata	None	Managed by certmagic	JSON metadata file
Lifecycle	Embedded in host	Separate manager	Separate manager class
Multiple Certs	Limited (-new flag)	Full support	Full support
Configuration	Hardcoded	Configurable	Configurable

These improvements would bring the Python implementation much closer to the production-grade approach used in go-libp2p while maintaining compatibility with the current working implementation.

[acul71]

@lla-dane @sumanjeet0012

Some of them are resolved from the time when I dropped the message, now I need to show you guys what I am seeing and discuss teh next steps
So now as per python ssl library, the server will not ask for the dialer's certificate, unless we provide the ssl context with a trusted CA root to verify the dialer's certificate. So the consequence of not getting the dialer's certificate, we are using a placeholder peer-id in place of the peer-id of the dialer in the server's peerstore.
Which is wrong as nwo the peer-id to which the server is sending ping, is different from the remote dialer's actual peer-id because we used a place-holder key pair
So need to fix that
And i am thinking of replacing the cert-rsa key pair with our host's ed25519 keypair, so that the client can verify that the remote peer is actually true, without using identify protocol. Checking if it works out

Thanks for identifying this critical issue! The placeholder peer ID problem is indeed breaking correctness - ping messages going to the
wrong peer is a serious bug.

Your Ed25519 approach was conceptually perfect, but the ACME limitation is unfortunate. Since we're stuck with RSA for AutoTLS certificates, I think we should implement the b36_peerid extraction from certificate DNS name approach you originally suggested.

How go-libp2p Handles This

Looking at go-libp2p's implementation:

1. Standard TLS Transport: Uses ClientAuth: tls.RequireAnyClientCert which forces client certificate exchange. They extract peer ID from the libp2p extension in the certificate.

2. AutoTLS/WebSocket: Uses server-side certificates (for browser compatibility), and peer verification happens via identify protocol after connection establishment.

3. Key Difference: go-libp2p's standard TLS requires client certs, so they always get peer identity from certificates. For AutoTLS, they defer to identify protocol.

Proposed Solution for Python

Since Python's SSL doesn't request client certificates without a trusted CA root, and AutoTLS certs don't have libp2p extensions, we should:

1. Extract b36_peerid from certificate DNS - Parse *.{b36_peerid}.libp2p.direct from the certificate's SAN extension
2. Convert to peer ID - Reverse the compute_b36_peer_id() function to get the actual peer ID
3. Use for peer verification - Replace placeholder keys with actual peer ID from certificate
4. Cross-check with identify protocol - Defense in depth verification

For the server side (inbound), we could also explore:

• Configuring SSL context with Let's Encrypt CA roots to enable client cert requests
• Using ctx.verify_mode = ssl.CERT_OPTIONAL or CERT_REQUIRED
• This would make Python SSL request client certificates, similar to go-libp2p's RequireAnyClientCert

However, even with client certs, AutoTLS certificates won't have libp2p extensions, so we'd still need the DNS extraction approach.

This would:

• ✅ Eliminate placeholder peer IDs entirely
• ✅ Provide proper peer identity verification
• ✅ Work with CA-signed AutoTLS certificates
• ✅ Maintain security without relying solely on identify protocol
• ✅ Align with go-libp2p's approach (defer to identify for AutoTLS, but extract peer ID from DNS when available)

Should I start implementing the b36_peerid extraction approach, or do you want to discuss the trade-offs on the call first?