If we can use go-ipfs-config, could we pass static cert and use that instead of ACME?

Yes. The CertManager has a method for that, see https://github.com/marten-seemann/go-libp2p-certbot#manual-certificate-management. You'd have to call that instead of https://github.com/ipfs/go-ipfs/blob/6589293eb8cafc898972ff102ad0b1ef5ad2d3d9/core/node/libp2p/transport.go#L35, so that should be very easy to implement. Regarding the wiring up required with the IPFS config, it would be great if the IPFS stewards could take up that work though, as I'm sure you guys will have strong opinions on how this new config option would look like :)

This may be problematic for go-ipfs users because they already run HTTP server of some sort on ports 80 and 443 (either go-ipfs itself, or a reverse proxy like nginx).

It it's a Go HTTP server, we could just attach to that one, right? Users could pass their http.ServeMux to the certbot. Is that something we want to support?

Should we detect when ACME challenge port is taken by something else, and pick some other localhost port + print warning asking user to manually mount http://127.0.0.1:/.well-known/acme-challenge/ under https://example.com/.well-known/acme-challenge/? This should be an acceptable solution for existing nginx users.

Yes, let me figure out how to do that with certmagic.

Excited to see this, I was thinking the same a little while back.

I was going to help a mate do something like https://words.filippo.io/how-plex-is-doing-https-for-all-its-users/ for his app, and I was wondering if it would be useful for folk to have a cert for, say, *.<PEERID>.peer.id in libp2p land using the same trick? We'd need some extra cryptography to attest it was definity the peer that did it or something.

I have a proof of concept that uses auth0 to identify you on twitter, you pass the app the TXT challenge so ACME can issue you a cert for say *.thattommyhall.sslify.me , and some PowerDNS scripting to serve up 1.2.3.4 for 1-2-3-.thattommyhall.sslify.me and fetch the txt challenge from S3 so you can verify the DNS.

Prior art for just issuing SSL certs for an IP was https://sslip.io/ https://nip.io/

@thattommyhall take a look at libp2p/go-libp2p#1331.

TLDR: I suspect we'll want some mechanism to auto-grant people TLS certs so they can support WSS, but a step at a time especially because a bunch of the issues with granting certs are political rather than technological (e.g. one could easily imagine a world where *.peer.id's cert was secured by the peerID itself rather than some CA... but that's an uphill battle) so it might take some time. Those are some great links though 🙏

@thattommyhall Thank you for these links, those are very interesting reads! It's out of scope for this PR, let's get the simplest option up and running.

I updated this PR, mostly to update the dependencies. Big win: It's not necessary any more to add an address to AppendAnnounces, just adding a /dns address to Swarm.Addresses is sufficient now (thanks to libp2p/go-ws-transport#117).

@marten-seemann : I moved this back to draft given feedback from @lidel to incorporate. Pease mark as "Ready for review" when it should be looked at again.

Thanks again for doing this - good stuff!