
Feature #2931

Support for TLS-ALPN-01

Added by DavidAnderson684 9 months ago. Updated 9 months ago.

Status: Fixed
Priority: Low
Assignee: -
Category: TLS
Target version:
Start date: 2019-01-22
Due date:
% Done: 100%
Estimated time:
Missing in 1.5.x:

Description

With the removal of TLS-SNI-01 as a validation method (https://community.letsencrypt.org/t/february-13-2019-end-of-life-for-all-tls-sni-01-validation-support/74209), it will become very challenging to use LetsEncrypt or any other certificate vendor based on the ACME protocols with lighttpd (see https://community.letsencrypt.org/t/so-how-are-we-bringing-tls-alpn-to-the-masses/63824 for some discussion). Other validation methods involve the ability to manipulate DNS records or having a dedicated/unique IP address for the website, which for many users is not possible in their environment, or very challenging to automate for renewals.

TLS-ALPN-01 is available as a new possibility, but requires dedicated webserver support. Here is an implementation for Apache: https://github.com/icing/mod_md/ . The benefit of implementing it is that it will restore the situation of allowing easy/automated ACME/LetsEncrypt renewals without a unique IP address or ability to manipulate DNS records on-the-fly.

Associated revisions

Revision b17d3c24 (diff)
Added by gstrauss 9 months ago

[mod_openssl] ALPN and acme-tls/1 (fixes #2931)

ssl.acme-tls-1 = "/path/to/dir" containing .crt.pem and .key.pem
named with the SNI name ("<SNI>.crt.pem" and "<SNI>.key.pem")

x-ref:
"Transport Layer Security (TLS) Application-Layer Protocol Negotiation Extension"
https://tools.ietf.org/html/rfc7301
"ACME TLS ALPN Challenge Extension" (TLS-ALPN-01)
https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-05
"Support for TLS-ALPN-01"
https://redmine.lighttpd.net/issues/2931

History

#2

Updated by gstrauss 9 months ago

  • Category set to TLS

The draft expired 1 Dec 2018. Do you have any current link to its status?

#4

Updated by gstrauss 9 months ago

  • Priority changed from Normal to Low

There are over 17,000 lines of code in mod_md/src/*.[ch]. That is a large amount of code. (I have not looked any further at the code.)

I have previously looked at ALPN with regards to HTTP/2 and hope that general ALPN support can be incorporated with much less code. However, the specifics for TLS-ALPN-01 might require much more work. As such, I am marking this low priority. A shorter-term solution might be to identify ALPN requests and allow an external script of some sort to handle "tls-alpn-01".

#5

Updated by gstrauss 9 months ago

I posted some untested code to the personal/gstrauss/master branch on git.lighttpd.net after reading the TLS-ALPN-01 challenge spec.
See DevelGit for instructions on how to access the git repository.

#6

Updated by gstrauss 9 months ago

  • Status changed from New to Patch Pending
  • Target version changed from 1.4.x to 1.4.53

Tested with https://github.com/lukas2511/dehydrated

The results from dehydrated are a cert.pem and privkey.pem, which still need to be concatenated into a single file for lighttpd, and lighttpd needs to be restarted to pick up the new certificate.
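The concatenation and restart step described in comment #6, written out as an added dehydrated hook script (not code from the lighttpd project or from dehydrated). It assumes dehydrated's hook calling convention (hook name as the first argument, then `deploy_cert DOMAIN KEYFILE CERTFILE ...`); the certificate directory and the restart command are placeholders.

```sh
#!/bin/sh
# Added example: a dehydrated hook script (not code from lighttpd or
# dehydrated). On deploy_cert it joins dehydrated's cert.pem and
# privkey.pem into the single PEM file lighttpd loads and restarts
# lighttpd. The deploy_cert argument order is dehydrated's hook
# convention (assumption); directory and restart command are placeholders.
set -eu

LIGHTTPD_PEM_DIR="${LIGHTTPD_PEM_DIR:-/etc/lighttpd/certs}"
LIGHTTPD_RESTART="${LIGHTTPD_RESTART:-systemctl restart lighttpd}"

# pem_header_ok FILE WORD: FILE is non-empty and its first line is a PEM
# "-----BEGIN ..." header containing WORD ("PRIVATE KEY" or "CERTIFICATE").
pem_header_ok() {
    [ -s "$1" ] && head -n 1 "$1" | grep -q -- "^-----BEGIN .*$2"
}

# concat_pem DOMAIN KEYFILE CERTFILE: write $LIGHTTPD_PEM_DIR/DOMAIN.pem
# (cert, then key) with mode 0600, via a temp file and rename so lighttpd
# never sees a half-written file. Prints the output path; fails if an
# input is not the kind of PEM file it should be.
concat_pem() {
    domain="$1"; keyfile="$2"; certfile="$3"
    pem_header_ok "$keyfile" "PRIVATE KEY" || { echo "not a key: $keyfile" >&2; return 1; }
    pem_header_ok "$certfile" "CERTIFICATE" || { echo "not a cert: $certfile" >&2; return 1; }
    out="$LIGHTTPD_PEM_DIR/$domain.pem"
    tmp="$out.$$.tmp"
    umask 077                          # private key inside: owner-only access
    cat "$certfile" "$keyfile" > "$tmp"
    mv -f "$tmp" "$out"
    echo "$out"
}

# dehydrated calls: deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
deploy_cert() {
    concat_pem "$1" "$2" "$3" > /dev/null
    $LIGHTTPD_RESTART                  # lighttpd only picks up the new file on restart
}

# dehydrated passes the hook name as $1. deploy_challenge/clean_challenge are
# deliberately no-ops here: with tls-alpn-01, dehydrated writes the challenge
# certificate itself (assumption), into the directory lighttpd's
# ssl.acme-tls-1 points at.
case "${1:-}" in
    deploy_cert) shift; deploy_cert "$@" ;;
    *) ;;
esac
```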

#7

Updated by gstrauss 9 months ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100

#8

Updated by DavidAnderson684 9 months ago

Thank you! If I use the PayPal donate button on the right, does that go to you?

#9

Updated by gstrauss 9 months ago

It goes to us, yes. Thank you for your support.

#10

Updated by DavidAnderson684 9 months ago

Thank you! I have just donated.
