Feature #2931 (closed)
Support for TLS-ALPN-01
Description
With the removal of TLS-SNI-01 as a validation method (https://community.letsencrypt.org/t/february-13-2019-end-of-life-for-all-tls-sni-01-validation-support/74209), it will become very challenging to use LetsEncrypt or any other certificate vendor based on the ACME protocols with lighttpd (see https://community.letsencrypt.org/t/so-how-are-we-bringing-tls-alpn-to-the-masses/63824 for some discussion). Other validation methods involve the ability to manipulate DNS records or having a dedicated/unique IP address for the website, which for many users is not possible in their environment, or is very challenging to automate for renewals.
TLS-ALPN-01 is available as a new possibility, but requires dedicated webserver support. Here is an implementation for Apache: https://github.com/icing/mod_md/. The benefit of implementing it is that it will restore the situation of allowing easy/automated ACME/LetsEncrypt renewals without a unique IP address or the ability to manipulate DNS records on-the-fly.
Updated by DavidAnderson684 almost 6 years ago
Protocol specification: https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-01
Updated by gstrauss almost 6 years ago
- Category set to TLS
The draft expired 1 Dec 2018. Do you have any current link to its status?
Updated by DavidAnderson684 almost 6 years ago
Updated by gstrauss almost 6 years ago
- Priority changed from Normal to Low
There are over 17,000 lines of code in mod_md/src/*.[ch]. That is a large amount of code. (I have not looked any further at the code.)
I have previously looked at ALPN with regard to HTTP/2 and hope that general ALPN support can be incorporated with much less code. However, the specifics for TLS-ALPN-01 might require much more work. As such, I am marking this low priority. A shorter-term solution might be to identify ALPN requests and allow an external script of some sort to handle "tls-alpn-01".
Updated by gstrauss almost 6 years ago
I posted some untested code to personal/gstrauss/master branch on git.lighttpd.net after reading the TLS-ALPN-01 challenge spec.
See DevelGit for instructions how to access the git repository.
Updated by gstrauss almost 6 years ago
- Status changed from New to Patch Pending
- Target version changed from 1.4.x to 1.4.53
Tested with https://github.com/lukas2511/dehydrated
The results from dehydrated are a cert.pem and a privkey.pem, which still need to be concatenated into a single file for lighttpd, and lighttpd needs to be restarted to pick up the new certificate.
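The concatenate-and-restart step above can be automated from dehydrated's deploy_cert hook. The script below is an added example, not code from lighttpd or dehydrated; it assumes dehydrated's documented hook invocation (hook.sh deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP) and treats the output directory and the restart command as placeholders for your own setup.

```bash
#!/bin/bash
# Added example of a dehydrated hook that builds lighttpd's combined PEM.
# Assumptions (not from the issue): dehydrated passes
#   deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP,
# and the two settings below are placeholders for a real deployment.
LIGHTTPD_PEM_DIR="${LIGHTTPD_PEM_DIR:-/etc/lighttpd/certs}"
LIGHTTPD_RESTART_CMD="${LIGHTTPD_RESTART_CMD:-systemctl restart lighttpd}"

# pem_has_block FILE LABEL: succeed only if FILE has a "-----BEGIN LABEL-----" line.
pem_has_block() {
  grep -q -- "^-----BEGIN ${2}-----\$" "$1" 2>/dev/null
}

# combine_pem CERT KEY OUT: write CERT followed by KEY into OUT (mode 0600).
# Refuses to touch OUT when either input does not look like PEM, so a failed
# renewal cannot replace a working combined file with garbage.
combine_pem() {
  local cert="$1" key="$2" out="$3" tmp
  pem_has_block "$cert" CERTIFICATE \
    || { echo "combine_pem: $cert lacks a CERTIFICATE block" >&2; return 1; }
  pem_has_block "$key" "PRIVATE KEY" || pem_has_block "$key" "RSA PRIVATE KEY" \
    || pem_has_block "$key" "EC PRIVATE KEY" \
    || { echo "combine_pem: $key lacks a PRIVATE KEY block" >&2; return 1; }
  # Build in a temp file next to OUT, then rename, so readers never see a half-written PEM.
  tmp="$(mktemp "${out}.XXXXXX")" || return 1
  chmod 0600 "$tmp"                 # the private key lives here: owner-only access
  cat "$cert" "$key" > "$tmp" && mv -f "$tmp" "$out"
}

# deploy_cert: called by dehydrated once per domain after a successful renewal.
deploy_cert() {
  local domain="$1" keyfile="$2" certfile="$3"   # FULLCHAIN/CHAIN/TIMESTAMP unused here
  combine_pem "$certfile" "$keyfile" "${LIGHTTPD_PEM_DIR}/${domain}.pem" || return 1
  # lighttpd loads certificates at startup, so restart it to pick up the new file.
  $LIGHTTPD_RESTART_CMD
}

# Dispatch the way dehydrated's sample hook does; other hook names are ignored.
case "${1:-}" in
  deploy_cert) shift; deploy_cert "$@" ;;
esac
```

Point dehydrated at this script with its HOOK setting; hooks it does not implement fall through the case statement and do nothing.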
Updated by gstrauss almost 6 years ago
- Status changed from Patch Pending to Fixed
- % Done changed from 0 to 100
Applied in changeset b17d3c2407e204fc22ec12cf9811aee1b0e52df2.
Updated by DavidAnderson684 almost 6 years ago
Thank you! If I use the PayPal donate button on the right, does that go to you?
Updated by gstrauss almost 6 years ago
It goes to us, yes. Thank you for your support.