-
-
Notifications
You must be signed in to change notification settings - Fork 3.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
acme module: support client.answer_challenge for TLS-ALPN-01 #6676
Comments
@bmw why did we revert this again? Something about OpenSSL versions? |
Yeah. We reverted our TLS-ALPN support for the reasons described in #6100 (comment). I personally think we should revisit that decision, but regardless of that, I think we can add support the minor additional support the boulder team wants here. Keeping with our current patterns to make the code work it should be as simple as:
|
@bmw I can probably write a PR based on your description if it would be helpful and you folks can help knock the dust off of my Python knowledge. |
@cpu, that'd be great! |
Hi all! I believe I faced a situation that relates to this issue in some level. Trying to run my client (that uses the acme module) against Pebble I got an error for sending the keyAuthorization. (Relates to #5686) I understand that makes sense since the RFC section 7.5.1 states the following:
Please correct me if I'm wrong, but I believe the acme module does not support this part of the spec. Trying to work around it I tried using an empty Another option is to use a fresh
Which makes pebble happy but it is still not conforming with spec. Shouldn't the Please let me know if I misunderstood something. |
You are right, I encountered the same problem with my work on integration tests. By default from the Remove the We should certainly do something about this, first by adding the capability to send an empty Json as a payload, that is different from an empty payload as you said, and implement that in the challenge negotiation process. |
I think the concern about sending the deprecated key authorization when POSTing a challenge is valid but separate from this issue (specifically about implementing challenge POSTs for TLS-ALPN-01) |
I agree that this is a separate issue. Thanks for reporting it though @jrodcla! If you're interested, I would love to see an issue/PR created for the problem you describe. |
Is there a timeline to add support to Certbot for certificate renews using TLS-ALPN-01? I am using the nginx plugin. I am getting the following trying to upgrade to the more secure certbot --preferred-challenges tls-alpn-01
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: xxx.yyy.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Cert not yet due for renewal
You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /usr/local/etc/letsencrypt/renewal/xxx.yyy.com.conf)
What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
Performing the following challenges:
None of the preferred challenges are supported by the selected plugin |
@nngo, the issue discussed here is separate from the one you're describing. If you'd like to discuss the possibility of getting TLS-ALPN-01 support getting added to Certbot, please open a new issue. |
|
The existing `acme.TLSALPN01` challenge class did not have a `response_cls`, meaning it was not possible to use a tls-alpn-01 challenge with `client.answer_challenge`. To support the above a simple `TLSALPN01Response` class is added that doesn't provide the ability to solve a tls-alpn-01 challenge end to end (e.g. generating and serving the correct response certificate) but that does allow the challenge to be initiated. This is sufficient for users that have set up the challenge response independent of the `acme` module code. Resolves #6676
After #6144 landed Boulder had to switch away from using an up to date Certbot clone for our integration tests.
We don't rely on Certbot's
acme
module to create or serve TLS-ALPN-01 challenge response certificates (we usepebble-challtestsrv
for this), but we do rely on theacme
module for initiating challenges. E.g. indo_tls_alpn_challenges
in ourchisel.py
test client we call:where
c
is aacme.ChallengeBody
with typeTLSALPN01
.If we remove this commit pin then
answer_challenge
begins to fail:We could potentially work around this by figuring out the right way to use the
acme
module to prepare a signed JWS body using the account key that we can POST to the challenge URI ourselves but I think that's a little yucky: we'd be duplicating a lot of theacme
module's existing code. It also means other projects that use theacme
module may have to do the same in the future.With all of the specified ACME challenge types that exist today the client can POST a JWS with the trivial
{}
payload to initiate the challenge without needing to know anything about the actual process of solving the challenge. E.g. it can be totally challenge type agnostic.Would the Certbot team be willing to add support for initiating a TLS-ALPN-01 challenge?
Thanks!
The text was updated successfully, but these errors were encountered: