
TLS-ALPN01 challenge support #588

Open
@kariustobias

Description

Does Posh-ACME support the TLS-ALPN-01 challenge? I read in the documentation that publishing the challenge should be supported, but is it implemented yet? If not, are there any plans to implement it in the future?

Activity

rmbolger self-assigned this on Nov 20, 2024

rmbolger (Owner) commented on Nov 20, 2024

Unfortunately, tls-alpn-01 is not yet supported in any meaningful way. Technically, the challenge data is available in the authorization objects for a given order (Get-PAAuthorization). If you can find a way to "publish" the challenge to an ALPN capable web server, you could then use Send-ChallengeAck to have the ACME CA validate it and then finalize and complete the order. But there's nothing in the module to help with that "publish" step.

The problem is that the protocol lives in the TLS implementation of the web server. And historically, not a lot of web servers are even capable of using ALPN, let alone programmatically. Realistically any sort of alpn plugin would have to be web server specific. A self-hosted plugin using .NET's Kestrel web server might be possible. But I don't really have the expertise to figure it out unless someone else had already done it on another .NET open source project. And it would probably never work with PowerShell 5.1 where Kestrel doesn't exist.

webprofusion-chrisc (Contributor) commented on Nov 21, 2024

I've seen some clients do ALPN themselves but you need exclusive control of port 443 (meaning you can't be using it for other https stuff), because you are directly controlling the TLS conversation at a fairly low level, at least during validation.

If you can't use HTTP domain validation, consider DNS. If you can't do DNS, I'm happy to provide suggestions on how you probably can.
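The manual workflow rmbolger describes (read the tls-alpn-01 challenge from the authorization, "publish" it, call Send-ChallengeAck, then finalize and complete the order) and the caveat from webprofusion-chrisc (you must own port 443 outright while validating) can be put together without any web server, because the only thing the CA needs is a TLS handshake that negotiates ALPN "acme-tls/1" and presents a self-signed certificate carrying the RFC 8737 acmeIdentifier extension. The script below is an added example written for this page; it is not part of Posh-ACME. It assumes PowerShell 7+ (System.Net.Security.SslApplicationProtocol does not exist on the 5.1 runtime), that Posh-ACME already has an account and an order for the domain (New-PAOrder), and that the machine it runs on is what the domain resolves to and can bind TCP 443. The cmdlets Get-PAOrder, Set-PAOrder, Get-PAAuthorization and Send-ChallengeAck are the ones named or implied in the thread; Get-KeyAuthorization, Submit-OrderFinalize and Complete-PAOrder are used under the assumption that they are the module's exported helpers for the key authorization and the finalize/complete steps, so confirm them with `Get-Command -Module Posh-ACME` on your install.

```powershell
# Added example for this thread, not Posh-ACME code: publish a tls-alpn-01 challenge
# with a bare SslStream listener, then ask the CA to validate, finalize and complete.
# Assumptions: PowerShell 7+, an existing Posh-ACME account and order for $Domain,
# exclusive control of TCP $Port on the host $Domain resolves to. Cmdlet names
# Get-KeyAuthorization, Submit-OrderFinalize and Complete-PAOrder are assumed; verify.
using namespace System.Net
using namespace System.Net.Sockets
using namespace System.Net.Security
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

param(
    [Parameter(Mandatory)][string]$Domain,
    [int]$Port = 443,
    [int]$TimeoutSec = 120
)

# 1. Make the order current and pull the pending tls-alpn-01 challenge out of its authorization.
Set-PAOrder -MainDomain $Domain
$order = Get-PAOrder
$auth  = $order | Get-PAAuthorization | Where-Object { $_.identifier.value -eq $Domain } | Select-Object -First 1
$chal  = $auth.challenges | Where-Object { $_.type -eq 'tls-alpn-01' } | Select-Object -First 1
if (-not $chal) { throw "The CA offered no tls-alpn-01 challenge for $Domain." }

# 2. RFC 8737 section 3: the certificate must carry SHA-256(key authorization) in a
#    critical acmeIdentifier extension (OID 1.3.6.1.5.5.7.1.31), DER-encoded as OCTET STRING,
#    and a SAN containing exactly the name being validated.
$keyAuth = Get-KeyAuthorization -Token $chal.token
$digest  = [SHA256]::Create().ComputeHash([Text.Encoding]::ASCII.GetBytes($keyAuth))
$acmeIdentifierDer = [byte[]](0x04, 0x20) + $digest      # 0x04 OCTET STRING tag, 0x20 = 32-byte length

$rsa = [RSA]::Create(2048)
$req = [CertificateRequest]::new("CN=$Domain", $rsa, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$san = [SubjectAlternativeNameBuilder]::new()
$san.AddDnsName($Domain)
$req.CertificateExtensions.Add($san.Build())
$req.CertificateExtensions.Add([X509Extension]::new('1.3.6.1.5.5.7.1.31', $acmeIdentifierDer, $true))
$now  = [DateTimeOffset]::UtcNow
$cert = $req.CreateSelfSigned($now.AddMinutes(-5), $now.AddDays(1))
# Round-trip through PFX so the private key is usable by SslStream on Windows as well as Linux.
$cert = [X509Certificate2]::new($cert.Export([X509ContentType]::Pfx), '', [X509KeyStorageFlags]::Exportable)

# 3. Offer only ALPN "acme-tls/1"; the CA aborts if any other protocol is negotiated.
$alpn = [Collections.Generic.List[SslApplicationProtocol]]::new()
$alpn.Add([SslApplicationProtocol]::new('acme-tls/1'))
$tlsOpts = [SslServerAuthenticationOptions]@{
    ServerCertificate         = $cert
    ApplicationProtocols      = $alpn
    ClientCertificateRequired = $false
}

$listener = [TcpListener]::new([IPAddress]::Any, $Port)
$listener.Start()
try {
    # 4. Tell the CA the challenge is ready, then answer handshakes (Let's Encrypt validates
    #    from several vantage points, so expect more than one) until the status settles.
    Send-ChallengeAck -ChallengeUrl $chal.url
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    $nextPoll = Get-Date
    $status   = 'pending'
    while ($status -in 'pending', 'processing' -and (Get-Date) -lt $deadline) {
        if ($listener.Pending()) {
            $client = $listener.AcceptTcpClient()
            $ssl    = [SslStream]::new($client.GetStream(), $false)
            try {
                $ssl.AuthenticateAsServerAsync($tlsOpts, [Threading.CancellationToken]::None).GetAwaiter().GetResult()
                $negotiated = $ssl.NegotiatedApplicationProtocol.ToString()
                if ($negotiated -ne 'acme-tls/1') { Write-Warning "Client $($client.Client.RemoteEndPoint) negotiated '$negotiated', not acme-tls/1" }
                else { Write-Host "Served challenge certificate to $($client.Client.RemoteEndPoint)" }
            } catch {
                Write-Warning "Handshake failed: $($_.Exception.Message)"   # stray non-ACME probes land here
            } finally {
                $ssl.Dispose(); $client.Dispose()
            }
        } else {
            Start-Sleep -Milliseconds 250
        }
        if ((Get-Date) -ge $nextPoll) {                                   # re-read status every 2 s, not per loop
            $status = ($order | Get-PAAuthorization | Where-Object { $_.identifier.value -eq $Domain } |
                       ForEach-Object { $_.challenges } | Where-Object { $_.url -eq $chal.url }).status
            $nextPoll = (Get-Date).AddSeconds(2)
        }
    }
} finally {
    $listener.Stop()
}

if ($status -ne 'valid') { throw "tls-alpn-01 for $Domain ended in status '$status'." }

# 5. The remaining steps from the comment: finalize the current order and fetch the certificate.
Submit-OrderFinalize
Complete-PAOrder
```

Run it as root/Administrator on the host the name points to, e.g. `.\Publish-TlsAlpn01.ps1 -Domain example.com`. The listener holds port 443 for the whole validation window and serves nothing but the challenge certificate, which is the trade-off webprofusion-chrisc describes: anything else on that port (a production HTTPS site, a reverse proxy) has to be stopped or moved first. The certificate is throwaway; it is never written to disk and is only ever presented to clients that ask for acme-tls/1.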


Labels: question
