tls-alpn-01 IS supported by Apache #1491

Open
tlhackque opened this issue Jan 4, 2023 · 0 comments
@tlhackque
The tls-alpn-01 section of https://letsencrypt.org/docs/challenge-types/ (still) states:

> It’s not supported by Apache, Nginx, or Certbot, and probably won’t be soon.

This isn't true. It wasn't true in the summer of 21 when last I reported this. At that point, apache httpd had supported tls-alpn-01 for over a year.

See https://httpd.apache.org/docs/trunk/mod/mod_md.html ("Available in version 2.4.30 and later"). Prior to that it was available as an add-on kit (patches to httpd-core + mod_md itself).

@icing put a lot of work into developing this, with LE in mind (I also had a small part in it).

It's hard to understand why there is such difficulty in getting the documentation to reflect the reality that tls-alpn-01 has mainstream support. I would think it something that LE would want to publicize...

In fact, mod_md also provides transparent support for http-01 entirely within the server - no disk file, no permissions setup - it just knows what to do with those challenges. And it supports DNS-01 (but requires an external script to perform the updates). It manages renewal timing without the need for externally timed (e.g. cron) jobs. It's capable of requesting certificates for other servers and delivering them (via external scripts run by httpd) in various modes.

It would be great if someone would at least remove the denial of tls-alpn-01 support. Even better if the documentation also pointed out that external scripts/programs (including certbot) and timed jobs to run them are not required when a webserver, such as Apache httpd, has fully integrated support built-in. It's actually the most painless way to use LE.

Thanks.
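For readers who want to see what the integrated setup described above looks like, here is an added example httpd configuration (it is not from the issue or from the mod_md project). Directive names follow the mod_md documentation linked above; `example.com`, the contact address, the document root and the script paths are placeholders.

```apache
# Illustrative httpd configuration (added example; not from the issue or the mod_md project).
# Directive names follow the mod_md documentation; example.com, the e-mail address,
# the document root and the script paths are placeholders.
LoadModule md_module       modules/mod_md.so
LoadModule ssl_module      modules/mod_ssl.so
# mod_md schedules its own renewals through mod_watchdog; no cron job is involved.
LoadModule watchdog_module modules/mod_watchdog.so

# ACME account details: Let's Encrypt production directory and terms acceptance.
MDCertificateAuthority https://acme-v02.api.letsencrypt.org/directory
MDCertificateAgreement accepted
MDContactEmail hostmaster@example.com

# Challenge preference: tls-alpn-01 first; http-01 is tried only if tls-alpn-01 cannot be used.
# Both are answered inside httpd, so nothing is written under /.well-known/acme-challenge.
MDCAChallenges tls-alpn-01 http-01

# dns-01 is also available, but needs an external script to update DNS (placeholder path):
# MDChallengeDns01 /usr/local/sbin/md-dns01.sh

# Renew when a third of the certificate lifetime remains.
MDRenewWindow 33%

# Optional hook for lifecycle events (renewed, expiring, errored, ...), e.g. to alert
# operators or distribute the certificate to other hosts (placeholder path).
MDMessageCmd /usr/local/sbin/md-notify.sh

# The managed domain: all names here go on one certificate.
MDomain example.com www.example.com

<VirtualHost *:443>
    ServerName  example.com
    ServerAlias www.example.com
    # acme-tls/1 is the ALPN protocol id used by the tls-alpn-01 challenge;
    # listing it lets mod_md answer the challenge handshake itself.
    Protocols h2 http/1.1 acme-tls/1
    SSLEngine on
    # No SSLCertificateFile / SSLCertificateKeyFile: mod_md hands the obtained
    # certificate and key to mod_ssl, and replaces them on renewal.
    DocumentRoot /var/www/example
</VirtualHost>
```

The operational point for a defender is that no external ACME client, no cron entry, and no web-writable challenge directory exist on the host; the only things to monitor are httpd's own error log and whatever `MDMessageCmd` reports on `errored` or `expiring` events.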
