Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [jetty-users] TLS ALPN ACME Lets Encrypt challange

Moin Simone,

Aries SPI FLY can create startup timing issues, as stated on the project. SPI FLY MUST be up and running before any JDK service providers are resolved. Thats why I created a connection factory with a OSGi service-tracker.

The bundles are resolving now and the ALPN processor is registered and ready for the ACME challenge implementation. Since I use OpenJDK 8u252 or later, ALPN is not needed on the extended classpath as a boot feature. I am using the mortbay ALPN bundle for reference and not the one as provided by the Jetty project, as pax-web-jetty 7.x has an optional dependency on the mortbay bundle and if it loads and initializes my ALPN processor, which is using the ALPN API, this should match due to the shared classloader between pax-web-jetty and the fragment containing the connection factory. I created an API fragment bundle containing my AlpnServerConnectionFactory and AlpnServerConnection that the pax-web-jetty bundle will host so it can load and create the classes if the Jetty XML gets parsed. The factory has the bespoken OSGi ServiceTracker that tracks ALPNProcessor.Server services, providing the ALPN processor for the AMCE TLS challenge.
It always seems so simple once it is running, now I need a test client.

On 24/11/2022 19:13, Simone Bordet wrote:

On Thu, Nov 24, 2022 at 3:56 PM Info <info@xxxxxxxxxx> wrote:

my suspicion is that the Jetty XML being declarative and thus not
directly handled by the OSGi runtime, is causing the timing troubles.
I doubt it. We have XML files working fine with OSGi.
You still don't say what exactly is the problem you're having.
Can you setup a default HTTP/2 server?
If you can, that should be enough.

But I am right about the staging of the ACME challenge I have to perform
in order to get a new Lets Encypt SSL certificate?
Cannot parse the above.
I don't think you must perform the ACME challenge; you receive it and
you have to answer it.
The link does not report in detail how it would work with the
TLS-ALPN-01, which is reported here:

Did not get to a test because Pax Web uses the org.mortbay.jetty.alpn
dependency instead of the org.eclipse.jetty.alpn one, building a
fragment for that one now.
As I said, I don't think you should do anything wrt Jetty or OSGi.
Just setup a Jetty server and add the "acme-tls/1" ALPN protocol.

Back to the top