Re: [jetty-users] TLS ALPN ACME Let's Encrypt challenge

Hi,

On Wed, Nov 30, 2022 at 7:29 PM Lothar Kimmeringer <job@xxxxxxxxxxxxxx> wrote:
> The client in question is acme4j and the part between the ACME-
> server and that client up to the point where the necessary
> data is available for the creation of the certificate is done
> there. But then you need to make sure that said certificate
> is used by the corresponding ALPN processor which is where
> Maurice's question was pointed (I suppose because that's my
> question at this point after reading the thread). [1]

Sure. Preparing the certificate with the right extensions is outside
of Jetty's scope.
Let's say you do it manually, although I imagine you can do it automatically.
You prepare the certificate into a KeyStore, point Jetty at that
KeyStore and start Jetty with
"jetty.alpn.protocols=acme-tls/1,http/1.1".
This sets up your "TLS server" (as per wording of the RFC) with
support for ACME TLS-ALPN-01 and for HTTP/1.1.

At this point a browser connecting to your TLS server will receive an
"insecure site, self-signed certificate" message, but you can persist
and browse.

If the ACME server (i.e. the CA) contacts your TLS server, it will
open a connection, negotiate the ALPN protocol "acme-tls/1"
successfully, and the TLS server will send the certificate during the
TLS handshake.
The ACME server will receive the certificate and validate it.
Jetty's work is finished.

At this point it is my understanding that the ACME client should
contact the ACME server and download the CA-signed certificate, and
then alert the sysop in some way (outside of Jetty scope).
Once the sysop has the certificate, they will install it in the KeyStore
(or create a new KeyStore and use Jetty's KeyStoreScanner to reload
it), again a manual step (that can probably be automated) that is
outside Jetty's scope.

> Your answer "nothing needs to be done" doesn't sound right,
> there must be some way to provide that self-signed certificate
> at a time after startup of the server (and make it unavailable
> after successful authentication at the CA) so at some point you
> need to get your hand on an existing processor to "set" the
> certificate to be used or create your own implementation of such
> a processor in order to be able to do the same.

See above, the self-signed certificate is automatically provided to
the CA (the ACME server) when it makes a connection with the
"acme-tls/1" ALPN protocol to the TLS server, during the TLS
handshake.
There is nothing that a Jetty user needs to do, apart from setting up
the KeyStore properly and configuring the ALPN protocols: no code to
write, only configuration.

-- 
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.
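A pre-flight check for the setup described above, added here and not part of Simone's reply, of Jetty, or of acme4j: it connects to the Jetty TLS server the way the ACME server does (offering only the "acme-tls/1" ALPN protocol) and confirms that the certificate served from the KeyStore carries the critical acmeIdentifier extension (OID 1.3.6.1.5.5.7.1.31, RFC 8737) whose digest matches the key authorization for the challenge. The host name, port, challenge token and account-key thumbprint are assumed placeholders.

```python
import hashlib
import socket
import ssl
from typing import Optional, Tuple

# DER encoding of id-pe-acmeIdentifier, OID 1.3.6.1.5.5.7.1.31 (RFC 8737).
ACME_IDENTIFIER_OID = bytes.fromhex("06082b0601050507011f")
# Bytes that must follow the OID: critical BOOLEAN TRUE, OCTET STRING(34) wrapping OCTET STRING(32).
EXT_PREFIX = bytes.fromhex("0101ff04220420")


def key_authorization_digest(token: str, account_thumbprint: str) -> bytes:
    """SHA-256 of the key authorization "token.thumbprint" (RFC 8555 section 8.1),
    the value the CA expects to find inside the challenge certificate."""
    return hashlib.sha256(f"{token}.{account_thumbprint}".encode("ascii")).digest()


def acme_identifier_digest(der_cert: bytes) -> Optional[bytes]:
    """Return the 32-byte digest from the critical acmeIdentifier extension, or None
    if it is absent or not critical. A byte-pattern scan, not a full X.509 parser."""
    i = der_cert.find(ACME_IDENTIFIER_OID)
    if i < 0:
        return None
    j = i + len(ACME_IDENTIFIER_OID)
    if der_cert[j:j + len(EXT_PREFIX)] != EXT_PREFIX:
        return None
    start = j + len(EXT_PREFIX)
    return der_cert[start:start + 32]


def probe(host: str, port: int, server_name: str) -> Tuple[Optional[str], bytes]:
    """Open a TLS connection offering only "acme-tls/1", as the ACME server does,
    and return the negotiated ALPN protocol plus the DER certificate presented."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # the challenge certificate is self-signed by design
    ctx.set_alpn_protocols(["acme-tls/1"])
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            return tls.selected_alpn_protocol(), tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Assumed values: your Jetty host, the challenge token and the account key's
    # JWK thumbprint (both known to the ACME client, e.g. acme4j).
    alpn, der = probe("jetty.example.invalid", 443, "jetty.example.invalid")
    expected = key_authorization_digest("CHALLENGE_TOKEN", "ACCOUNT_KEY_THUMBPRINT")
    print("ALPN negotiated:", alpn)
    print("acmeIdentifier matches key authorization:", acme_identifier_digest(der) == expected)
```

If the ALPN printed is not "acme-tls/1" the jetty.alpn.protocols setting is not in effect; if the digest does not match, the KeyStore holds the wrong (or an outdated) challenge certificate.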