Re: [jetty-users] TLS ALPN ACME Lets Encrypt challenge
Hi,

On Wed, Nov 30, 2022 at 7:29 PM Lothar Kimmeringer <job@xxxxxxxxxxxxxx> wrote:
> The client in question is acme4j and the part between the ACME-
> server and that client up to the point where the necessary
> data is available for the creation of the certificate is done
> there. But then you need to make sure that said certificate
> is used by the corresponding ALPN processor which is where
> Maurice's question was pointed (I suppose because that's my
> question at this point after reading the thread).

Sure. Preparing the certificate with the right extensions is outside of Jetty's scope. Let's say you do it manually, although I imagine you can do it automatically.

You prepare the certificate into a KeyStore, point Jetty at that KeyStore and start Jetty with "jetty.alpn.protocols=acme-tls/1,http/1.1". This sets up your "TLS server" (as per the wording of the RFC) with support for ACME TLS-ALPN-01 and for HTTP/1.1.

At this point a browser connecting to your TLS server will receive an "insecure site, self-signed certificate" message, but you can persist and browse.

If the ACME server (i.e. the CA) contacts your TLS server, it will open a connection, negotiate the ALPN protocol "acme-tls/1" successfully, and the TLS server will send the certificate during the TLS handshake. The ACME server will receive the certificate and validate it. Jetty's work is finished.

At this point it is my understanding that the ACME client should contact the ACME server and download the CA-signed certificate, and then alert the sysop in some way (outside of Jetty's scope). Once the sysop has the certificate, they will install it in the KeyStore (or create a new KeyStore and use Jetty's KeyStoreScanner to reload it), again a manual step (that can probably be automated) that is outside Jetty's scope.
> Your answer "nothing needs to be done" doesn't sound right,
> there must be some way to provide that self signed certificate
> at a time after startup of the server (and make it unavailable
> after successful authentication at the CA) so at some point you
> need to get your hand on an existing processor to "set" the
> certificate to be used or create an own implementation of such
> a processor in order to be able to do the same.

See above, the self-signed certificate is automatically provided to the CA (the ACME server) when it makes a connection with the "acme-tls/1" ALPN protocol to the TLS server, during the TLS handshake.

There is nothing that a Jetty user needs to do, apart from setting up the KeyStore properly and configuring the ALPN protocols: no code to write, only configuration.

--
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support from the Jetty & CometD experts.
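The three steps Simone describes (challenge certificate into a KeyStore, Jetty serving that KeyStore with "acme-tls/1" and "http/1.1" as ALPN protocols, KeyStoreScanner reloading once the CA-signed certificate lands) in embedded-Jetty form, as an added example that is not part of the thread and is neither Jetty's nor acme4j's own code. Assumptions: Jetty 10 with the jetty-alpn-java-server module on the classpath, acme4j 2.x, whose CertificateUtils.createTlsAlpn01Certificate and TlsAlpn01Challenge.getAcmeValidation are assumed to be available with the signatures used here, and a hypothetical KeyStore path, password and alias. The ACME account, order and authorization handling that produces the TlsAlpn01Challenge is left to acme4j and is not shown.

```java
import java.io.FileOutputStream;
import java.nio.file.Path;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.cert.X509Certificate;

import org.eclipse.jetty.alpn.server.ALPNServerConnectionFactory;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.KeyStoreScanner;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.shredzone.acme4j.Identifier;
import org.shredzone.acme4j.challenge.TlsAlpn01Challenge;
import org.shredzone.acme4j.util.CertificateUtils;

public class AcmeTlsAlpnJetty {
    // Hypothetical deployment values; not from the thread.
    static final Path KEYSTORE = Path.of("/etc/jetty/acme.p12");
    static final String KEYSTORE_PASSWORD = "changeit";
    static final String ALIAS = "jetty";

    /**
     * Step 1 (ACME client side, acme4j; outside Jetty's scope): build the
     * self-signed certificate carrying the acmeIdentifier extension for the
     * challenge and write it into the KeyStore that Jetty serves from.
     * Uses a fresh key pair; the CSR for the real certificate should use its own.
     */
    static void installChallengeCertificate(TlsAlpn01Challenge challenge, Identifier identifier) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256);
        KeyPair keyPair = kpg.generateKeyPair();
        X509Certificate cert = CertificateUtils.createTlsAlpn01Certificate(
                keyPair, identifier, challenge.getAcmeValidation());
        storeInKeyStore(keyPair, cert);
        // After this returns, call challenge.trigger() so the CA connects with ALPN "acme-tls/1".
    }

    /**
     * Shared for step 1 and step 3: (re)write the KeyStore file. KeyStoreScanner
     * watches the file's last-modified time, so rewriting it is what triggers the reload.
     * Used again with the CA-signed chain once the ACME client has downloaded it.
     */
    static void storeInKeyStore(KeyPair keyPair, X509Certificate... chain) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        ks.setKeyEntry(ALIAS, keyPair.getPrivate(), KEYSTORE_PASSWORD.toCharArray(), chain);
        try (FileOutputStream out = new FileOutputStream(KEYSTORE.toFile())) {
            ks.store(out, KEYSTORE_PASSWORD.toCharArray());
        }
    }

    /**
     * Step 2 (Jetty side): the embedded equivalent of starting Jetty with
     * jetty.alpn.protocols=acme-tls/1,http/1.1 pointed at the KeyStore above.
     * "acme-tls/1" only has to be negotiable during the handshake; no connection
     * factory for it is registered because the CA needs nothing after the handshake.
     */
    static Server buildServer(int port) throws Exception {
        Server server = new Server();

        SslContextFactory.Server ssl = new SslContextFactory.Server();
        ssl.setKeyStorePath(KEYSTORE.toString());
        ssl.setKeyStorePassword(KEYSTORE_PASSWORD);
        ssl.setCertAlias(ALIAS);

        HttpConfiguration httpsConfig = new HttpConfiguration();
        httpsConfig.setSecureScheme("https");
        httpsConfig.setSecurePort(port);
        httpsConfig.addCustomizer(new SecureRequestCustomizer());
        HttpConnectionFactory http11 = new HttpConnectionFactory(httpsConfig);

        ALPNServerConnectionFactory alpn = new ALPNServerConnectionFactory("acme-tls/1", "http/1.1");
        alpn.setDefaultProtocol(http11.getProtocol()); // browsers without ALPN still get HTTP/1.1
        SslConnectionFactory tls = new SslConnectionFactory(ssl, alpn.getProtocol());

        ServerConnector connector = new ServerConnector(server, tls, alpn, http11);
        connector.setPort(port);
        server.addConnector(connector);

        // Step 3: pick up the CA-signed certificate when the KeyStore file is rewritten,
        // without restarting the server (the manual/automated step Simone mentions).
        KeyStoreScanner scanner = new KeyStoreScanner(ssl);
        scanner.setScanInterval(10); // seconds between checks of the KeyStore's mtime
        server.addBean(scanner);
        return server;
    }

    public static void main(String[] args) throws Exception {
        Server server = buildServer(443);
        server.start();
        server.join();
    }
}
```

Order of operations matters: write the challenge KeyStore and let KeyStoreScanner (or a server start) load it before calling challenge.trigger(), since the CA may connect immediately; once acme4j has downloaded the signed chain, call storeInKeyStore again with the CSR's key pair and that chain, and the next scan swaps the self-signed challenge certificate out, which is also what makes it "unavailable" afterwards.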