Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [jetty-users] TLS ALPN ACME Lets Encrypt challange


On Thu, Dec 1, 2022 at 6:14 PM Lothar Kimmeringer <job@xxxxxxxxxxxxxx> wrote:
> Let's say, I want to do that during runtime without a (production)
> server being required to be shut down. The authorization process ALPN
> might be required at any given time, i.e. you have a passed
> authorization up until today and the next time you want to refresh
> your existing certificate the ACME-server tells you that you need to
> do it again.
> That means that you need a mechanism that allows me to tell
> the ALPN-processor to use a particular (and different)
> certificate for a TLS-request containing a specific SNI.
> That's quite a bummer if we're talking about a production HTTP-server
> that currently serves important stuff that immediately stops
> working because all of them get this warning as well. The special
> certificate should only be used for TLS-requests with a specific
> SNI in the handshake (and should stop serving the certificate
> after the authorization process is finished).
> So starting in an exclusive "ACME-authorization" mode like your
> suggestion would lead in my eyes, isn't an option which is why
> I have this question, how to "get access" to the ALPN-processor
> and be able to provide certificates to be used dynamically. BTW:
> I already have my own SSLContextFactory creating my own KeyStore-
> instances that allow me to get certificates from a database rather
> than a file. So the dynamic retrieval of certificates as such
> isn't the problem here, just the "how to tell the processor about it".

I understand that you don't want to see "downtime" during renewal.

The TLS-ALPN-01 challenge works at the TLS level, so what needs to be
done is to tell the TLS implementation what certificate to use based
on the negotiated ALPN protocol.
This is currently not supported by Jetty, but I think it will be
possible to support it via a KeyManager wrapper, similarly to what we
do for SNI.

So it's not about "how to tell the processor", it is about "how to
tell the TLS implementation".

If you already have your own SslContextFactory, just extend it to wrap
the KeyManagers to return an "acme" alias when the ALPN protocol is

Open an issue at, and
we'll use it for discussion.
If you implement it, please contribute it via a pull request. Thanks! :)

Simone Bordet
Developer advice, training, services and support
from the Jetty & CometD experts.

Back to the top