
tls-alpn-01 IS supported by Apache #1491

Open
tlhackque opened this issue Jan 4, 2023 · 2 comments

@tlhackque

The tls-alpn-01 section of https://letsencrypt.org/docs/challenge-types/ (still) states:

> It’s not supported by Apache, Nginx, or Certbot, and probably won’t be soon.

This isn't true. It wasn't true in the summer of 21 when last I reported this. At that point, apache httpd had supported tls-alpn-01 for over a year.

See https://httpd.apache.org/docs/trunk/mod/mod_md.html
"Available in version 2.4.30 and later". Prior to that, it was available as an add-on kit (patches to httpd-core + mod_md itself).

@icing put a lot of work into developing this, with LE in mind (I also had a small part in it).

It's hard to understand why there is such difficulty in getting the documentation to reflect the reality that tls-alpn-01 has mainstream support. I would think it something that LE would want to publicize...

In fact, mod_md also provides transparent support for http-01 entirely within the server - no disk file, no permissions setup - it just knows what to do with those challenges. And it supports DNS-01 (but requires an external script to perform the updates). It manages renewal timing without the need for externally timed (e.g. cron) jobs. It's capable of requesting certificates for other servers and delivering them (via external scripts run by httpd) in various modes.

It would be great if someone would at least remove the denial of tls-alpn-01 support. Even better if the documentation also pointed out that external scripts/programs (including certbot) and timed jobs to run them are not required when a webserver, such as Apache httpd, has fully integrated support built-in. It's actually the most painless way to use LE.

Thanks.
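For readers who want to see what the integrated setup described above looks like, here is an added example httpd configuration (not part of the issue and not copied from the mod_md documentation) that has mod_md obtain and renew a certificate via tls-alpn-01 with no external ACME client or cron job. The hostnames, contact address and module paths are placeholders; it assumes httpd 2.4.41 or later, the first version the reporter recommends, since `MDCertificateAgreement accepted` and `MDContactEmail` take this form from that release.

```apache
# Added example, not from the issue or the mod_md project docs.
# Assumes httpd >= 2.4.41 with mod_ssl, mod_md and mod_watchdog available.
# example.com / hostmaster@example.com / module paths are placeholders.

LoadModule ssl_module      modules/mod_ssl.so
LoadModule watchdog_module modules/mod_watchdog.so   # mod_md's renewal timer runs on mod_watchdog
LoadModule md_module       modules/mod_md.so

# Accept the CA's terms and give it a contact address (Let's Encrypt is the default CA).
MDCertificateAgreement accepted
MDContactEmail hostmaster@example.com

# Restrict validation to tls-alpn-01; the default would also allow http-01 and dns-01.
MDCAChallenges tls-alpn-01

# All names that must appear in the certificate. mod_md requests, stores and renews it.
MDomain example.com www.example.com

<VirtualHost *:443>
    ServerName  example.com
    ServerAlias www.example.com

    # acme-tls/1 must be advertised: the CA's validation connection negotiates that ALPN
    # protocol and mod_md answers it with the challenge certificate. Without it, tls-alpn-01 fails.
    Protocols h2 http/1.1 acme-tls/1

    SSLEngine on
    # No SSLCertificateFile/SSLCertificateKeyFile here: mod_md supplies them for the MDomain.
</VirtualHost>

# Optional: a local-only status page to verify that the domain is "ok" and see the next renewal time.
<Location "/md-status">
    SetHandler md-status
    Require ip 127.0.0.1 ::1
</Location>
```

After a restart, mod_md requests the certificate in the background; the first successful issuance needs a further reload (the `md-status` page and the error log show when it is ready). Because the challenge is answered inside the TLS handshake, nothing is written to the document root and no inbound port 80 listener is needed for validation, which is the "no disk file, no permissions setup" point the issue makes.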

@sebma

sebma commented Jan 6, 2025

@tlhackque Great, do you know which release of Apache started supporting the TLS-ALPN-01 challenge?

@tlhackque (Author)

> @tlhackque Great, do you know which release of Apache started supporting the TLS-ALPN-01 challenge?

Any version with mod_md.

As noted in the 6th line of my comment: the first integrated version is 2.4.30 per the HTTPD docs. Released in httpd 2.4.33 per https://icing.github.io/mod_md/, but the first recommended version would be in httpd 2.4.41.

As also noted, for prior versions of httpd, mod_md can be built from https://github.com/icing/mod_md, although httpd may require patches (specifically, mod_ssl).

Although the formal status is 'experimental', it has been stable for several years and @icing continues to support it - as can be seen at https://github.com/icing/mod_md/releases.

(@icing: Perhaps it's time to upgrade the formal status to 'extension'...)
