Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add HTTPS Protocol Support for CHALLENGE_CHECK_TYPE in getssl #864

Closed
Khan-Tzar opened this issue Nov 4, 2024 · 2 comments
Closed

Add HTTPS Protocol Support for CHALLENGE_CHECK_TYPE in getssl #864

Khan-Tzar opened this issue Nov 4, 2024 · 2 comments

Comments

@Khan-Tzar
Copy link

Currently, getssl only supports HTTP for the CHALLENGE_CHECK_TYPE option, with CHALLENGE_CHECK_TYPE="http" hardcoded as the only available setting. This configuration limits flexibility in environments where HTTPS is required for ACME challenges, particularly in situations where HTTP requests are restricted or disabled for security reasons.

Could you consider adding an option to allow CHALLENGE_CHECK_TYPE="https" in addition to the default HTTP protocol. This feature would enable verification over HTTPS, expanding getssl's versatility and compatibility in secured environments. Additionally, HTTPS support for ACME challenges aligns with modern security practices and enables environments that enforce strict HTTPS-only policies to utilize getssl without requiring workarounds.

@githubRover
Copy link

Do you mean the TLS-ALPN-01 challenge? Because the ACME API does not have an "https" one. It is not a matter of getssl supporting it. It is that Let's Encrypt must support it (and that it be an allowed method in the ACME standard).

https://letsencrypt.org/docs/challenge-types/

Discussion of different challenge types is probably best done at https://community.letsencrypt.org

But, tls-apln requires specific support in the web server (or alternate listener) to process the incoming challenge from Let's Encrypt. Apache has this in its mod_md module, for example. Various other server proxy products like caddy also have this.

In other cases, the main alternative if HTTP challenge is not acceptable is to use the DNS challenge.

@Khan-Tzar
Copy link
Author

Then we can close the issue if this is the standard.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants