
tls-alpn-01 IS supported by Apache

Open tlhackque opened this issue 2 years ago • 2 comments

The tls-alpn-01 section of https://letsencrypt.org/docs/challenge-types/ (still) states: "It’s not supported by Apache, Nginx, or Certbot, and probably won’t be soon."

This isn't true. It wasn't true in the summer of '21 when I last reported this. At that point, Apache httpd had supported tls-alpn-01 for over a year.

See https://httpd.apache.org/docs/trunk/mod/mod_md.html: "Available in version 2.4.30 and later." Prior to that it was available as an add-on kit (patches to httpd-core + mod_md itself).

@icing put a lot of work into developing this, with LE in mind (I also had a small part in it).

It's hard to understand why there is such difficulty in getting the documentation to reflect the reality that tls-alpn-01 has mainstream support. I would think it something that LE would want to publicize...

In fact, mod_md also provides transparent support for http-01 entirely within the server - no disk file, no permissions setup - it just knows what to do with those challenges. And it supports DNS-01 (but requires an external script to perform the updates). It manages renewal timing without the need for externally timed (e.g. cron) jobs. It's capable of requesting certificates for other servers and delivering them (via external scripts run by httpd) in various modes.

It would be great if someone would at least remove the denial of tls-alpn-01 support. Even better if the documentation also pointed out that external scripts/programs (including certbot) and timed jobs to run them are not required when a webserver, such as Apache httpd, has fully integrated support built-in. It's actually the most painless way to use LE.

Thanks.

tlhackque avatar Jan 04 '23 00:01 tlhackque
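As an added illustration of the integrated setup the issue describes (this is example configuration written for this page, not from the issue, the Let's Encrypt docs or the mod_md project), the following httpd.conf fragment lets mod_md obtain and renew certificates using tls-alpn-01 (with http-01 as fallback) for one domain and dns-01 for another. Domain names, the contact address, module paths and the hook script paths are placeholders; the directive names are mod_md's own.

```apache
# mod_md depends on mod_ssl and uses mod_watchdog to schedule renewals
# inside httpd, so no cron job is needed. Module paths are placeholders.
LoadModule ssl_module       modules/mod_ssl.so
LoadModule watchdog_module  modules/mod_watchdog.so
LoadModule md_module        modules/mod_md.so

# Global ACME settings (Let's Encrypt v2 is mod_md's default CA;
# it is spelled out here for clarity).
MDCertificateAuthority https://acme-v02.api.letsencrypt.org/directory
MDCertificateAgreement accepted
MDContactEmail         hostmaster@example.com      # placeholder address

# Prefer tls-alpn-01; fall back to http-01 if the CA or setup cannot use it.
MDCAChallenges         tls-alpn-01 http-01

# Renew when 33% of the certificate lifetime remains (the default is 33%).
MDRenewWindow          33%

# Optional: run a script (placeholder path) on events such as "renewed",
# e.g. to copy the new certificate to other hosts or reload a service.
MDMessageCmd           /usr/local/sbin/md-notify-hook

# Domain handled with tls-alpn-01 (or http-01); both names share one cert.
MDomain example.com www.example.com

# Domain that can only be validated via DNS, e.g. an internal name.
# The hook (placeholder path) receives "setup"/"teardown" calls to publish
# the _acme-challenge TXT record; mod_md runs it, nothing external is timed.
MDChallengeDns01       /usr/local/sbin/md-dns01-hook
<MDomainSet intranet.example.com>
    MDCAChallenges dns-01
</MDomainSet>

<VirtualHost *:443>
    ServerName  example.com
    ServerAlias www.example.com
    # acme-tls/1 must be offered via ALPN, otherwise the tls-alpn-01
    # validation connection cannot be answered.
    Protocols h2 http/1.1 acme-tls/1
    SSLEngine on
    # No SSLCertificateFile/SSLCertificateKeyFile: mod_md supplies them.
    DocumentRoot /var/www/example
</VirtualHost>

<VirtualHost *:80>
    ServerName  example.com
    ServerAlias www.example.com
    # Only needed for the http-01 fallback: mod_md answers
    # /.well-known/acme-challenge/ requests itself, with no file on disk.
    DocumentRoot /var/www/example
</VirtualHost>

<VirtualHost *:443>
    ServerName intranet.example.com
    Protocols h2 http/1.1 acme-tls/1
    SSLEngine on
    DocumentRoot /var/www/intranet
</VirtualHost>
```

On first start mod_md serves a temporary self-signed certificate, obtains the real one in the background and installs it at the next graceful restart (or on its own, depending on MDRenewMode and MDMessageCmd handling). `apachectl configtest` validates the directives, and the status of each managed domain can be inspected with the `md-status` handler if it is enabled.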

@tlhackque Great, do you know which release of Apache started supporting the TLS-ALPN-01 challenge?

sebma avatar Jan 06 '25 17:01 sebma

@tlhackque Great, do you know which release of Apache started supporting the TLS-ALPN-01 challenge?

Any version with mod_md.

As noted in the 6th line of my comment: the first integrated version is 2.4.30 per the HTTPD docs. It was released in httpd 2.4.33 per https://icing.github.io/mod_md/, but the first recommended version would be httpd 2.4.41.

As also noted, for prior versions of httpd, mod_md can be built from https://github.com/icing/mod_md, although httpd may require patches (specifically, mod_ssl).

Although the formal status is 'experimental', it has been stable for several years and @icing continues to support it - as can be seen at https://github.com/icing/mod_md/releases.

(@icing: Perhaps it's time to upgrade the formal status to 'extension'...)

tlhackque avatar Jan 07 '25 18:01 tlhackque

The incorrect text in question has been deleted in PR #1966.

bdaehlie avatar Jul 31 '25 23:07 bdaehlie