mirror of
https://github.com/optim-enterprises-bv/vault.git
synced 2025-10-29 09:42:25 +00:00
* Add ACME TLS-ALPN-01 Challenge validator to PKI

This adds support for verifying the last missing challenge type, TLS-ALPN-01 challenges, using Go's TLS library. We wish to add this as many servers (such as Caddy) support transparently renewing certificates via this protocol, without influencing the contents of sites served.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Enable suggesting, validating tls-alpn-01 in PKI

Notably, while RFC 8737 is somewhat vague about what identifier types can be validated with this protocol, it does restrict SANs to be only DNSSans; from this, we can infer that it is not applicable for IP typed identifiers. Additionally, since this must resolve to a specific domain name, we cannot provision it for wildcard identifiers either.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix test expectations to allow ALPN challenges

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tls-alpn-01 as a supported challenge to docs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add test for tls-alpn-01 challenge verifier

This hacks the challenge engine to allow non-standard (non-443) ports, letting us use a local server listener with custom implementation.

In addition to the standard test cases, we run:

- A test with a longer chain (bad),
- A test without a DNSSan (bad),
- A test with a bad DNSSan (bad),
- A test with some other SANs (bad),
- A test without a CN (good),
- A test without any leaf (bad), and
- A test without the extension (bad).

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update builtin/logical/pki/acme_challenges.go

Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Kit Haines <khaines@mit.edu>
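The checks the commit message describes, as an added example written for this page; it is not code from the Vault repository or from the commit above. It shows the three pieces the message separates out: the identifier filter (DNS names only, so no IP or wildcard identifiers), the RFC 8737 checks on what the responder presents (acme-tls/1 negotiated, a single self-signed leaf, exactly one dNSName SAN equal to the identifier, a critical id-pe-acmeIdentifier extension carrying SHA-256 of the key authorization, and no subject CN required, matching the "without a CN (good)" case), and a loopback listener standing in for port 443 the way the commit's tests do. Function names, the identifier `www.example.test` and the key authorization string are assumptions for this example; the protocol constants (ALPN name `acme-tls/1`, OID 1.3.6.1.5.5.7.1.31) come from RFC 8737, not from the page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// From RFC 8737: the ALPN name a responder must select, and the id-pe-acmeIdentifier OID.
const ACMETLS1Protocol = "acme-tls/1"

var OIDPEACMEIdentifier = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31}

// SupportsTLSALPN: RFC 8737 allows only dNSName SANs (no IP identifiers) and one concrete name (no wildcards).
func SupportsTLSALPN(identifier string) bool {
	return identifier != "" && net.ParseIP(identifier) == nil && !strings.Contains(identifier, "*")
}

// ValidateALPNChain applies the RFC 8737 checks to what the responder presented: acme-tls/1 negotiated,
// exactly one certificate, a single dNSName SAN equal to the identifier, and a critical
// id-pe-acmeIdentifier whose OCTET STRING is SHA-256(key authorization). A subject CN is not required.
func ValidateALPNChain(chain []*x509.Certificate, negotiated, identifier, keyAuthz string) error {
	switch {
	case negotiated != ACMETLS1Protocol:
		return fmt.Errorf("negotiated %q, want %q", negotiated, ACMETLS1Protocol)
	case len(chain) != 1:
		return fmt.Errorf("got %d certificates, want exactly one self-signed leaf", len(chain))
	case len(chain[0].DNSNames) != 1 || len(chain[0].IPAddresses)+len(chain[0].EmailAddresses)+len(chain[0].URIs) != 0:
		return fmt.Errorf("leaf must carry exactly one SAN, and it must be a dNSName")
	case !strings.EqualFold(chain[0].DNSNames[0], identifier):
		return fmt.Errorf("leaf dNSName %q does not match identifier %q", chain[0].DNSNames[0], identifier)
	}
	want, seen := sha256.Sum256([]byte(keyAuthz)), false
	for _, ext := range chain[0].Extensions {
		if !ext.Id.Equal(OIDPEACMEIdentifier) {
			continue
		}
		if seen || !ext.Critical {
			return fmt.Errorf("id-pe-acmeIdentifier must appear once and be marked critical")
		}
		seen = true
		var got []byte // the value is a DER OCTET STRING holding the 32-byte digest
		if rest, err := asn1.Unmarshal(ext.Value, &got); err != nil || len(rest) != 0 || subtle.ConstantTimeCompare(got, want[:]) != 1 {
			return fmt.Errorf("id-pe-acmeIdentifier does not match SHA-256 of the key authorization")
		}
	}
	if !seen {
		return fmt.Errorf("leaf lacks the id-pe-acmeIdentifier extension")
	}
	return nil
}

// NewALPNCertificate builds the self-signed responder certificate; tweak (may be nil) lets tests break it.
func NewALPNCertificate(identifier, keyAuthz string, tweak func(*x509.Certificate)) (tls.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	digest := sha256.Sum256([]byte(keyAuthz))
	extValue, _ := asn1.Marshal(digest[:]) // []byte marshals as OCTET STRING
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(time.Hour),
		DNSNames:        []string{identifier}, // deliberately no subject CN
		ExtraExtensions: []pkix.Extension{{Id: OIDPEACMEIdentifier, Critical: true, Value: extValue}},
	}
	if tweak != nil {
		tweak(tmpl)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}, err
}

// Probe dials addr (identifier:443 in a real validation), offers only acme-tls/1 with the identifier
// as SNI, and swaps chain verification (the leaf is self-signed by design) for ValidateALPNChain.
func Probe(addr, identifier, keyAuthz string) error {
	if !SupportsTLSALPN(identifier) {
		return fmt.Errorf("tls-alpn-01 is not applicable to identifier %q", identifier)
	}
	c, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", addr, &tls.Config{
		ServerName:         identifier,
		NextProtos:         []string{ACMETLS1Protocol},
		MinVersion:         tls.VersionTLS12,
		InsecureSkipVerify: true, // not a trust decision: ValidateALPNChain does the checking
	})
	if err != nil {
		return err
	}
	defer c.Close()
	st := c.ConnectionState()
	return ValidateALPNChain(st.PeerCertificates, st.NegotiatedProtocol, identifier, keyAuthz)
}

// ServeOnce answers one connection on an ephemeral loopback port, like the non-443 listener the commit's tests use.
func ServeOnce(cert tls.Certificate) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}, NextProtos: []string{ACMETLS1Protocol}})
	if err != nil {
		return "", err
	}
	go func() {
		defer ln.Close()
		if conn, err := ln.Accept(); err == nil {
			_ = conn.(*tls.Conn).Handshake() // a responder never needs to send application data
			conn.Close()
		}
	}()
	return ln.Addr().String(), nil
}
```

Against a real responder the call is `Probe(identifier+":443", identifier, keyAuthz)`, where keyAuthz is the ACME key authorization (token plus account key thumbprint). `InsecureSkipVerify` is the only sane setting here because the responder's certificate is self-signed by specification; every trust decision is then made by `ValidateALPNChain`, and the `tweak` hook is what lets a test reproduce the bad cases listed in the commit message (longer chain, missing or non-critical extension, extra SANs, wrong name).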
4 lines
121 B
Plaintext
```release-note:improvement
secrets/pki: Support TLS-ALPN-01 challenge type in ACME for DNS certificate identifiers.
```