mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-16 11:37:04 +02:00
* Add ACME TLS-ALPN-01 Challenge validator to PKI

  This adds support for verifying the last missing challenge type, TLS-ALPN-01 challenges, using Go's TLS library. We wish to add this as many servers (such as Caddy) support transparently renewing certificates via this protocol, without influencing the contents of sites served.

  Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Enable suggesting, validating tls-alpn-01 in PKI

  Notably, while RFC 8737 is somewhat vague about what identifier types can be validated with this protocol, it does restrict SANs to be only DNSSans; from this, we can infer that it is not applicable for IP typed identifiers. Additionally, since this must resolve to a specific domain name, we cannot provision it for wildcard identifiers either.

  Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix test expectations to allow ALPN challenges

  Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tls-alpn-01 as a supported challenge to docs

  Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add test for tls-alpn-01 challenge verifier

  This hacks the challenge engine to allow non-standard (non-443) ports, letting us use a local server listener with custom implementation.

  In addition to the standard test cases, we run:

  - A test with a longer chain (bad),
  - A test without a DNSSan (bad),
  - A test with a bad DNSSan (bad),
  - A test with some other SANs (bad),
  - A test without a CN (good),
  - A test without any leaf (bad), and
  - A test without the extension (bad).

  Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

  Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update builtin/logical/pki/acme_challenges.go

  Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Kit Haines <khaines@mit.edu>
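The checks the commit describes (single self-signed certificate, exactly one dNSName SAN equal to the identifier, a critical id-pe-acmeIdentifier extension carrying the SHA-256 of the key authorization, and the `acme-tls/1` ALPN protocol negotiated with SNI set to the identifier) come straight from RFC 8737. The Go below is an added example written for this page to show those checks end to end; it is not Vault's `acme_challenges.go` or its tests. Function names (`ValidateALPNChallengeCert`, `NewChallengeCert`, `VerifyTLSALPN01`) and error texts are this example's own, and `VerifyTLSALPN01` takes a host:port instead of hard-coding 443 in the same spirit as the port override the commit's test uses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// From RFC 8737: the ALPN protocol name and the id-pe-acmeIdentifier OID.
const acmeTLSProto = "acme-tls/1"
var oidACMEIdentifier = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31}

// ValidateALPNChallengeCert applies the RFC 8737 checks to what the handshake
// returned: the negotiated ALPN protocol and the peer's certificate list.
func ValidateALPNChallengeCert(certs []*x509.Certificate, proto, domain, keyAuthz string) error {
	if proto != acmeTLSProto {
		return fmt.Errorf("server negotiated %q, want %q", proto, acmeTLSProto)
	}
	if len(certs) != 1 { // exactly one self-signed certificate, never a chain
		return fmt.Errorf("got %d certificates, want exactly 1", len(certs))
	}
	leaf := certs[0]
	// One dNSName SAN equal to the identifier: hence no IP or wildcard identifiers.
	if len(leaf.DNSNames) != 1 || !strings.EqualFold(leaf.DNSNames[0], domain) {
		return fmt.Errorf("dNSName SANs %v, want exactly [%s]", leaf.DNSNames, domain)
	}
	if len(leaf.IPAddresses)+len(leaf.EmailAddresses)+len(leaf.URIs) != 0 {
		return errors.New("certificate carries SAN entries other than the dNSName")
	}
	want := sha256.Sum256([]byte(keyAuthz))
	for _, ext := range leaf.Extensions {
		if !ext.Id.Equal(oidACMEIdentifier) {
			continue
		}
		if !ext.Critical {
			return errors.New("acmeIdentifier extension must be marked critical")
		}
		var got []byte // extnValue is an OCTET STRING holding the SHA-256 digest
		if rest, err := asn1.Unmarshal(ext.Value, &got); err != nil || len(rest) != 0 {
			return errors.New("acmeIdentifier extension is not a single OCTET STRING")
		}
		if subtle.ConstantTimeCompare(got, want[:]) != 1 {
			return errors.New("acmeIdentifier digest does not match the key authorization")
		}
		return nil
	}
	return errors.New("certificate lacks the acmeIdentifier extension")
}

// NewChallengeCert builds the server's answer: self-signed, no CN, one dNSName SAN.
func NewChallengeCert(domain, keyAuthz string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	digest := sha256.Sum256([]byte(keyAuthz))
	extVal, err := asn1.Marshal(digest[:]) // DER OCTET STRING of the digest
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(time.Hour),
		DNSNames:        []string{domain},
		ExtraExtensions: []pkix.Extension{{Id: oidACMEIdentifier, Critical: true, Value: extVal}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// VerifyTLSALPN01 runs the client side against addr (host:port; RFC 8737 uses 443).
func VerifyTLSALPN01(addr, domain, keyAuthz string) error {
	conn, err := tls.Dial("tcp", addr, &tls.Config{
		ServerName:         domain,                 // SNI carries the identifier
		NextProtos:         []string{acmeTLSProto}, // offer only acme-tls/1
		InsecureSkipVerify: true,                   // self-signed by design; checked above instead
	})
	if err != nil {
		return err
	}
	defer conn.Close()
	st := conn.ConnectionState()
	return ValidateALPNChallengeCert(st.PeerCertificates, st.NegotiatedProtocol, domain, keyAuthz)
}
```

To reproduce the commit's local-listener test, serve the result of `NewChallengeCert` with `tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: ..., NextProtos: []string{acmeTLSProto}})`, complete the handshake on each accepted `*tls.Conn`, and call `VerifyTLSALPN01(ln.Addr().String(), domain, keyAuthz)`; a wrong key authorization, a two-element chain, a missing or non-critical extension, or a mismatched SAN each produce a distinct error from `ValidateALPNChallengeCert`. `InsecureSkipVerify` is deliberate here: the challenge certificate is self-signed, so chain validation would always fail, and the RFC's own checks are what establish control of the name.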
- auth
- secret
- system
- index.mdx
- libraries.mdx
- relatedtools.mdx