vault/website/content/api-docs
Alexander Scheel f079b7b0a4
Add TLS-ALPN-01 Challenge Type to ACME (#20943)
* Add ACME TLS-ALPN-01 Challenge validator to PKI

This adds support for verifying the last missing challenge type,
TLS-ALPN-01 challenges, using Go's TLS library. We wish to add this as
many servers (such as Caddy) support transparently renewing certificates
via this protocol, without influencing the contents of sites served.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Enable suggesting, validating tls-alpn-01 in PKI

Notably, while RFC 8737 is somewhat vague about what identifier types
can be validated with this protocol, it does restrict SANs to be only
DNSSans; from this, we can infer that it is not applicable for IP
typed identifiers. Additionally, since this must resolve to a specific
domain name, we cannot provision it for wildcard identifiers either.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix test expectations to allow ALPN challenges

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tls-alpn-01 as a supported challenge to docs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add test for tls-alpn-01 challenge verifier

This hacks the challenge engine to allow non-standard (non-443) ports,
letting us use a local server listener with custom implementation.

In addition to the standard test cases, we run:

 - A test with a longer chain (bad),
 - A test without a DNSSan (bad),
 - A test with a bad DNSSan (bad),
 - A test with some other SANs (bad),
 - A test without a CN (good),
 - A test without any leaf (bad), and
 - A test without the extension (bad).

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update builtin/logical/pki/acme_challenges.go

Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Kit Haines <khaines@mit.edu>
2023-06-07 16:34:00 +00:00
..
auth Correct Default for MaximumPageSize (#20453) 2023-05-17 20:56:53 +00:00
secret Add TLS-ALPN-01 Challenge Type to ACME (#20943) 2023-06-07 16:34:00 +00:00
system Docs: audit - add warning when disabling device regarding HMAC (#20715) 2023-05-23 14:55:55 +01:00
index.mdx VAULT-15546 First pass at Vault Proxy docs (#20578) 2023-05-19 13:11:39 -04:00
libraries.mdx VAULT-15791: Update docs to use vault-java-driver fork (#20316) 2023-04-25 11:08:05 +02:00
relatedtools.mdx website: content updates for developer (#17035) 2022-09-22 08:11:04 -07:00