mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-18 04:27:02 +02:00
* Add ACME TLS-ALPN-01 Challenge validator to PKI

  This adds support for verifying the last missing challenge type, TLS-ALPN-01 challenges, using Go's TLS library. We wish to add this as many servers (such as Caddy) support transparently renewing certificates via this protocol, without influencing the contents of sites served.

  Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Enable suggesting, validating tls-alpn-01 in PKI

  Notably, while RFC 8737 is somewhat vague about what identifier types can be validated with this protocol, it does restrict SANs to be only DNSSans; from this, we can infer that it is not applicable for IP typed identifiers. Additionally, since this must resolve to a specific domain name, we cannot provision it for wildcard identifiers either.

  Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix test expectations to allow ALPN challenges

  Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tls-alpn-01 as a supported challenge to docs

  Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add test for tls-alpn-01 challenge verifier

  This hacks the challenge engine to allow non-standard (non-443) ports, letting us use a local server listener with custom implementation. In addition to the standard test cases, we run:

  - A test with a longer chain (bad),
  - A test without a DNSSan (bad),
  - A test with a bad DNSSan (bad),
  - A test with some other SANs (bad),
  - A test without a CN (good),
  - A test without any leaf (bad), and
  - A test without the extension (bad).

  Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

  Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update builtin/logical/pki/acme_challenges.go

  Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Kit Haines <khaines@mit.edu>
Directory listing:

- ..
- databases
- identity
- key-management
- kv
- ad.mdx
- alicloud.mdx
- aws.mdx
- azure.mdx
- cassandra.mdx
- consul.mdx
- cubbyhole.mdx
- gcp.mdx
- gcpkms.mdx
- index.mdx
- kmip.mdx
- kubernetes.mdx
- ldap.mdx
- mongodbatlas.mdx
- nomad.mdx
- pki.mdx
- rabbitmq.mdx
- ssh.mdx
- terraform.mdx
- totp.mdx
- transform.mdx
- transit.mdx