IETF Logo Mail Archive

Re: [Acme] TLS-ALPN implementation

Felipe Gasper <felipe@felipegasper.com> Mon, 18 June 2018 11:04 UTC

Return-Path: <felipe@felipegasper.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BB645130DDF for <acme@ietfa.amsl.com>; Mon, 18 Jun 2018 04:04:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.979
X-Spam-Level:
X-Spam-Status: No, score=-0.979 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, MIME_QP_LONG_LINE=0.001, MISSING_HEADERS=1.021, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=felipegasper.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6SWCSBnYfy_x for <acme@ietfa.amsl.com>; Mon, 18 Jun 2018 04:04:18 -0700 (PDT)
Received: from web1.siteocity.com (web1.siteocity.com [67.227.147.204]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C0A18130E8F for <acme@ietf.org>; Mon, 18 Jun 2018 04:04:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=felipegasper.com; s=default; h=In-Reply-To:Cc:References:Message-Id:Date: Subject:Mime-Version:Content-Transfer-Encoding:Content-Type:From:Sender: Reply-To:To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help: List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=AgWe6uELdr1HYd6SW14AWW6kjeRYsowj5xAEUDUiahI=; b=UU72NRNfgYay+ZDjEukwmLGoWt y/pXOfbVEhEmNilyEn5kHzKkKCeiJyKSPHUsJEhvLz2jNi2jqn5ICVmCoFglZzkSZ6JF9ehrv656Z lGEkVFg/8C3deUJjxWjTyaYvDzj34bGlJ1wgNbv0dcyg8txClhiuH6xTKhYx31p0dvTIFbffNMXnj C4RZw7+kHoUqlVnuzQAMiTuhlDLoTVrjHJ0siAee0av2xq1HwB9G9yJ1N9R6qAUUufIxRjIVPLjGC lxr6nvSZjkYpKf1c9Ksvba7IXuN4JJ2L0b/fiB6J3cin6ki8giUYTo66lGXWP5oGoWB6lqhq65EFB +9I5V5Ug==;
Received: from cpe9050cab50823-cm9050cab50820.cpe.net.cable.rogers.com ([99.248.56.67]:64211 helo=[192.168.0.15]) by web1.siteocity.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.91) (envelope-from <felipe@felipegasper.com>) id 1fUrxD-00BoMo-10 for acme@ietf.org; Mon, 18 Jun 2018 06:04:16 -0500
From: Felipe Gasper <felipe@felipegasper.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (1.0)
Date: Mon, 18 Jun 2018 07:04:11 -0400
Message-Id: <5304F75A-2205-41AB-99D7-AB0F4FB5520F@felipegasper.com>
References: <4A0E1AB3-C311-44CF-9201-65A8E5F8E48F@letsencrypt.org> <FDC597BE-92AB-4021-8C6D-6B61CA876029@felipegasper.com>
Cc: acme@ietf.org
In-Reply-To: <FDC597BE-92AB-4021-8C6D-6B61CA876029@felipegasper.com>
X-Mailer: iPhone Mail (15F79)
X-OutGoing-Spam-Status: No, score=1.0
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - web1.siteocity.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - felipegasper.com
X-Get-Message-Sender-Via: web1.siteocity.com: authenticated_id: fgasper/from_h
X-Authenticated-Sender: web1.siteocity.com: felipe@felipegasper.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-From-Rewrite: unmodified, already matched
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/Fh3d9sFRG7w5t7DFQACnW9edE_o>
Subject: Re: [Acme] TLS-ALPN implementation
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Jun 2018 11:04:21 -0000

Update: I got it working. Seems to have been a server implementation bug on my end.

Sorry for the noise!

-F

> On Jun 17, 2018, at 8:01 PM, Felipe Gasper <felipe@felipegasper.com> wrote:
> 
> I’ve been playing with this. As far as I can tell I have it set up correctly, but it’s not working.
> 
> In response to this challenge:
> 
> https://acme-staging-v02.api.letsencrypt.org/acme/challenge/leSSBO7cbljpzjZqGhzqSRm8lphqe1RX_jI3Mx8eEeU/136484133
> 
> … I set up this certificate:
> 
> -----BEGIN CERTIFICATE-----
> MIIDBDCCAe6gAwIBAgIBADALBgkqhkiG9w0BAQswGzEZMBcGA1UEAwwQY29icmFzc2x0ZXN0Lm9y
> ZzAiGA8yMDE4MDYxNTIzNTg0MFoYDzIwMTgwNjE5MjM1ODQwWjAbMRkwFwYDVQQDDBBjb2JyYXNz
> bHRlc3Qub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyZ7S6Ihzojn36nARYbGY
> 7ZKQCZHUje/yjeOaSFNzgFtIBSjdlEyYZz5DkAv92ciqH7OJ4InuJFoFT0OwbVHxf0na/fA52XwJ
> RjNXWY7p1Qw0ZKqAIyypjcMS4ucnLvPYjGM+xNWtDnLP9Odr/8jNdQDIAehJ4TS11RlX2cv28hwi
> BqUcj1whdPFsdUKbyUCzdpKP7BS3UdL8Z7fkc+WxiTQMCaA8/IO/i+1s5ptJSFEZPVU/ZVVEVZrC
> EFArImmpWowoCiTxtQdWtS0bHY5RlB5IrGal4ZUgKtKe94AewvpPdy4CH8jrbQeBLcssHoaTdLgT
> VsxTAFSRnHcuZ8wfYwIDAQABo1MwUTAbBgNVHREEFDASghBjb2JyYXNzbHRlc3Qub3JnMDIGCSsG
> AQUFBwEeAQEB/wQiBCD/wpQDz3i0tjgUXgWWWyb0tP+DGo99DuOt0y1qokwGDjALBgkqhkiG9w0B
> AQsDggEBACOzSSZJRUu39glasoTdpEQWwgbxqVoQ5/3Ly8P06C4xavEdgQUrsHOubr6Y4HEFpLpS
> U/0tsVmnL3c3AVL6NXY7ffTVRpLYwGA+5oq5tIT/Yp6gqvO0D5JC+y/wfc7OpKU+x7N2NHlBJtPp
> mTUYm6KIwYz6qcHheV4vjZPZzZ1M4FFGCKgFItD+9mIoUyH13oKfkJzAPsALJqZFJ279r+4eT3N2
> yGX3TZPLFUkaN4rNwSY4GwBVbIUiZ1Tgn5Z/TJTMQYlbr3pMwOe8V2YPO4sXCu2CcT53PrB0T4tH
> c0/v1a+kaYYCz3aAgrA9/5VAmnK89h+U/qfvEHSGBzK3w8U=
> -----END CERTIFICATE-----
> 
> … which has this key:
> 
> -----BEGIN RSA PRIVATE KEY-----
> MIIEpQIBAAKCAQEAyZ7S6Ihzojn36nARYbGY7ZKQCZHUje/yjeOaSFNzgFtIBSjd
> lEyYZz5DkAv92ciqH7OJ4InuJFoFT0OwbVHxf0na/fA52XwJRjNXWY7p1Qw0ZKqA
> IyypjcMS4ucnLvPYjGM+xNWtDnLP9Odr/8jNdQDIAehJ4TS11RlX2cv28hwiBqUc
> j1whdPFsdUKbyUCzdpKP7BS3UdL8Z7fkc+WxiTQMCaA8/IO/i+1s5ptJSFEZPVU/
> ZVVEVZrCEFArImmpWowoCiTxtQdWtS0bHY5RlB5IrGal4ZUgKtKe94AewvpPdy4C
> H8jrbQeBLcssHoaTdLgTVsxTAFSRnHcuZ8wfYwIDAQABAoIBAQCTwuBTJt2IAO/e
> Uq+KZ3vqcMU7HjMmqrmanzmM1AwL/9nyXha1/sSatZkSUpeCKnvzq8LaWnu7DHZj
> tvnvxGQ2o0vpW0sqRqsNVccojYJ1bvJe7E3oeWzxxgtrW3juAiusB3gTDX483ovl
> sk0GMoXQv/fU3gZ3FAhG2sH1jnO2zvWhvv/z3qyVxcnTFVvmr+RV9xH6ykXQ8qGR
> K+PyqH8IWDwBq3RGofiFS8a0TYapiQp7cFaC0wyZVY+1e1CPwm1A7Koqv3xZBxdH
> /puRtbPnxkFrpdYEr65tAoxHKwAt7ju+DQp7RhPlrS014cDgq2qJ8l73ivhAbX5M
> sS9xzhJBAoGBAPM2KfCfNrNG7ttkYsg21OQ99gxWcTTava58o2Ei1AZyvydzmFam
> uekwJzcLhTRVZg7t5utKRxtbN8DmVJli7132lrxUkn3kzPJGYacSyoSn+XH4lRb0
> E0SAgYUd1WiDazNfcNrYLVzriOVnyiKvWP+yYlUSJAfePCADug5eSsrxAoGBANQ4
> zqbX4XW0DAN5n7ZBtyCqEag2ihqGDCfEZdp9w5iZSm6nqlZRZ+XRxKzijsTt42Ap
> 1CnwbaURswYNJw/ZnxZhuHNKqiz8T2mFwcl4OcQhduHioXDaZT2dy/jTu6ov1VQ0
> mhx1SGRIakkp1yvElZzFLSJoop+bNISwDhDaHQeTAoGBAIfUEx4wPQNotRNQAB8j
> CEikFhsT18uV8mNVdoVURyeGxB0LYOPb325NF0mVpIHyw7nIwbNcW1P64KtZt5um
> dlp60fpCHUI0GwWfqv/87Z+ilBxDoTgdffk+75bhb4McCi25urRuEP+ZB25fRbOT
> TFgZTvOF2xuN0PRsQGev34NxAoGBAK84D/dVOsOR2nFsE9/JNkfz4ww9q5zmnFah
> I29YcwwlVH00VcFbCSuJHJeZn0MdHqShJJlT91NY37TZWy0NAvrZyA740LS/xVlc
> pHmRmDBFaQBru9uPlhNfm69gMgv73mjd3XgtpY2W9Jpfv1ZVwyli6zcDqXGaFayQ
> J6zmSR2dAoGAT+LDNH98ToNrBhKYinM1FJ36jQ0/IJGbTUE67iw9KFYkAsk2/ZMm
> IYbKnkfhoPB/bZlMUYCEA/oJZlaOPgtDEGiSd4bv+x3nkyv+hO2y2YZn2W/8kPSk
> wsTjrSCVrzxb7j7r1R9v56aNdZcp2srHK6W+rBME8OuH/lq509v0A48=
> -----END RSA PRIVATE KEY-----
> 
> It’s telling me “urn:ietf:params:acme:error:connection” (Connection reset by peer) as the challenge’s failure.
> 
> My server-side debugging says that the handshake succeeds … is there something amiss in the certificate?
> 
> 
> -Felipe
> 
> 
>> On Jun 15, 2018, at 2:39 PM, Roland Bracewell Shoemaker <roland@letsencrypt.org> wrote:
>> 
>> Let’s Encrypt has deployed an implementation[0] of the draft-ietf-acme-tls-alpn-01 validation method on our staging environment[1]. If anyone has a chance to test it out and runs into implementation/specification issues we’d love to hear about them!
>> 
>> [0] https://github.com/letsencrypt/boulder/blob/2dadd5e09a8228342aa86e8fa4c8d887a82aa4ac/va/va.go#L701-L768
>> [1] https://acme-staging.api.letsencrypt.org/
>> _______________________________________________
>> Acme mailing list
>> Acme@ietf.org
>> https://www.ietf.org/mailman/listinfo/acme
> 
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme

v2.23.0 | Report a Bug | By Email