Re: [Acme] TLS-ALPN implementation

Felipe Gasper <felipe@felipegasper.com> Mon, 18 June 2018 00:02 UTC


I’ve been playing with this. As far as I can tell I have it set up correctly, but it’s not working.

In response to this challenge:

https://acme-staging-v02.api.letsencrypt.org/acme/challenge/leSSBO7cbljpzjZqGhzqSRm8lphqe1RX_jI3Mx8eEeU/136484133

… I set up this certificate:


… which has this key:


It’s telling me “urn:ietf:params:acme:error:connection” (Connection reset by peer) as the challenge’s failure.

My server-side debugging says that the handshake succeeds … is there something amiss in the certificate?


-Felipe


> On Jun 15, 2018, at 2:39 PM, Roland Bracewell Shoemaker <roland@letsencrypt.org> wrote:
> 
> Let’s Encrypt has deployed an implementation[0] of the draft-ietf-acme-tls-alpn-01 validation method on our staging environment[1]. If anyone has a chance to test it out and runs into implementation/specification issues we’d love to hear about them!
> 
> [0] https://github.com/letsencrypt/boulder/blob/2dadd5e09a8228342aa86e8fa4c8d887a82aa4ac/va/va.go#L701-L768
> [1] https://acme-staging.api.letsencrypt.org/
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
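For readers following the thread, an added example (not code from this thread or from Boulder): in Go, how a responder builds the certificate that draft-ietf-acme-tls-alpn-01 expects, and the checks a validation server applies to that certificate once "acme-tls/1" has been negotiated. The OID is the draft's id-pe 30 1 value (RFC 8737 later assigned a different one); `example.test` and the key authorization string in the test are constructed.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)
var acmeIdentifierOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 30, 1} // id-pe 30 1 per draft-01; RFC 8737 later moved it

// challengeCert returns the DER of the responder's self-signed cert: one dNSName SAN plus a critical acmeIdentifier extension.
func challengeCert(domain, keyAuthz string) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(keyAuthz))
	extVal, _ := asn1.Marshal(digest[:]) // extension value is a DER OCTET STRING of the 32-byte digest
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		DNSNames:        []string{domain},
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(24 * time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: acmeIdentifierOID, Critical: true, Value: extVal}},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}

// validateChallengeCert applies the certificate checks a validation server makes after negotiating "acme-tls/1" (the ALPN check itself is on the TLS connection).
func validateChallengeCert(cert *x509.Certificate, domain, keyAuthz string) error {
	if len(cert.DNSNames) != 1 || cert.DNSNames[0] != domain {
		return errors.New("need exactly one dNSName SAN equal to the identifier")
	}
	want := sha256.Sum256([]byte(keyAuthz))
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(acmeIdentifierOID) {
			var got []byte
			rest, err := asn1.Unmarshal(ext.Value, &got)
			if !ext.Critical || err != nil || len(rest) != 0 || string(got) != string(want[:]) {
				return errors.New("acmeIdentifier extension is non-critical or carries the wrong digest")
			}
			return nil
		}
	}
	return errors.New("acmeIdentifier extension missing")
}
```

A certificate that passes these checks is still rejected by a plain `x509.Certificate.Verify`, because the critical acmeIdentifier extension is unknown to it; a validation server has to inspect the extension itself, as above, rather than chain-validate.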