jetty / jetty.project

Eclipse Jetty® - Web Container & Clients - supports HTTP/2, HTTP/1.1, HTTP/1.0, websocket, servlets, and more
https://eclipse.dev/jetty

Support RFC 8737 #9085

Open sbordet opened 1 year ago

sbordet commented 1 year ago

Jetty version(s)
10+

Enhancement Description
RFC 8737 describes a method to validate domain names via the tls-alpn-01 challenge.

Upon the request for a new certificate, or the renewal of expired ones, for an origin server, an ACME client performs a challenge by connecting to the origin server with alpn=acme-tls/1. The server should reply with a specific certificate as defined in the RFC (this requires wrapping the KeyManager to identify the right alias for the specific ALPN protocol). Once the client has the right certificate, it can contact the CA and download the CA-signed new, or renewed, certificate. The downloaded certificate can be stored in a KeyStore, and the existing KeyStoreScanner functionality can reload the KeyStore on-the-fly without having to restart the origin server.
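The "specific certificate as defined in the RFC" is the part of this proposal that carries the security guarantee, so it is worth seeing exactly what it must contain and what the CA checks. The following is an added example, not Jetty code and not part of this issue: it derives the RFC 8555 key authorization from the challenge token and the account key's RFC 7638 thumbprint, builds the DER of the critical id-pe-acmeIdentifier extension (OID 1.3.6.1.5.5.7.1.31) that RFC 8737 section 3 requires, parses it back, and runs the CA-side checks (ALPN acme-tls/1, a single dNSName SAN equal to the identifier, critical extension, matching SHA-256 digest). The sample account JWK and the tls-alpn-01 token are copied from the acme4j log later in this thread; the `presented` dict is a constructed stand-in for the fields a verifier would read out of the real X.509 certificate. Standard library only.

```python
# Added example (not Jetty code): tls-alpn-01 challenge material per RFC 8737.
import base64
import hashlib
import hmac
import json

ACME_TLS_ALPN = "acme-tls/1"
# id-pe-acmeIdentifier = 1.3.6.1.5.5.7.1.31, as DER OID contents.
ACME_IDENTIFIER_OID_DER = bytes.fromhex("2b0601050507011f")

# Sample inputs copied from the acme4j log in this thread: the account JWK
# and the token of the tls-alpn-01 challenge issued for identifier "localhost".
ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "i8qgX1Dy4Dx3lfxM9NyesHxPAKSCo-U6_LyNF5UoC3urWkf60c59nE59r5PqNltI0CHrtq3zPJtAZQDA7QYoB10muxl4tKqvJpeO5Q6bDiYAS_4eWgFZIqU_Ani9GsEq_81_VeBbQAfvHR5BMu9F6bpstEpMiVRCA3-tUpTc09Y9Zl9SNN2iVFE7WYNVnT-5jXgrSRxEE_rzLDKeQZqH879vXz7y9Mi10BNqHY4547xnYD61GSRdYp1SzUGSTEWhK8MmGmv-nXt9WudY_6L873l_egBB_xRkSEurnsq0DqyjpKxxnEsSoUgUypPLiGe7wTkZkXMZ1IJcxOVd8yZJGw",
}
TOKEN = "eB4QYO5eG_w5SYQWVpDCoXVbd_qLdvYOPOHry8Jeh84"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, keys sorted, no whitespace."""
    members = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint(account key)."""
    return token + "." + jwk_thumbprint(account_jwk)


def acme_identifier_extension(key_auth: str) -> bytes:
    """DER Extension { id-pe-acmeIdentifier, critical TRUE, OCTET STRING(Authorization) }.
    Authorization ::= OCTET STRING (SIZE (32)) holding SHA-256(key authorization)."""
    digest = hashlib.sha256(key_auth.encode("utf-8")).digest()
    authorization = b"\x04\x20" + digest
    ext_value = b"\x04" + bytes([len(authorization)]) + authorization
    oid = b"\x06" + bytes([len(ACME_IDENTIFIER_OID_DER)]) + ACME_IDENTIFIER_OID_DER
    body = oid + b"\x01\x01\xff" + ext_value  # BOOLEAN TRUE = critical
    return b"\x30" + bytes([len(body)]) + body


def parse_acme_identifier_extension(der: bytes):
    """Minimal DER walk of the Extension above; returns (critical, digest) or raises ValueError."""
    def tlv(buf, pos, tag):
        if pos + 1 >= len(buf) or buf[pos] != tag:
            raise ValueError(f"expected tag {tag:#x} at offset {pos}")
        length = buf[pos + 1]
        if length >= 0x80:
            raise ValueError("long-form length not expected in this extension")
        end = pos + 2 + length
        if end > len(buf):
            raise ValueError("truncated element")
        return buf[pos + 2:end], end

    body, end = tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after Extension")
    oid, pos = tlv(body, 0, 0x06)
    if oid != ACME_IDENTIFIER_OID_DER:
        raise ValueError("not id-pe-acmeIdentifier")
    critical = False  # DEFAULT FALSE when the BOOLEAN is absent
    if pos < len(body) and body[pos] == 0x01:
        flag, pos = tlv(body, pos, 0x01)
        critical = flag == b"\xff"
    value, pos = tlv(body, pos, 0x04)
    if pos != len(body):
        raise ValueError("trailing bytes inside Extension")
    digest, inner_end = tlv(value, 0, 0x04)
    if inner_end != len(value) or len(digest) != 32:
        raise ValueError("Authorization must be a 32-byte OCTET STRING")
    return critical, digest


def challenge_certificate_contents(identifier: str, token: str, account_jwk: dict) -> dict:
    """What the origin server must serve when ALPN acme-tls/1 is negotiated (constructed
    stand-in for the real self-signed certificate's fields)."""
    return {
        "alpn": ACME_TLS_ALPN,
        "dns_sans": [identifier],
        "acme_identifier_ext": acme_identifier_extension(key_authorization(token, account_jwk)),
    }


def validate_challenge_certificate(presented: dict, identifier: str, token: str, account_jwk: dict):
    """The CA-side checks of RFC 8737 section 3; returns (ok, reason)."""
    if presented.get("alpn") != ACME_TLS_ALPN:
        return False, "server did not negotiate acme-tls/1"
    sans = [s.lower() for s in (presented.get("dns_sans") or [])]
    if sans != [identifier.lower()]:
        return False, "subjectAltName must contain exactly one dNSName equal to the identifier"
    try:
        critical, digest = parse_acme_identifier_extension(presented.get("acme_identifier_ext", b""))
    except ValueError as e:
        return False, f"acmeIdentifier extension invalid: {e}"
    if not critical:
        return False, "acmeIdentifier extension must be marked critical"
    expected = hashlib.sha256(key_authorization(token, account_jwk).encode("utf-8")).digest()
    if not hmac.compare_digest(digest, expected):
        return False, "digest does not match the key authorization"
    return True, "ok"


if __name__ == "__main__":
    cert = challenge_certificate_contents("localhost", TOKEN, ACCOUNT_JWK)
    print(validate_challenge_certificate(cert, "localhost", TOKEN, ACCOUNT_JWK))
```

The digest binds the certificate to both the challenge token and the ACME account key, which is why a server that merely presents any certificate for "localhost" on acme-tls/1 proves nothing. In Java the same fields come from X509Certificate.getSubjectAlternativeNames() and getExtensionValue("1.3.6.1.5.5.7.1.31"), the latter returning the outer OCTET STRING layer built as ext_value above; a KeyManager wrapper of the kind this issue describes would pick the alias whose certificate carries that extension whenever the negotiated ALPN protocol is acme-tls/1.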

sbordet commented 1 year ago

The ConnectionFactory that drives the TLS handshake to the end for the ACME client challenge.

import java.io.IOException;
import javax.net.ssl.SSLException;

import org.eclipse.jetty.io.AbstractConnection;
import org.eclipse.jetty.io.Connection;
import org.eclipse.jetty.io.EndPoint;
import org.eclipse.jetty.io.ssl.SslConnection;
import org.eclipse.jetty.io.ssl.SslHandshakeListener;
import org.eclipse.jetty.server.AbstractConnectionFactory;
import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.util.BufferUtil;

public class ACMETLS1ServerConnectionFactory extends AbstractConnectionFactory
{
    public ACMETLS1ServerConnectionFactory()
    {
        // The ALPN protocol name defined by RFC 8737.
        super("acme-tls/1");
    }

    @Override
    public Connection newConnection(Connector connector, EndPoint endPoint)
    {
        // Walk the EndPoint wrapper chain down to the TLS DecryptedEndPoint,
        // so that a handshake listener can be registered on its SslConnection.
        EndPoint current = endPoint;
        SslConnection.DecryptedEndPoint sslEndPoint = null;
        while (true)
        {
            if (current instanceof SslConnection.DecryptedEndPoint)
            {
                sslEndPoint = (SslConnection.DecryptedEndPoint)current;
                break;
            }
            else if (current instanceof EndPoint.Wrapper)
            {
                // Unwrap the current EndPoint, not the original one,
                // otherwise a nested wrapper would loop forever.
                current = ((EndPoint.Wrapper)current).unwrap();
            }
            else
            {
                throw new IllegalArgumentException("Invalid ConnectionFactory configuration");
            }
        }
        ACMETLS1ServerConnection connection = new ACMETLS1ServerConnection(connector, endPoint);
        sslEndPoint.getSslConnection().addHandshakeListener(connection);
        return configure(connection, connector, endPoint);
    }

    private static class ACMETLS1ServerConnection extends AbstractConnection implements SslHandshakeListener
    {
        private boolean handshakeComplete;

        public ACMETLS1ServerConnection(Connector connector, EndPoint endPoint)
        {
            super(endPoint, connector.getExecutor());
        }

        @Override
        public void onOpen()
        {
            super.onOpen();
            fillInterested();
        }

        @Override
        public void onFillable()
        {
            try
            {
                // Advance the TLS handshake until it's completed.
                // No application data is expected on this connection.
                int filled = getEndPoint().fill(BufferUtil.EMPTY_BUFFER);
                if (filled < 0)
                    close();
                else if (!handshakeComplete)
                    fillInterested();
            }
            catch (IOException x)
            {
                getEndPoint().close(x);
            }
        }

        @Override
        public void handshakeSucceeded(Event event) throws SSLException
        {
            handshakeComplete = true;
            // After the handshake has succeeded, the client has the
            // ACME certificate and the connection can be closed.
            close();
        }

        @Override
        public void handshakeFailed(Event event, Throwable failure)
        {
            handshakeComplete = true;
            getEndPoint().close(failure);
        }
    }
}
Maurice-Betzel commented 1 year ago

You've just given me the second best Christmas present today, Simone:

2022-12-24T12:23:22,160 | DEBUG | pipe-acme:request | ActionRequest                    | 231 - eu.abeel.platform.security.acme.command - 1.0.0 | Triggering request certificate
2022-12-24T12:23:22,187 | DEBUG | AcmeQuartzScheduler_Worker-1 | ACMERequestJob                   | 230 - eu.abeel.platform.security.acme.api - 1.0.0 | Triggering request account on ACME server acme://pebble
2022-12-24T12:23:22,193 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | GET https://localhost:14000/dir
2022-12-24T12:23:22,337 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER null: HTTP/1.1 200 OK
2022-12-24T12:23:22,338 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Cache-Control: public, max-age=0, no-cache
2022-12-24T12:23:22,338 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Content-Length: 406
2022-12-24T12:23:22,339 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Date: Sat, 24 Dec 2022 11:23:22 GMT
2022-12-24T12:23:22,339 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Content-Type: application/json; charset=utf-8
2022-12-24T12:23:22,350 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | Result JSON: {"keyChange":"https://localhost:14000/rollover-account-key","meta":{"externalAccountRequired":false,"termsOfService":"data:text/plain,Do%20what%20thou%20wilt"},"newAccount":"https://localhost:14000/sign-me-up","newNonce":"https://localhost:14000/nonce-plz","newOrder":"https://localhost:14000/order-plz","revokeCert":"https://localhost:14000/revoke-cert"}
2022-12-24T12:23:22,360 | DEBUG | AcmeQuartzScheduler_Worker-1 | ACMESchedulerService             | 233 - eu.abeel.platform.security.acme.service - 1.0.0 | Unable to open URL containing terms of ACME service!
2022-12-24T12:23:22,639 | DEBUG | AcmeQuartzScheduler_Worker-1 | AccountBuilder                   | 227 - acme4j-client - 2.15.0 | create
2022-12-24T12:23:22,640 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | GET https://localhost:14000/dir
2022-12-24T12:23:22,645 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER null: HTTP/1.1 200 OK
2022-12-24T12:23:22,645 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Cache-Control: public, max-age=0, no-cache
2022-12-24T12:23:22,645 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Content-Length: 406
2022-12-24T12:23:22,646 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Date: Sat, 24 Dec 2022 11:23:22 GMT
2022-12-24T12:23:22,646 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Content-Type: application/json; charset=utf-8
2022-12-24T12:23:22,647 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | Result JSON: {"keyChange":"https://localhost:14000/rollover-account-key","meta":{"externalAccountRequired":false,"termsOfService":"data:text/plain,Do%20what%20thou%20wilt"},"newAccount":"https://localhost:14000/sign-me-up","newNonce":"https://localhost:14000/nonce-plz","newOrder":"https://localhost:14000/order-plz","revokeCert":"https://localhost:14000/revoke-cert"}
2022-12-24T12:23:22,648 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | GET https://localhost:14000/dir
2022-12-24T12:23:22,649 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER null: HTTP/1.1 200 OK
2022-12-24T12:23:22,649 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Cache-Control: public, max-age=0, no-cache
2022-12-24T12:23:22,650 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Content-Length: 406
2022-12-24T12:23:22,650 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Date: Sat, 24 Dec 2022 11:23:22 GMT
2022-12-24T12:23:22,651 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Content-Type: application/json; charset=utf-8
2022-12-24T12:23:22,652 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | Result JSON: {"keyChange":"https://localhost:14000/rollover-account-key","meta":{"externalAccountRequired":false,"termsOfService":"data:text/plain,Do%20what%20thou%20wilt"},"newAccount":"https://localhost:14000/sign-me-up","newNonce":"https://localhost:14000/nonce-plz","newOrder":"https://localhost:14000/order-plz","revokeCert":"https://localhost:14000/revoke-cert"}
2022-12-24T12:23:22,652 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEAD https://localhost:14000/nonce-plz
2022-12-24T12:23:22,655 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER null: HTTP/1.1 200 OK
2022-12-24T12:23:22,655 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Cache-Control: public, max-age=0, no-cache
2022-12-24T12:23:22,656 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Replay-Nonce: cJNyS8eeGwjkPjm_GwCKeA
2022-12-24T12:23:22,656 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Date: Sat, 24 Dec 2022 11:23:22 GMT
2022-12-24T12:23:22,657 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Link: <https://localhost:14000/dir>;rel="index"
2022-12-24T12:23:22,657 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | Replay Nonce: cJNyS8eeGwjkPjm_GwCKeA
2022-12-24T12:23:22,740 | DEBUG | AcmeQuartzScheduler_Worker-1 | JoseUtils                        | 227 - acme4j-client - 2.15.0 | POST https://localhost:14000/sign-me-up
2022-12-24T12:23:22,741 | DEBUG | AcmeQuartzScheduler_Worker-1 | JoseUtils                        | 227 - acme4j-client - 2.15.0 |   Payload: {"contact":["mailto:m.betzel@gaston-schul.com"],"termsOfServiceAgreed":true}
2022-12-24T12:23:22,741 | DEBUG | AcmeQuartzScheduler_Worker-1 | JoseUtils                        | 227 - acme4j-client - 2.15.0 |   JWS Header: {"url":"https://localhost:14000/sign-me-up","jwk":{"kty":"RSA","n":"i8qgX1Dy4Dx3lfxM9NyesHxPAKSCo-U6_LyNF5UoC3urWkf60c59nE59r5PqNltI0CHrtq3zPJtAZQDA7QYoB10muxl4tKqvJpeO5Q6bDiYAS_4eWgFZIqU_Ani9GsEq_81_VeBbQAfvHR5BMu9F6bpstEpMiVRCA3-tUpTc09Y9Zl9SNN2iVFE7WYNVnT-5jXgrSRxEE_rzLDKeQZqH879vXz7y9Mi10BNqHY4547xnYD61GSRdYp1SzUGSTEWhK8MmGmv-nXt9WudY_6L873l_egBB_xRkSEurnsq0DqyjpKxxnEsSoUgUypPLiGe7wTkZkXMZ1IJcxOVd8yZJGw","e":"AQAB"},"nonce":"cJNyS8eeGwjkPjm_GwCKeA","alg":"RS256"}
2022-12-24T12:23:22,752 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER null: HTTP/1.1 201 Created
2022-12-24T12:23:22,752 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Cache-Control: public, max-age=0, no-cache
2022-12-24T12:23:22,752 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Replay-Nonce: U3mHRwy7BSKJdg1pVvK1Xw
2022-12-24T12:23:22,753 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Content-Length: 569
2022-12-24T12:23:22,753 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Date: Sat, 24 Dec 2022 11:23:22 GMT
2022-12-24T12:23:22,753 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Link: <https://localhost:14000/dir>;rel="index"
2022-12-24T12:23:22,753 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Location: https://localhost:14000/my-account/274cdd118e0715c1
2022-12-24T12:23:22,753 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Content-Type: application/json; charset=utf-8
2022-12-24T12:23:22,753 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | Replay Nonce: U3mHRwy7BSKJdg1pVvK1Xw
2022-12-24T12:23:22,754 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | Location: https://localhost:14000/my-account/274cdd118e0715c1
2022-12-24T12:23:22,756 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | Result JSON: {"status":"valid","contact":["mailto:m.betzel@gaston-schul.com"],"orders":"https://localhost:14000/list-orderz/274cdd118e0715c1","key":{"kty":"RSA","n":"i8qgX1Dy4Dx3lfxM9NyesHxPAKSCo-U6_LyNF5UoC3urWkf60c59nE59r5PqNltI0CHrtq3zPJtAZQDA7QYoB10muxl4tKqvJpeO5Q6bDiYAS_4eWgFZIqU_Ani9GsEq_81_VeBbQAfvHR5BMu9F6bpstEpMiVRCA3-tUpTc09Y9Zl9SNN2iVFE7WYNVnT-5jXgrSRxEE_rzLDKeQZqH879vXz7y9Mi10BNqHY4547xnYD61GSRdYp1SzUGSTEWhK8MmGmv-nXt9WudY_6L873l_egBB_xRkSEurnsq0DqyjpKxxnEsSoUgUypPLiGe7wTkZkXMZ1IJcxO
2022-12-24T12:23:22,760 | INFO  | AcmeQuartzScheduler_Worker-1 | ACMEActionJobListener            | 230 - eu.abeel.platform.security.acme.api - 1.0.0 | Job ACMERequestJob in group acme.action.job.group executed in 587 ms
2022-12-24T12:23:22,760 | INFO  | AcmeQuartzScheduler_Worker-1 | ACMEActionJobListener            | 230 - eu.abeel.platform.security.acme.api - 1.0.0 | Created ACME account https://localhost:14000/my-account/274cdd118e0715c1 having status VALID on ACME server acme://pebble
2022-12-24T12:23:28,254 | DEBUG | pipe-acme:renew  | ActionRenew                      | 231 - eu.abeel.platform.security.acme.command - 1.0.0 | Triggering certificate renewal on scheduler AcmeQuartzScheduler
2022-12-24T12:23:28,274 | DEBUG | AcmeQuartzScheduler_Worker-1 | ACMERenewJob                     | 230 - eu.abeel.platform.security.acme.api - 1.0.0 | Triggering renew certificate job for account https://localhost:14000/my-account/274cdd118e0715c1 on ACME server acme://pebble
2022-12-24T12:23:28,277 | DEBUG | AcmeQuartzScheduler_Worker-1 | OrderBuilder                     | 227 - acme4j-client - 2.15.0 | create
2022-12-24T12:23:28,278 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | GET https://localhost:14000/dir
2022-12-24T12:23:28,297 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER null: HTTP/1.1 200 OK
2022-12-24T12:23:28,297 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Cache-Control: public, max-age=0, no-cache
2022-12-24T12:23:28,297 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Content-Length: 406
2022-12-24T12:23:28,298 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Date: Sat, 24 Dec 2022 11:23:28 GMT
2022-12-24T12:23:28,298 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Content-Type: application/json; charset=utf-8
2022-12-24T12:23:28,299 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | Result JSON: {"keyChange":"https://localhost:14000/rollover-account-key","meta":{"externalAccountRequired":false,"termsOfService":"data:text/plain,Do%20what%20thou%20wilt"},"newAccount":"https://localhost:14000/sign-me-up","newNonce":"https://localhost:14000/nonce-plz","newOrder":"https://localhost:14000/order-plz","revokeCert":"https://localhost:14000/revoke-cert"}
2022-12-24T12:23:28,300 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | GET https://localhost:14000/dir
2022-12-24T12:23:28,301 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER null: HTTP/1.1 200 OK
2022-12-24T12:23:28,301 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Cache-Control: public, max-age=0, no-cache
2022-12-24T12:23:28,301 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Content-Length: 406
2022-12-24T12:23:28,301 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Date: Sat, 24 Dec 2022 11:23:28 GMT
2022-12-24T12:23:28,302 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Content-Type: application/json; charset=utf-8
2022-12-24T12:23:28,302 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | Result JSON: {"keyChange":"https://localhost:14000/rollover-account-key","meta":{"externalAccountRequired":false,"termsOfService":"data:text/plain,Do%20what%20thou%20wilt"},"newAccount":"https://localhost:14000/sign-me-up","newNonce":"https://localhost:14000/nonce-plz","newOrder":"https://localhost:14000/order-plz","revokeCert":"https://localhost:14000/revoke-cert"}
2022-12-24T12:23:28,302 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEAD https://localhost:14000/nonce-plz
2022-12-24T12:23:28,305 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER null: HTTP/1.1 200 OK
2022-12-24T12:23:28,305 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Cache-Control: public, max-age=0, no-cache
2022-12-24T12:23:28,306 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Replay-Nonce: R-Gd_OWiJUPRAa_E4ykZbw
2022-12-24T12:23:28,306 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Date: Sat, 24 Dec 2022 11:23:28 GMT
2022-12-24T12:23:28,306 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Link: <https://localhost:14000/dir>;rel="index"
2022-12-24T12:23:28,307 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | Replay Nonce: R-Gd_OWiJUPRAa_E4ykZbw
2022-12-24T12:23:28,311 | DEBUG | AcmeQuartzScheduler_Worker-1 | JoseUtils                        | 227 - acme4j-client - 2.15.0 | POST https://localhost:14000/order-plz
2022-12-24T12:23:28,311 | DEBUG | AcmeQuartzScheduler_Worker-1 | JoseUtils                        | 227 - acme4j-client - 2.15.0 |   Payload: {"identifiers":[{"type":"dns","value":"localhost"}]}
2022-12-24T12:23:28,311 | DEBUG | AcmeQuartzScheduler_Worker-1 | JoseUtils                        | 227 - acme4j-client - 2.15.0 |   JWS Header: {"url":"https://localhost:14000/order-plz","kid":"https://localhost:14000/my-account/274cdd118e0715c1","nonce":"R-Gd_OWiJUPRAa_E4ykZbw","alg":"RS256"}
2022-12-24T12:23:28,317 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER null: HTTP/1.1 201 Created
2022-12-24T12:23:28,318 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Cache-Control: public, max-age=0, no-cache
2022-12-24T12:23:28,318 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Replay-Nonce: OHyfUsagmPEVhQm1byk6fw
2022-12-24T12:23:28,318 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Content-Length: 372
2022-12-24T12:23:28,319 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Date: Sat, 24 Dec 2022 11:23:28 GMT
2022-12-24T12:23:28,319 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Link: <https://localhost:14000/dir>;rel="index"
2022-12-24T12:23:28,319 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Location: https://localhost:14000/my-order/UrozbAqSXquiW9l1tOhA-mm9xCjhwnNk-_eloNUwtWE
2022-12-24T12:23:28,320 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Content-Type: application/json; charset=utf-8
2022-12-24T12:23:28,320 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | Replay Nonce: OHyfUsagmPEVhQm1byk6fw
2022-12-24T12:23:28,320 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | Location: https://localhost:14000/my-order/UrozbAqSXquiW9l1tOhA-mm9xCjhwnNk-_eloNUwtWE
2022-12-24T12:23:28,322 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | Result JSON: {"status":"pending","expires":"2022-12-25T11:23:28Z","identifiers":[{"type":"dns","value":"localhost"}],"finalize":"https://localhost:14000/finalize-order/UrozbAqSXquiW9l1tOhA-mm9xCjhwnNk-_eloNUwtWE","authorizations":["https://localhost:14000/authZ/8_FbY9kz9fbmLVP_QfuB9U8tHctM9e7V9HLZuCFUJxA"]}
2022-12-24T12:23:28,324 | DEBUG | AcmeQuartzScheduler_Worker-1 | AcmeJsonResource                 | 227 - acme4j-client - 2.15.0 | update Authorization
2022-12-24T12:23:28,329 | DEBUG | AcmeQuartzScheduler_Worker-1 | JoseUtils                        | 227 - acme4j-client - 2.15.0 | POST-as-GET https://localhost:14000/authZ/8_FbY9kz9fbmLVP_QfuB9U8tHctM9e7V9HLZuCFUJxA
2022-12-24T12:23:28,329 | DEBUG | AcmeQuartzScheduler_Worker-1 | JoseUtils                        | 227 - acme4j-client - 2.15.0 |   JWS Header: {"url":"https://localhost:14000/authZ/8_FbY9kz9fbmLVP_QfuB9U8tHctM9e7V9HLZuCFUJxA","kid":"https://localhost:14000/my-account/274cdd118e0715c1","nonce":"OHyfUsagmPEVhQm1byk6fw","alg":"RS256"}
2022-12-24T12:23:28,347 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER null: HTTP/1.1 200 OK
2022-12-24T12:23:28,347 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Cache-Control: public, max-age=0, no-cache
2022-12-24T12:23:28,347 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Replay-Nonce: N2RQuKASd8TQkFIH9a5hSw
2022-12-24T12:23:28,347 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Content-Length: 860
2022-12-24T12:23:28,347 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Date: Sat, 24 Dec 2022 11:23:28 GMT
2022-12-24T12:23:28,348 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Link: <https://localhost:14000/dir>;rel="index"
2022-12-24T12:23:28,348 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Content-Type: application/json; charset=utf-8
2022-12-24T12:23:28,348 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | Replay Nonce: N2RQuKASd8TQkFIH9a5hSw
2022-12-24T12:23:28,349 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | Result JSON: {"status":"pending","identifier":{"type":"dns","value":"localhost"},"challenges":[{"type":"http-01","url":"https://localhost:14000/chalZ/480A0BbEfOYlr6f3KFXvoCa3LaF9sm_f96Yi0qy_YOA","token":"07youcNPlTnGcs4bWTfGZ7vpzOjKt8MrcytvxiYE_II","status":"pending"},{"type":"dns-01","url":"https://localhost:14000/chalZ/HW4KoPSnxATK00T3O1Gy2MBdHsjucgmbuYA_eE1Qa5s","token":"0PUR6XeVcsTKclV4BD1RpWdxBRInbCau_3AQiCGx8dg","status":"pending"},{"type":"tls-alpn-01","url":"https://localhost:14000/chalZ
2022-12-24T12:23:28,349 | INFO  | AcmeQuartzScheduler_Worker-1 | ACMERenewJob                     | 230 - eu.abeel.platform.security.acme.api - 1.0.0 | Authorization for pending domain: localhost
2022-12-24T12:23:29,122 | DEBUG | AcmeQuartzScheduler_Worker-1 | ACMERenewJob                     | 230 - eu.abeel.platform.security.acme.api - 1.0.0 | Added TLS ALPN challenge certificate to key store
2022-12-24T12:23:34,606 | DEBUG | Scanner-0        | KeyStoreScanner                  | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | changed C:\Users\betzm\Development\karaf\runtime-3.2.1\etc\keystore\digital.gaston-schul.com.jks
2022-12-24T12:23:34,607 | DEBUG | Scanner-0        | KeyStoreScanner                  | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | reloading keystore file C:\Users\betzm\Development\karaf\runtime-3.2.1\etc\keystore\digital.gaston-schul.com.jks
2022-12-24T12:23:34,616 | DEBUG | Scanner-0        | X509                             | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | Certificate alias=digital.gaston-schul.com SAN dns=digital.gaston-schul.com in X509@7fa7de86(digital.gaston-schul.com,h=[],a=[],w=[])
2022-12-24T12:23:34,617 | DEBUG | Scanner-0        | X509                             | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | Certificate CN alias=digital.gaston-schul.com CN=digital.gaston-schul.com in X509@7fa7de86(digital.gaston-schul.com,h=[digital.gaston-schul.com],a=[],w=[])
2022-12-24T12:23:34,617 | INFO  | Scanner-0        | SslContextFactory                | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | x509=X509@7fa7de86(digital.gaston-schul.com,h=[digital.gaston-schul.com],a=[],w=[]) for Server@715f511f[provider=null,keyStore=file:///C:/Users/betzm/Development/karaf/runtime-3.2.1/etc/keystore/digital.gaston-schul.com.jks,trustStore=null]
2022-12-24T12:23:34,618 | DEBUG | Scanner-0        | X509                             | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | Certificate alias=acme_challenge_key SAN dns=localhost in X509@6738f9a8(acme_challenge_key,h=[],a=[],w=[])
2022-12-24T12:23:34,618 | DEBUG | Scanner-0        | X509                             | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | Certificate CN alias=acme_challenge_key CN=acme.invalid in X509@6738f9a8(acme_challenge_key,h=[localhost],a=[],w=[])
2022-12-24T12:23:34,619 | INFO  | Scanner-0        | SslContextFactory                | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | x509=X509@6738f9a8(acme_challenge_key,h=[localhost, acme.invalid],a=[],w=[]) for Server@715f511f[provider=null,keyStore=file:///C:/Users/betzm/Development/karaf/runtime-3.2.1/etc/keystore/digital.gaston-schul.com.jks,trustStore=null]
2022-12-24T12:23:34,619 | DEBUG | Scanner-0        | X509                             | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | Certificate alias=acme_challenge_cert SAN dns=localhost in X509@478255ad(acme_challenge_cert,h=[],a=[],w=[])
2022-12-24T12:23:34,619 | DEBUG | Scanner-0        | X509                             | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | Certificate CN alias=acme_challenge_cert CN=acme.invalid in X509@478255ad(acme_challenge_cert,h=[localhost],a=[],w=[])
2022-12-24T12:23:34,620 | INFO  | Scanner-0        | SslContextFactory                | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | x509=X509@478255ad(acme_challenge_cert,h=[localhost, acme.invalid],a=[],w=[]) for Server@715f511f[provider=null,keyStore=file:///C:/Users/betzm/Development/karaf/runtime-3.2.1/etc/keystore/digital.gaston-schul.com.jks,trustStore=null]
2022-12-24T12:23:34,620 | DEBUG | Scanner-0        | X509                             | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | Certificate alias=digital.gaston-schul.com (r3) SAN dns=digital.gaston-schul.com in X509@119e399c(digital.gaston-schul.com (r3),h=[],a=[],w=[])
2022-12-24T12:23:34,620 | DEBUG | Scanner-0        | X509                             | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | Certificate CN alias=digital.gaston-schul.com (r3) CN=digital.gaston-schul.com in X509@119e399c(digital.gaston-schul.com (r3),h=[digital.gaston-schul.com],a=[],w=[])
2022-12-24T12:23:34,621 | INFO  | Scanner-0        | SslContextFactory                | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | x509=X509@119e399c(digital.gaston-schul.com (r3),h=[digital.gaston-schul.com],a=[],w=[]) for Server@715f511f[provider=null,keyStore=file:///C:/Users/betzm/Development/karaf/runtime-3.2.1/etc/keystore/digital.gaston-schul.com.jks,trustStore=null]
2022-12-24T12:23:34,622 | DEBUG | Scanner-0        | SslContextFactory                | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | managers=[org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager@70d9d0d7] for Server@715f511f[provider=null,keyStore=file:///C:/Users/betzm/Development/karaf/runtime-3.2.1/etc/keystore/digital.gaston-schul.com.jks,trustStore=null]
2022-12-24T12:23:34,623 | DEBUG | Scanner-0        | SslContextFactory                | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | Selected Protocols [TLSv1.2] of [TLSv1.3, TLSv1.2, TLSv1.1, TLSv1, SSLv3, SSLv2Hello]
2022-12-24T12:23:34,623 | DEBUG | Scanner-0        | SslContextFactory                | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | Selected Ciphers   [TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_
2022-12-24T12:23:40,129 | INFO  | AcmeQuartzScheduler_Worker-1 | ACMERenewJob                     | 230 - eu.abeel.platform.security.acme.api - 1.0.0 | Triggering ACME server TLS ALPN challenge
2022-12-24T12:23:40,130 | DEBUG | AcmeQuartzScheduler_Worker-1 | Challenge                        | 227 - acme4j-client - 2.15.0 | trigger
2022-12-24T12:23:40,137 | DEBUG | AcmeQuartzScheduler_Worker-1 | JoseUtils                        | 227 - acme4j-client - 2.15.0 | POST https://localhost:14000/chalZ/64BMRKkXnogVVoSg8z0CvZOURnXDlfkMX8Yt4NHwkBM
2022-12-24T12:23:40,137 | DEBUG | AcmeQuartzScheduler_Worker-1 | JoseUtils                        | 227 - acme4j-client - 2.15.0 |   Payload: {}
2022-12-24T12:23:40,137 | DEBUG | AcmeQuartzScheduler_Worker-1 | JoseUtils                        | 227 - acme4j-client - 2.15.0 |   JWS Header: {"url":"https://localhost:14000/chalZ/64BMRKkXnogVVoSg8z0CvZOURnXDlfkMX8Yt4NHwkBM","kid":"https://localhost:14000/my-account/274cdd118e0715c1","nonce":"N2RQuKASd8TQkFIH9a5hSw","alg":"RS256"}
2022-12-24T12:23:40,154 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER null: HTTP/1.1 200 OK
2022-12-24T12:23:40,155 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Cache-Control: public, max-age=0, no-cache
2022-12-24T12:23:40,156 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Replay-Nonce: Nydx4ohz3TN_WF-Z2BS64A
2022-12-24T12:23:40,156 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Content-Length: 198
2022-12-24T12:23:40,156 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Date: Sat, 24 Dec 2022 11:23:40 GMT
2022-12-24T12:23:40,157 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Link: <https://localhost:14000/authZ/8_FbY9kz9fbmLVP_QfuB9U8tHctM9e7V9HLZuCFUJxA>;rel="up"
2022-12-24T12:23:40,157 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Link: <https://localhost:14000/dir>;rel="index"
2022-12-24T12:23:40,157 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Content-Type: application/json; charset=utf-8
2022-12-24T12:23:40,157 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | Replay Nonce: Nydx4ohz3TN_WF-Z2BS64A
2022-12-24T12:23:40,158 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | Result JSON: {"type":"tls-alpn-01","url":"https://localhost:14000/chalZ/64BMRKkXnogVVoSg8z0CvZOURnXDlfkMX8Yt4NHwkBM","token":"eB4QYO5eG_w5SYQWVpDCoXVbd_qLdvYOPOHry8Jeh84","status":"pending"}
2022-12-24T12:23:40,180 | DEBUG | qtp799632226-144 | SslContextFactory                | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | Customize sun.security.ssl.SSLEngineImpl@2b8808bd
2022-12-24T12:23:40,188 | DEBUG | qtp799632226-144 | ALPNServerConnectionFactory      | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | org.eclipse.jetty.alpn.openjdk8.server.OpenJDK8ServerALPNProcessor@6881894c for sun.security.ssl.SSLEngineImpl@2b8808bd on DecryptedEndPoint@47f01973{l=/0:0:0:0:0:0:0:1:8444,r=/0:0:0:0:0:0:0:1:64160,OPEN,fill=-,flush=-,to=1/30000}
2022-12-24T12:23:40,198 | DEBUG | qtp799632226-146 | SslContextFactory                | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | SNI matching for type=host_name (0), value=localhost
2022-12-24T12:23:40,198 | DEBUG | qtp799632226-146 | SslContextFactory                | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | SNI host name localhost
2022-12-24T12:23:40,202 | DEBUG | qtp799632226-146 | SniX509ExtendedKeyManager        | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | Chose explicit alias=null keyType=EC on sun.security.ssl.SSLEngineImpl@2b8808bd
2022-12-24T12:23:40,203 | DEBUG | qtp799632226-146 | SniX509ExtendedKeyManager        | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | Chose explicit alias=null keyType=EC on sun.security.ssl.SSLEngineImpl@2b8808bd
2022-12-24T12:23:40,205 | DEBUG | qtp799632226-146 | SslContextFactory                | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | Selecting alias: keyType=RSA, sni=localhost, sniRequired=false, certs=[X509@6738f9a8(acme_challenge_key,h=[localhost, acme.invalid],a=[],w=[]), X509@119e399c(digital.gaston-schul.com (r3),h=[digital.gaston-schul.com],a=[],w=[])]
2022-12-24T12:23:40,206 | DEBUG | qtp799632226-146 | SslContextFactory                | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | Selected alias=acme_challenge_key
2022-12-24T12:23:40,207 | DEBUG | qtp799632226-146 | SniX509ExtendedKeyManager        | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | Matched SNI localhost with alias acme_challenge_key, certificate X509@6738f9a8(acme_challenge_key,h=[localhost, acme.invalid],a=[],w=[]) from aliases [acme_challenge_key, digital.gaston-schul.com (r3)]
2022-12-24T12:23:40,208 | DEBUG | qtp799632226-146 | SniX509ExtendedKeyManager        | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | Chose explicit alias=acme_challenge_key keyType=RSA on sun.security.ssl.SSLEngineImpl@2b8808bd
2022-12-24T12:23:40,211 | DEBUG | qtp799632226-146 | OpenJDK8ServerALPNProcessor      | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | apply ALPNServerConnection@3805f65d::DecryptedEndPoint@47f01973{l=/0:0:0:0:0:0:0:1:8444,r=/0:0:0:0:0:0:0:1:64160,OPEN,fill=-,flush=-,to=20/30000} [acme-tls/1]
2022-12-24T12:23:40,211 | DEBUG | qtp799632226-146 | ALPNServerConnection             | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | Protocol selected acme-tls/1 from client[acme-tls/1] and server[acme-tls/1, h2] on DecryptedEndPoint@47f01973{l=/0:0:0:0:0:0:0:1:8444,r=/0:0:0:0:0:0:0:1:64160,OPEN,fill=-,flush=-,to=20/30000}
2022-12-24T12:23:40,228 | DEBUG | qtp799632226-146 | OpenJDK8ServerALPNProcessor      | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | TLS handshake succeeded, protocol=acme-tls/1 for ALPNServerConnection@3805f65d::DecryptedEndPoint@47f01973{l=/0:0:0:0:0:0:0:1:8444,r=/0:0:0:0:0:0:0:1:64160,OPEN,fill=-,flush=-,to=36/30000}
2022-12-24T12:23:40,229 | DEBUG | qtp799632226-146 | NegotiatingServerConnection      | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | ALPNServerConnection@3805f65d::DecryptedEndPoint@47f01973{l=/0:0:0:0:0:0:0:1:8444,r=/0:0:0:0:0:0:0:1:64160,OPEN,fill=-,flush=-,to=37/30000} detected close on client side
2022-12-24T12:23:43,169 | DEBUG | AcmeQuartzScheduler_Worker-1 | AcmeJsonResource                 | 227 - acme4j-client - 2.15.0 | update TlsAlpn01Challenge
2022-12-24T12:23:43,175 | DEBUG | qtp799632226-146 | SslContextFactory                | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | Customize sun.security.ssl.SSLEngineImpl@5f10e803
2022-12-24T12:23:43,175 | DEBUG | qtp799632226-147 | SslContextFactory                | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | Customize sun.security.ssl.SSLEngineImpl@1880d439
2022-12-24T12:23:43,176 | DEBUG | qtp799632226-146 | ALPNServerConnectionFactory      | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | org.eclipse.jetty.alpn.openjdk8.server.OpenJDK8ServerALPNProcessor@6881894c for sun.security.ssl.SSLEngineImpl@5f10e803 on DecryptedEndPoint@eaeb523{l=/0:0:0:0:0:0:0:1:8444,r=/0:0:0:0:0:0:0:1:64162,OPEN,fill=-,flush=-,to=0/30000}
2022-12-24T12:23:43,177 | DEBUG | qtp799632226-147 | ALPNServerConnectionFactory      | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | org.eclipse.jetty.alpn.openjdk8.server.OpenJDK8ServerALPNProcessor@6881894c for sun.security.ssl.SSLEngineImpl@1880d439 on DecryptedEndPoint@16472959{l=/0:0:0:0:0:0:0:1:8444,r=/0:0:0:0:0:0:0:1:64163,OPEN,fill=-,flush=-,to=0/30000}
2022-12-24T12:23:43,182 | DEBUG | qtp799632226-131 | SslContextFactory                | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | SNI matching for type=host_name (0), value=localhost
2022-12-24T12:23:43,183 | DEBUG | qtp799632226-134 | SslContextFactory                | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | SNI matching for type=host_name (0), value=localhost
2022-12-24T12:23:43,183 | DEBUG | qtp799632226-134 | SslContextFactory                | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | SNI host name localhost
2022-12-24T12:23:43,183 | DEBUG | qtp799632226-131 | SslContextFactory                | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | SNI host name localhost
2022-12-24T12:23:43,183 | DEBUG | AcmeQuartzScheduler_Worker-1 | JoseUtils                        | 227 - acme4j-client - 2.15.0 | POST-as-GET https://localhost:14000/chalZ/64BMRKkXnogVVoSg8z0CvZOURnXDlfkMX8Yt4NHwkBM
2022-12-24T12:23:43,184 | DEBUG | AcmeQuartzScheduler_Worker-1 | JoseUtils                        | 227 - acme4j-client - 2.15.0 |   JWS Header: {"url":"https://localhost:14000/chalZ/64BMRKkXnogVVoSg8z0CvZOURnXDlfkMX8Yt4NHwkBM","kid":"https://localhost:14000/my-account/274cdd118e0715c1","nonce":"Nydx4ohz3TN_WF-Z2BS64A","alg":"RS256"}
2022-12-24T12:23:43,184 | DEBUG | qtp799632226-134 | SniX509ExtendedKeyManager        | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | Chose explicit alias=null keyType=EC on sun.security.ssl.SSLEngineImpl@1880d439
2022-12-24T12:23:43,184 | DEBUG | qtp799632226-131 | SniX509ExtendedKeyManager        | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | Chose explicit alias=null keyType=EC on sun.security.ssl.SSLEngineImpl@5f10e803
2022-12-24T12:23:43,185 | DEBUG | qtp799632226-134 | SniX509ExtendedKeyManager        | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | Chose explicit alias=null keyType=EC on sun.security.ssl.SSLEngineImpl@1880d439
2022-12-24T12:23:43,185 | DEBUG | qtp799632226-131 | SniX509ExtendedKeyManager        | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | Chose explicit alias=null keyType=EC on sun.security.ssl.SSLEngineImpl@5f10e803
2022-12-24T12:23:43,185 | DEBUG | qtp799632226-134 | SslContextFactory                | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | Selecting alias: keyType=RSA, sni=localhost, sniRequired=false, certs=[X509@6738f9a8(acme_challenge_key,h=[localhost, acme.invalid],a=[],w=[]), X509@119e399c(digital.gaston-schul.com (r3),h=[digital.gaston-schul.com],a=[],w=[])]
2022-12-24T12:23:43,185 | DEBUG | qtp799632226-131 | SslContextFactory                | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | Selecting alias: keyType=RSA, sni=localhost, sniRequired=false, certs=[X509@6738f9a8(acme_challenge_key,h=[localhost, acme.invalid],a=[],w=[]), X509@119e399c(digital.gaston-schul.com (r3),h=[digital.gaston-schul.com],a=[],w=[])]
2022-12-24T12:23:43,186 | DEBUG | qtp799632226-134 | SslContextFactory                | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | Selected alias=acme_challenge_key
2022-12-24T12:23:43,186 | DEBUG | qtp799632226-131 | SslContextFactory                | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | Selected alias=acme_challenge_key
2022-12-24T12:23:43,186 | DEBUG | qtp799632226-134 | SniX509ExtendedKeyManager        | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | Matched SNI localhost with alias acme_challenge_key, certificate X509@6738f9a8(acme_challenge_key,h=[localhost, acme.invalid],a=[],w=[]) from aliases [acme_challenge_key, digital.gaston-schul.com (r3)]
2022-12-24T12:23:43,186 | DEBUG | qtp799632226-131 | SniX509ExtendedKeyManager        | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | Matched SNI localhost with alias acme_challenge_key, certificate X509@6738f9a8(acme_challenge_key,h=[localhost, acme.invalid],a=[],w=[]) from aliases [acme_challenge_key, digital.gaston-schul.com (r3)]
2022-12-24T12:23:43,186 | DEBUG | qtp799632226-134 | SniX509ExtendedKeyManager        | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | Chose explicit alias=acme_challenge_key keyType=RSA on sun.security.ssl.SSLEngineImpl@1880d439
2022-12-24T12:23:43,186 | DEBUG | qtp799632226-131 | SniX509ExtendedKeyManager        | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | Chose explicit alias=acme_challenge_key keyType=RSA on sun.security.ssl.SSLEngineImpl@5f10e803
2022-12-24T12:23:43,188 | DEBUG | qtp799632226-131 | OpenJDK8ServerALPNProcessor      | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | apply ALPNServerConnection@7fc7646a::DecryptedEndPoint@eaeb523{l=/0:0:0:0:0:0:0:1:8444,r=/0:0:0:0:0:0:0:1:64162,OPEN,fill=-,flush=-,to=11/30000} [acme-tls/1]
2022-12-24T12:23:43,188 | DEBUG | qtp799632226-134 | OpenJDK8ServerALPNProcessor      | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | apply ALPNServerConnection@10e69452::DecryptedEndPoint@16472959{l=/0:0:0:0:0:0:0:1:8444,r=/0:0:0:0:0:0:0:1:64163,OPEN,fill=-,flush=-,to=8/30000} [acme-tls/1]
2022-12-24T12:23:43,188 | DEBUG | qtp799632226-131 | ALPNServerConnection             | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | Protocol selected acme-tls/1 from client[acme-tls/1] and server[acme-tls/1, h2] on DecryptedEndPoint@eaeb523{l=/0:0:0:0:0:0:0:1:8444,r=/0:0:0:0:0:0:0:1:64162,OPEN,fill=-,flush=-,to=11/30000}
2022-12-24T12:23:43,188 | DEBUG | qtp799632226-134 | ALPNServerConnection             | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | Protocol selected acme-tls/1 from client[acme-tls/1] and server[acme-tls/1, h2] on DecryptedEndPoint@16472959{l=/0:0:0:0:0:0:0:1:8444,r=/0:0:0:0:0:0:0:1:64163,OPEN,fill=-,flush=-,to=9/30000}
2022-12-24T12:23:43,202 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER null: HTTP/1.1 200 OK
2022-12-24T12:23:43,202 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Cache-Control: public, max-age=0, no-cache
2022-12-24T12:23:43,204 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Replay-Nonce: JzwsfifP0Py4r-tY2x2Xag
2022-12-24T12:23:43,204 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Content-Length: 238
2022-12-24T12:23:43,204 | DEBUG | qtp799632226-146 | OpenJDK8ServerALPNProcessor      | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | TLS handshake succeeded, protocol=acme-tls/1 for ALPNServerConnection@10e69452::DecryptedEndPoint@16472959{l=/0:0:0:0:0:0:0:1:8444,r=/0:0:0:0:0:0:0:1:64163,OPEN,fill=-,flush=-,to=10/30000}
2022-12-24T12:23:43,204 | DEBUG | qtp799632226-144 | OpenJDK8ServerALPNProcessor      | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | TLS handshake succeeded, protocol=acme-tls/1 for ALPNServerConnection@7fc7646a::DecryptedEndPoint@eaeb523{l=/0:0:0:0:0:0:0:1:8444,r=/0:0:0:0:0:0:0:1:64162,OPEN,fill=-,flush=-,to=10/30000}
2022-12-24T12:23:43,204 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Date: Sat, 24 Dec 2022 11:23:43 GMT
2022-12-24T12:23:43,204 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Link: <https://localhost:14000/dir>;rel="index"
2022-12-24T12:23:43,205 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Content-Type: application/json; charset=utf-8
2022-12-24T12:23:43,205 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | Replay Nonce: JzwsfifP0Py4r-tY2x2Xag
2022-12-24T12:23:43,206 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | Result JSON: {"type":"tls-alpn-01","url":"https://localhost:14000/chalZ/64BMRKkXnogVVoSg8z0CvZOURnXDlfkMX8Yt4NHwkBM","token":"eB4QYO5eG_w5SYQWVpDCoXVbd_qLdvYOPOHry8Jeh84","status":"pending","validated":"2022-12-24T11:23:40Z"}
2022-12-24T12:23:46,219 | DEBUG | AcmeQuartzScheduler_Worker-1 | AcmeJsonResource                 | 227 - acme4j-client - 2.15.0 | update TlsAlpn01Challenge
2022-12-24T12:23:46,226 | DEBUG | AcmeQuartzScheduler_Worker-1 | JoseUtils                        | 227 - acme4j-client - 2.15.0 | POST-as-GET https://localhost:14000/chalZ/64BMRKkXnogVVoSg8z0CvZOURnXDlfkMX8Yt4NHwkBM
2022-12-24T12:23:46,226 | DEBUG | AcmeQuartzScheduler_Worker-1 | JoseUtils                        | 227 - acme4j-client - 2.15.0 |   JWS Header: {"url":"https://localhost:14000/chalZ/64BMRKkXnogVVoSg8z0CvZOURnXDlfkMX8Yt4NHwkBM","kid":"https://localhost:14000/my-account/274cdd118e0715c1","nonce":"JzwsfifP0Py4r-tY2x2Xag","alg":"RS256"}
2022-12-24T12:23:46,239 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER null: HTTP/1.1 200 OK
2022-12-24T12:23:46,239 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Cache-Control: public, max-age=0, no-cache
2022-12-24T12:23:46,239 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Replay-Nonce: v2DjaQ6ZXBcSrd3uJWweUw
2022-12-24T12:23:46,240 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Content-Length: 236
2022-12-24T12:23:46,240 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Date: Sat, 24 Dec 2022 11:23:46 GMT
2022-12-24T12:23:46,240 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Link: <https://localhost:14000/dir>;rel="index"
2022-12-24T12:23:46,241 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Content-Type: application/json; charset=utf-8
2022-12-24T12:23:46,241 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | Replay Nonce: v2DjaQ6ZXBcSrd3uJWweUw
2022-12-24T12:23:46,241 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | Result JSON: {"type":"tls-alpn-01","url":"https://localhost:14000/chalZ/64BMRKkXnogVVoSg8z0CvZOURnXDlfkMX8Yt4NHwkBM","token":"eB4QYO5eG_w5SYQWVpDCoXVbd_qLdvYOPOHry8Jeh84","status":"valid","validated":"2022-12-24T11:23:40Z"}
2022-12-24T12:23:46,242 | DEBUG | AcmeQuartzScheduler_Worker-1 | ACMERenewJob                     | 230 - eu.abeel.platform.security.acme.api - 1.0.0 | Challenge has been completed. Remember to remove the validation resource.
2022-12-24T12:23:46,242 | DEBUG | AcmeQuartzScheduler_Worker-1 | AcmeJsonResource                 | 227 - acme4j-client - 2.15.0 | update Account
2022-12-24T12:23:46,255 | DEBUG | AcmeQuartzScheduler_Worker-1 | JoseUtils                        | 227 - acme4j-client - 2.15.0 | POST-as-GET https://localhost:14000/my-account/274cdd118e0715c1
2022-12-24T12:23:46,256 | DEBUG | AcmeQuartzScheduler_Worker-1 | JoseUtils                        | 227 - acme4j-client - 2.15.0 |   JWS Header: {"url":"https://localhost:14000/my-account/274cdd118e0715c1","kid":"https://localhost:14000/my-account/274cdd118e0715c1","nonce":"v2DjaQ6ZXBcSrd3uJWweUw","alg":"RS256"}
2022-12-24T12:23:46,268 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER null: HTTP/1.1 200 OK
2022-12-24T12:23:46,269 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Cache-Control: public, max-age=0, no-cache
2022-12-24T12:23:46,269 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Replay-Nonce: _L_cU2a8R_xJ_fWRPInYZA
2022-12-24T12:23:46,269 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Content-Length: 569
2022-12-24T12:23:46,270 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Date: Sat, 24 Dec 2022 11:23:46 GMT
2022-12-24T12:23:46,270 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Link: <https://localhost:14000/dir>;rel="index"
2022-12-24T12:23:46,270 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | HEADER Content-Type: application/json; charset=utf-8
2022-12-24T12:23:46,270 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | Replay Nonce: _L_cU2a8R_xJ_fWRPInYZA
2022-12-24T12:23:46,271 | DEBUG | AcmeQuartzScheduler_Worker-1 | DefaultConnection                | 227 - acme4j-client - 2.15.0 | Result JSON: {"status":"valid","contact":["mailto:m.betzel@gaston-schul.com"],"orders":"https://localhost:14000/list-orderz/274cdd118e0715c1","key":{"kty":"RSA","n":"i8qgX1Dy4Dx3lfxM9NyesHxPAKSCo-U6_LyNF5UoC3urWkf60c59nE59r5PqNltI0CHrtq3zPJtAZQDA7QYoB10muxl4tKqvJpeO5Q6bDiYAS_4eWgFZIqU_Ani9GsEq_81_VeBbQAfvHR5BMu9F6bpstEpMiVRCA3-tUpTc09Y9Zl9SNN2iVFE7WYNVnT-5jXgrSRxEE_rzLDKeQZqH879vXz7y9Mi10BNqHY4547xnYD61GSRdYp1SzUGSTEWhK8MmGmv-nXt9WudY_6L873l_egBB_xRkSEurnsq0DqyjpKxxnEsSoUgUypPLiGe7wTkZkXMZ1IJcxO
2022-12-24T12:23:46,271 | INFO  | AcmeQuartzScheduler_Worker-1 | ACMERenewJob                     | 230 - eu.abeel.platform.security.acme.api - 1.0.0 | ACME account has been created VALID
2022-12-24T12:23:46,271 | INFO  | AcmeQuartzScheduler_Worker-1 | ACMEActionJobListener            | 230 - eu.abeel.platform.security.acme.api - 1.0.0 | Job ACMERenewJob in group acme.action.job.group executed in 18000 ms
2022-12-24T12:23:46,272 | INFO  | AcmeQuartzScheduler_Worker-1 | ACMEActionJobListener            | 230 - eu.abeel.platform.security.acme.api - 1.0.0 | VALID
Maurice-Betzel commented 1 year ago

I tried to find documentation about how to write Jetty Connections and Factories but to no avail. Do you have some pointers maybe?

Maurice-Betzel commented 1 year ago

And what is the best way to monitor the reload of the key-store, some life cycle event, create my own key-store scanner, or is there something more specific?

sbordet commented 1 year ago

I tried to find documentation about how to write Jetty Connections and Factories but to no avail. Do you have some pointers maybe?

https://www.eclipse.org/jetty/documentation/jetty-11/programming-guide/index.html#pg-arch-io-endpoint-connection

sbordet commented 1 year ago

And what is the best way to monitor the reload of the key-store, some life cycle event, create my own key-store scanner, or is there something more specific?

What do you exactly mean by "monitor the reload of the key-store"?

sbordet commented 1 year ago

BTW did you have to wrap the KeyManager to provide the right alias for the acme-tls/1 protocol?

Maurice-Betzel commented 1 year ago

Thanks for formatting my log entries and the documentation. I did not need to wrap the javax.net.ssl.KeyManager yet, using openjdk version 1.8.0_322, still having to test against Lets Encrypt staging from a production domain.

I have the ACME renew job started from a Quartz cron or a Karaf command thread, that spawns a key-store update thread and those get synchronized by a cyclic barrier before I do a thread sleep to wait for Jetty to pickup the modified key-store and progressing the ACME renew process. I see that the KeyStoreScanner implements Scanner.DiscreteListener which has a fileChanged for informing that a file has been changed, so I guess I have to create my own listener bean being created by the Jetty config and controlled by Jetty, calling an OSGi interface that also joins this cyclic barrier to start further progression of the ACME renew cycle.

Maurice-Betzel commented 1 year ago

Just tested in production against the Let’s Encrypt main URL and everything is working as expected. So the KeyManager from this Java version behaves. Could this be related to the ALPN support also being present? Key-store reload is handled by my own KeyStoreScanner that fetches the bundlecontext after the SslFactory is updated and triggers a service on the OSGi service registry releasing the cyclic barrier waiting in its turn to trigger the challenge on the ACME provider.

sbordet commented 1 year ago

@Maurice-Betzel I have doubts that it will work without wrapping the KeyManager.

In the logs above, you are using a different hostname/SNI (localhost) to differentiate among the certificates, but I am guessing in production the hostname/SNI will be the same for all certificates.

Since you cannot differentiate by hostname/SNI, you have to differentiate by ALPN protocol, and this is why I think you need the KeyManager wrapper.

I think so far you have somehow been lucky at picking the right certificates, but I'm afraid it may be different if the KeyStore iterates over the certificates in a different order -- this may be due to how many certificates it contains, or the order they have been inserted in the KeyStore, etc.

Maurice-Betzel commented 1 year ago

@sbordet I did debug this part and it chooses the certificate alias by SNI without probs with the challenge and a valid key-pair in the store on a renew. I guess you are pointing to https://bugs.openjdk.java.net/browse/JDK-8246262?

2022-12-24T12:23:43,186 | DEBUG | qtp799632226-131 | SniX509ExtendedKeyManager        | 100 - org.eclipse.jetty.util - 9.4.43.v20210629 | Matched SNI localhost with alias acme_challenge_key, certificate X509@6738f9a8(acme_challenge_key,h=[localhost, acme.invalid],a=[],w=[]) from aliases [acme_challenge_key, digital.gaston-schul.com (r3)]
sbordet commented 1 year ago

@Maurice-Betzel the RFC says:

Once this certificate has been created, it MUST be provisioned such that it is returned during a TLS handshake where the "acme-tls/1" application-layer protocol has been negotiated and a Server Name Indication (SNI) extension [RFC6066] has been provided containing the domain name being validated.

So I understand that the "special" ACME certificate must not have a CN/SAN of localhost or acme.invalid like yours has, but it must have the actual domain name, i.e. digital.gaston-schul.com. And the incoming request must also have an SNI of digital.gaston-schul.com.

In this case, you won't be able to select the right certificate because both the original one and the "special" ACME one have the same CN/SAN, so cannot be picked by SNI alone. Hence you need the KeyManager wrapper to select the certificate using the ALPN protocol.

I'm surprised the ACME client makes a request with SNI localhost, seems very wrong to me.

I still don't understand how exactly you have setup your system. Do you have a diagram of the parties involved? What ACME client do you use?
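
The wrapper described in the two comments above, as an added example that is not code from this issue or from Jetty: a delegating X509ExtendedKeyManager that hands out the challenge entry only when the handshake negotiated ALPN "acme-tls/1" and the SNI name is covered by that certificate's dNSName SANs, and otherwise defers to Jetty's SNI-based selection. Assumptions: the alias name is yours to choose (acme_challenge_key below mirrors the logs); SSLEngine.getHandshakeApplicationProtocol() (JDK 9+, 8u252+) is already populated when JSSE asks the key manager for an alias, which you should confirm on your JDK and TLS version with a debug handshake, since the wrapper silently falls back to SNI selection when it is not; and SslContextFactory.Server.newSniX509ExtendedKeyManager is the protected hook Jetty 9.4/10 uses to install its own SniX509ExtendedKeyManager.

```java
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;

import javax.net.ssl.ExtendedSSLSession;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSession;
import javax.net.ssl.StandardConstants;
import javax.net.ssl.X509ExtendedKeyManager;

import org.eclipse.jetty.util.ssl.SslContextFactory;

/** Serves the tls-alpn-01 entry only for acme-tls/1 handshakes whose SNI it covers (RFC 8737, section 3). */
public class AlpnKeyManager extends X509ExtendedKeyManager
{
    public static final String ACME_TLS_1 = "acme-tls/1";

    private final X509ExtendedKeyManager delegate; // Jetty's SniX509ExtendedKeyManager
    private final String acmeAlias;                // assumed alias of the challenge entry

    public AlpnKeyManager(X509ExtendedKeyManager delegate, String acmeAlias)
    {
        this.delegate = delegate;
        this.acmeAlias = acmeAlias;
    }

    @Override
    public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine)
    {
        // null or "" when ALPN has not been settled for this handshake yet (JDK dependent, verify).
        if (!ACME_TLS_1.equals(engine.getHandshakeApplicationProtocol()))
            return delegate.chooseEngineServerAlias(keyType, issuers, engine);

        // JSSE asks once per key type (EC, then RSA in the logs above). Answer only for the type
        // of the challenge key; null makes JSSE try the next type instead of serving a wrong entry.
        PrivateKey key = delegate.getPrivateKey(acmeAlias);
        X509Certificate[] chain = delegate.getCertificateChain(acmeAlias);
        if (key == null || chain == null || chain.length == 0 || !keyType.equals(key.getAlgorithm()))
            return null;

        // The CA validates the name it put in SNI; refuse the challenge entry for any other name.
        String sni = requestedHostName(engine);
        return sni != null && coversName(chain[0], sni) ? acmeAlias : null;
    }

    private static String requestedHostName(SSLEngine engine)
    {
        SSLSession session = engine.getHandshakeSession();
        if (session instanceof ExtendedSSLSession)
        {
            for (SNIServerName name : ((ExtendedSSLSession)session).getRequestedServerNames())
            {
                if (name.getType() == StandardConstants.SNI_HOST_NAME)
                    return ((SNIHostName)name).getAsciiName();
            }
        }
        return null;
    }

    private static boolean coversName(X509Certificate cert, String host)
    {
        try
        {
            Collection<List<?>> sans = cert.getSubjectAlternativeNames();
            if (sans == null)
                return false;
            for (List<?> san : sans)
            {
                // GeneralName type 2 is dNSName, where acme4j places the identifier.
                if (Integer.valueOf(2).equals(san.get(0)) && host.equalsIgnoreCase(String.valueOf(san.get(1))))
                    return true;
            }
        }
        catch (CertificateParsingException ignored)
        {
            // unparsable SAN extension: treat as "does not cover"
        }
        return false;
    }

    // Everything else passes through unchanged.
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return delegate.getClientAliases(keyType, issuers); }
    @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) { return delegate.chooseClientAlias(keyType, issuers, socket); }
    @Override public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine) { return delegate.chooseEngineClientAlias(keyType, issuers, engine); }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return delegate.getServerAliases(keyType, issuers); }
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return delegate.chooseServerAlias(keyType, issuers, socket); }
    @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }
}

/** Installs the wrapper around Jetty's SNI key manager (hook assumed from Jetty 9.4/10, check your version). */
class AcmeSslContextFactory extends SslContextFactory.Server
{
    private final String acmeAlias;

    AcmeSslContextFactory(String acmeAlias)
    {
        this.acmeAlias = acmeAlias;
    }

    @Override
    protected X509ExtendedKeyManager newSniX509ExtendedKeyManager(X509ExtendedKeyManager keyManager)
    {
        return new AlpnKeyManager(super.newSniX509ExtendedKeyManager(keyManager), acmeAlias);
    }
}
```

With this in place both the production certificate and the challenge certificate can carry the same SAN, as the RFC requires, because the protocol and not the name decides which entry is served; a browser that happens to send the same SNI never negotiates acme-tls/1 and keeps getting the real certificate.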

Maurice-Betzel commented 1 year ago

I use acme4j, latest version, and it uses acme.invalid internally which resolves against Lets Encrypt and the Pebble test server. I just dropped in some other key-pairs and certificates in the key-store, and the renew just works after a revoke. My Authorization identifier dns=digital.gaston-schul.com being the Identifier used in the acme4j method under: https://shredzone.org/maven/acme4j/challenge/tls-alpn-01.html

import java.security.KeyPair;
import java.security.cert.X509Certificate;
import org.shredzone.acme4j.Identifier;
import org.shredzone.acme4j.challenge.TlsAlpn01Challenge;
import org.shredzone.acme4j.util.CertificateUtils;
import org.shredzone.acme4j.util.KeyPairUtils;

// 'auth' is the Authorization for the dns identifier (digital.gaston-schul.com) from the order
TlsAlpn01Challenge challenge = auth.findChallenge(TlsAlpn01Challenge.class);
Identifier identifier = auth.getIdentifier();
byte[] acmeValidation = challenge.getAcmeValidation();
KeyPair certKeyPair = KeyPairUtils.createKeyPair(2048);
// self-signed certificate with the identifier as SAN and the acmeIdentifier extension
X509Certificate cert = CertificateUtils.createTlsAlpn01Certificate(certKeyPair, identifier, acmeValidation);
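
The rest of the cycle around that snippet (provision the entry, reload Jetty, trigger, poll, remove), as an added example that is neither the acme4j documentation's code nor the OSGi setup described in the earlier comments on KeyStoreScanner and the cyclic barrier: it writes the challenge entry into the keystore Jetty serves from and calls SslContextFactory.reload synchronously, so there is nothing to wait for. Assumptions: keystore and key passwords are the same char[], the alias is a free choice, the keystore file is the one configured on the SslContextFactory, and the poll interval and attempt count are placeholders.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.cert.X509Certificate;

import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.shredzone.acme4j.Authorization;
import org.shredzone.acme4j.Status;
import org.shredzone.acme4j.challenge.TlsAlpn01Challenge;
import org.shredzone.acme4j.exception.AcmeException;
import org.shredzone.acme4j.exception.AcmeRetryAfterException;
import org.shredzone.acme4j.util.CertificateUtils;
import org.shredzone.acme4j.util.KeyPairUtils;

/** Provision, trigger, poll and clean up one tls-alpn-01 authorization against a live Jetty keystore. */
public class TlsAlpn01Provisioner
{
    private final Path keyStorePath;                       // file configured on the SslContextFactory
    private final char[] password;                         // assumed: keystore password == key password
    private final String acmeAlias;                        // e.g. "acme_challenge_key"
    private final SslContextFactory.Server sslContextFactory;

    public TlsAlpn01Provisioner(Path keyStorePath, char[] password, String acmeAlias, SslContextFactory.Server sslContextFactory)
    {
        this.keyStorePath = keyStorePath;
        this.password = password;
        this.acmeAlias = acmeAlias;
        this.sslContextFactory = sslContextFactory;
    }

    /** Returns true when the CA marked the challenge valid. The challenge entry is removed in every case. */
    public boolean validate(Authorization auth) throws Exception
    {
        TlsAlpn01Challenge challenge = auth.findChallenge(TlsAlpn01Challenge.class);
        if (challenge == null)
            throw new AcmeException("CA offers no tls-alpn-01 challenge for " + auth.getIdentifier());

        // Self-signed certificate: identifier as dNSName SAN plus the critical acmeIdentifier extension.
        KeyPair keyPair = KeyPairUtils.createKeyPair(2048);
        X509Certificate cert = CertificateUtils.createTlsAlpn01Certificate(keyPair, auth.getIdentifier(), challenge.getAcmeValidation());

        KeyStore keyStore = load();
        keyStore.setKeyEntry(acmeAlias, keyPair.getPrivate(), password, new X509Certificate[]{cert});
        storeAndReload(keyStore);
        try
        {
            challenge.trigger();
            // The CA now connects with ALPN acme-tls/1 and SNI = identifier; poll until it decides.
            for (int i = 0; i < 20 && (challenge.getStatus() == Status.PENDING || challenge.getStatus() == Status.PROCESSING); i++)
            {
                Thread.sleep(3000L);
                try
                {
                    challenge.update();
                }
                catch (AcmeRetryAfterException e)
                {
                    // status unchanged; the CA asked us to come back later, the next sleep covers it
                }
            }
            return challenge.getStatus() == Status.VALID;
        }
        finally
        {
            // "Remember to remove the validation resource": never leave the challenge key in service.
            KeyStore cleaned = load();
            if (cleaned.containsAlias(acmeAlias))
                cleaned.deleteEntry(acmeAlias);
            storeAndReload(cleaned);
        }
    }

    private KeyStore load() throws GeneralSecurityException, IOException
    {
        KeyStore keyStore = KeyStore.getInstance(sslContextFactory.getKeyStoreType());
        try (InputStream in = Files.newInputStream(keyStorePath))
        {
            keyStore.load(in, password);
        }
        return keyStore;
    }

    private void storeAndReload(KeyStore keyStore) throws Exception
    {
        try (OutputStream out = Files.newOutputStream(keyStorePath))
        {
            keyStore.store(out, password);
        }
        // Synchronous reload: the written entry is live when this returns, no scanner latency involved.
        sslContextFactory.reload(scf -> {});
    }
}
```

Keeping a KeyStoreScanner configured as well is harmless; it will notice the rewritten file and reload once more. What matters for security is the finally block: the challenge private key is only ever generated for this one validation and must not outlive it.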

sbordet commented 1 year ago

But you're not using the Pebble server in production, right?

I imagine your ACME server is also your TLS server?

I understand that the CA server issues the challenge to verify that you own digital.gaston-schul.com, so the challenge will arrive with that SNI and the acme-tls/1 protocol.

I don't understand how you get an SNI of localhost to renew your digital.gaston-schul.com domain.

Maurice-Betzel commented 1 year ago

I do not use Pebble in production, definitely not, I shoot against Let’s Encrypt using the acme4j client with the acme://letsencrypt.org URI. The SNI in production = digital.gaston-schul.com = acme4j identifier.

Maurice-Betzel commented 1 year ago

Now I get what you mean with localhost and acme.invalid, from my log part. I only wanted to point out that I did debug throughout this Jetty class of SniX509ExtendedKeyManager, several times while developing and never had an exception.

sbordet commented 1 year ago

All right, if it works for you, great. I think a more generic solution would require wrapping of the KeyManager, but perhaps for simpler cases this is not required. Thanks for your feedback.

github-actions[bot] commented 10 months ago

This issue has been automatically marked as stale because it has been a full year without activity. It will be closed if no further activity occurs. Thank you for your contributions.

cowwoc commented 1 month ago

@sbordet @Maurice-Betzel I'm about to head down the same road. I'm trying to migrate from a dns-01-based challenge to tls-alpn-01.

I see ACMETLS1ServerConnectionFactory above but what am I supposed to do with it? Do I pass it into the existing HTTP/2 ServerConnector, alongside the other connection factories?

The other missing piece is how to alter the certificate returned by this connection factory independently of that used for other factories? As far as I can tell, the certificate is configured using SslContextFactory.Server and it's shared by all connection factories passed into the ServerConnector.

My understanding of tls-alpn-01 is that we want to return the special-crafted certificate only to acme clients, not to normal users. How do we go about doing that?

@Maurice-Betzel if you ended up using this in production, I would appreciate any code snippets you could share :) Thank you in advance.

Ideally, I want all endpoints (except for the ACME connection handler) to respond with HTTP 503 ("Service Unavailable") until a proper certificate is installed. Then, once the ACME challenge is complete, I'd like to enable all the endpoints. I assume that Jetty supports dynamic removal/addition of connectors and Handlers without shutting down the server? Do I need to do anything special to inform the server that the configuration has changed?
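
Wiring for the questions above, as an added example that is not code from this issue, from Jetty's documentation or from either commenter's setup. It assumes Jetty 10 (javax.servlet; Jetty 11 uses jakarta.servlet), that acmeFactory is an instance of the ACMETLS1ServerConnectionFactory shown earlier in this thread (protocol name "acme-tls/1"), and that the port is a placeholder. The connector lists the ACME factory next to the HTTP/2 and HTTP/1.1 ones and includes its protocol in the ALPN preference list; Jetty dispatches the negotiated ALPN protocol to the connection factory registered under that name. The 503 part is done with a gating handler instead of adding or removing connectors at runtime: ACME handshakes terminate in the ACME connection factory and never reach the handler tree, so the gate affects only ordinary HTTP traffic.

```java
import java.io.IOException;
import java.util.concurrent.atomic.AtomicBoolean;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.eclipse.jetty.alpn.server.ALPNServerConnectionFactory;
import org.eclipse.jetty.http.HttpStatus;
import org.eclipse.jetty.http2.server.HTTP2ServerConnectionFactory;
import org.eclipse.jetty.server.ConnectionFactory;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.server.handler.HandlerWrapper;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class AcmeConnectorSetup
{
    /**
     * One TLS connector negotiating acme-tls/1, h2 and http/1.1 via ALPN.
     * acmeFactory: the ACMETLS1ServerConnectionFactory from this issue (protocol "acme-tls/1").
     */
    public static ServerConnector newConnector(Server server, SslContextFactory.Server sslContextFactory,
                                               ConnectionFactory acmeFactory, int port)
    {
        HttpConfiguration httpConfig = new HttpConfiguration();
        httpConfig.addCustomizer(new SecureRequestCustomizer());
        HttpConnectionFactory http11 = new HttpConnectionFactory(httpConfig);
        HTTP2ServerConnectionFactory h2 = new HTTP2ServerConnectionFactory(httpConfig);

        // Server-side preference order; browsers never offer acme-tls/1, so listing it first is safe.
        ALPNServerConnectionFactory alpn = new ALPNServerConnectionFactory(acmeFactory.getProtocol(), "h2", "http/1.1");
        alpn.setDefaultProtocol(http11.getProtocol()); // clients that send no ALPN get HTTP/1.1

        SslConnectionFactory tls = new SslConnectionFactory(sslContextFactory, alpn.getProtocol());
        // tls -> alpn, then one factory per negotiable protocol, found by its protocol name.
        ServerConnector connector = new ServerConnector(server, tls, alpn, acmeFactory, h2, http11);
        connector.setPort(port);
        return connector;
    }
}

/** Answers 503 to every request until open() is called, e.g. once the first real certificate is loaded. */
class CertificateGate extends HandlerWrapper
{
    private final AtomicBoolean open = new AtomicBoolean(false);

    public void open()
    {
        open.set(true);
    }

    @Override
    public void handle(String target, Request baseRequest, HttpServletRequest request, HttpServletResponse response)
        throws IOException, ServletException
    {
        if (!open.get())
        {
            response.setHeader("Retry-After", "60");
            response.sendError(HttpStatus.SERVICE_UNAVAILABLE_503);
            baseRequest.setHandled(true);
            return;
        }
        super.handle(target, baseRequest, request, response);
    }
}
```

Usage: wrap the application's handler in a CertificateGate, set the gate as the server handler, start the server with the connector above, and call gate.open() after the issued certificate has been stored and the SslContextFactory reloaded. Because nothing is added to or removed from the running Server, there is no configuration change to signal; the flag flip is immediately visible to all connector threads.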