TLS-ALPN01 challenge support #588

Open
kariustobias opened this issue Nov 20, 2024 · 2 comments
Labels
question Further information is requested

Comments

@kariustobias

Does posh-acme support the TLS-ALPN01 challenge? I read in the documentation that publishing the challenge should be supported, but is it implemented yet? If not, are there any plans on implementing it in the future?

@rmbolger rmbolger self-assigned this Nov 20, 2024
@rmbolger rmbolger added the question Further information is requested label Nov 20, 2024
@rmbolger
Owner

Unfortunately, tls-alpn-01 is not yet supported in any meaningful way. Technically, the challenge data is available in the authorization objects for a given order (Get-PAAuthorization). If you can find a way to "publish" the challenge to an ALPN capable web server, you could then use Send-ChallengeAck to have the ACME CA validate it and then finalize and complete the order. But there's nothing in the module to help with that "publish" step.

The problem is that the protocol lives in the TLS implementation of the web server. And historically, not a lot of web servers are even capable of using ALPN, let alone programmatically. Realistically any sort of alpn plugin would have to be web server specific. A self-hosted plugin using .NET's Kestrel web server might be possible. But I don't really have the expertise to figure it out unless someone else had already done it on another .NET open source project. And it would probably never work with PowerShell 5.1 where Kestrel doesn't exist.
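
For readers who want to see what the missing "publish" step actually has to produce, here is an added example (not Posh-ACME code, and not from anyone in this thread) that computes, with only the Python standard library, the data RFC 8737 requires a tls-alpn-01 responder to present: the RFC 7638 thumbprint of the account key, the RFC 8555 key authorization, and the DER value of the `acmeIdentifier` certificate extension. It also includes a checker of the kind a validator, or an operator testing their own deployment, runs against the handshake result. The account JWK and token are sample values used only for illustration, and all function names are this example's own; the token is the value you would read from the authorization object's challenge list, and the self-signed certificate carrying the extension is what an ALPN-capable server would have to serve for the identifier before the challenge is acknowledged.

```python
import base64
import hashlib
import hmac
import json

# Constants from RFC 8737 (tls-alpn-01). This is an illustrative example, not Posh-ACME code.
ACME_TLS_ALPN_PROTOCOL = b"acme-tls/1"            # ALPN protocol id the validator must negotiate
ID_PE_ACME_IDENTIFIER_OID = "1.3.6.1.5.5.7.1.31"  # OID of the critical acmeIdentifier extension

# Sample inputs used only for illustration: an EC P-256 account key in JWK form and a
# challenge token. RFC 7638 thumbprinting hashes the JSON members, not the curve point,
# so the coordinates do not need to be a valid key for this example to run.
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout ACME and JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 JWK thumbprint: SHA-256 over only the required members of the key,
    serialized with lexicographically sorted names and no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    subset = {name: jwk[name] for name in required[jwk["kty"]]}
    canonical = json.dumps(subset, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1 key authorization: token '.' thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def acme_identifier_extension_value(token: str, jwk: dict) -> bytes:
    """DER-encoded value of the acmeIdentifier extension (RFC 8737 section 3): an
    OCTET STRING holding the SHA-256 digest of the key authorization. This is what
    the 'publish' step must embed in the self-signed validation certificate that is
    served when the peer negotiates ALPN 'acme-tls/1' for the identifier."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return bytes([0x04, len(digest)]) + digest  # tag OCTET STRING (0x04), length 32


def check_presented_challenge(alpn_selected: bytes, san_dns_names: list,
                              extension_value: bytes, identifier: str,
                              token: str, jwk: dict) -> bool:
    """Checks a validator (or an operator testing their own server) applies to the
    handshake result: the acme-tls/1 protocol was selected, the certificate's SAN
    holds exactly the identifier being validated, and the acmeIdentifier extension
    equals the expected digest, compared in constant time."""
    if alpn_selected != ACME_TLS_ALPN_PROTOCOL:
        return False
    if san_dns_names != [identifier]:
        return False
    expected = acme_identifier_extension_value(token, jwk)
    return hmac.compare_digest(extension_value, expected)


if __name__ == "__main__":
    ext = acme_identifier_extension_value(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    print("key authorization:", key_authorization(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK))
    print("acmeIdentifier extension value (hex):", ext.hex())
    print("presented challenge valid:",
          check_presented_challenge(b"acme-tls/1", ["example.com"], ext,
                                    "example.com", SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK))
```

The checker is deliberately strict about the SAN list and the negotiated protocol: a server that answers `acme-tls/1` with its ordinary certificate, or one that adds the extension to a certificate covering several names, fails validation even when the digest is right, which is the usual reason a hand-rolled responder is rejected by the CA.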

@webprofusion-chrisc
Contributor

I've seen some clients do ALPN themselves but you need exclusive control of port 443 (meaning you can't be using it for other https stuff), because you are directly controlling the TLS conversation at a fairly low level, at least during validation.

If you can't use HTTP domain validation, consider DNS. If you can't do DNS, I'm happy to provide suggestions on how you probably can.
