Acme.sh supports tls-alpn mode and buypass.com CA now

There are 2 improvements in acme.sh:

1. The tls-alpn-01 mode is supported now.

acme.sh --issue -d example.com  --alpn

It will listen on localhost port 443 and validate the domain using the tls-alpn-01 method.

2. Support for another ACME CA: buypass.com

www.buypass.com is another publicly trusted CA supporting the ACME protocol.

acme.sh --server https://api.buypass.com/acme/directory  \
         --issue -d example.com -d www.example.com .....

See more details: https://github.com/Neilpang/acme.sh/wiki/BuyPass.com-CA

Please report bugs to our github if you find any problems.

Thanks.

8 Likes

This is mind blowing:
Unlimited number of domains in one certificate

1 Like

This is awesome work, planning to add other Acme providers to certify as well. I believe various operating system limits affect usable SAN size. On windows I think you have 4KB to play with: https://social.technet.microsoft.com/wiki/contents/articles/3306.pki-faq-what-is-the-maximum-number-of-names-that-can-be-included-in-the-san-extension.aspx

2 Likes

Nice work, Neil! I’ll definitely mention this to people who are having trouble with the TLS-SNI-01 deprecation and can only use port 443.

2 Likes

It seems that the buypass free cert only supports one domain (and its “www” prefix version).

for example:

example.com
www.example.com

or:

sub.example.com
www.sub.example.com

1 Like

Awesome. I've started a wiki page up to document using TLS-ALPN + acme.sh without taking the web server offline. Currently only nginx works, but I'm working on submitting a patch for haproxy to support it as well.

4 Likes

[This is NOT a one-size-fits-all recommendation]
But, for those that have the ability to redirect inbound port 443 to any other port, the solution may even be simpler; in that, you could set up the ALPN listener on any unused port and then just update the router/firewall to connect external:443 to internal:ALPN port.
This may be especially useful/expeditious for those with very many virtual hosts:

  • All vhosts would remain on 443.
  • The router/firewall would direct all inbound 443 to the ALPN listener.
  • The ALPN listener would proxy to all 443 vhosts and handle ALPN auth requests (as needed).

2 Likes
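One concrete way to get the "ALPN listener in front, vhosts untouched" setup described in the two posts above, as an added example that is not from the thread or from the acme.sh wiki: an nginx stream block on port 443 that reads the ClientHello ALPN list (without terminating TLS) and hands acme-tls/1 handshakes to the acme.sh listener while everything else goes to the real vhosts. Assumed ports: 10443 for acme.sh (`acme.sh --issue -d example.com --alpn --tlsport 10443`) and 8443 for the existing HTTPS vhosts, which must be moved off 443.

```nginx
# Added example config, not part of acme.sh or the thread.
# Requires nginx built with the stream and stream_ssl_preread modules (nginx >= 1.13.10).
# Assumed: acme.sh listens on 127.0.0.1:10443 (--alpn --tlsport 10443),
#          the normal HTTPS vhosts listen on 127.0.0.1:8443.
stream {
    # $ssl_preread_alpn_protocols is the comma-separated ALPN list from the ClientHello.
    # Only a client that explicitly offers acme-tls/1 (the CA's validator) reaches acme.sh;
    # browsers offer h2/http/1.1 and fall through to the default.
    map $ssl_preread_alpn_protocols $tls_upstream {
        ~\bacme-tls/1\b  127.0.0.1:10443;   # ACME TLS-ALPN-01 validation traffic only
        default          127.0.0.1:8443;    # everything else: the real vhosts
    }

    server {
        listen 443;
        listen [::]:443;
        ssl_preread on;          # inspect SNI/ALPN, do not decrypt
        proxy_pass $tls_upstream;
    }
}
```

Because the stream proxy forwards raw TCP, the backend vhosts will log 127.0.0.1 as the client unless PROXY protocol is enabled on both sides; check with `nginx -t` and a `curl -v --alpn` style handshake that only the acme-tls/1 offer is routed to the acme.sh port.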

That's pretty clever, went over my head the first time I read it but yes, it'd work great!

Anyway, patch merged, so now haproxy>=1.9.1+acme.sh is a usable TLS-ALPN combination.

5 Likes

That's very cool! Thanks @_az!!!

2 Likes
