Request to Enhance Certbot to Support HTTP/2 Protocol

Dear Let's Encrypt Team,

I am part of the Cisco Expressway team, and we use certbot as our ACME client to obtain certificates signed by Let's Encrypt. During our recent feature implementation to support HTTP/2 in all HTTP clients, we observed that certbot does not currently support HTTP/2. This was confirmed through packet captures where the ALPN extension only includes http/1.1.

Given the growing adoption and performance benefits of HTTP/2, we kindly request your consideration to enhance certbot to support the HTTP/2 protocol in its operations.

Please let us know if you need any additional information or logs from our side.

Thank you for your continued support.

Best regards,
Rahul Verma
Cisco Expressway Team
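The observation above ("the ALPN extension only includes http/1.1") is exactly the kind of thing worth checking with a tool rather than by eye. The following Python script is an added example, not code from the original post or from Certbot: it parses the ALPN extension out of a captured TLS ClientHello record (the bytes you would pull out of a pcap), and reports whether the client offered `h2`. So that it runs offline, it also constructs sample ClientHellos itself; the host name, the single cipher suite and the zeroed random value are constructed test input, not a real capture. The `negotiated_alpn` helper at the end is a live check that needs network access and is not part of the offline demo.

```python
import socket
import ssl
import struct

SNI_EXTENSION_TYPE = 0x0000   # server_name, RFC 6066
ALPN_EXTENSION_TYPE = 0x0010  # application_layer_protocol_negotiation, RFC 7301


def _sni_extension(hostname):
    host = hostname.encode("ascii")
    entry = struct.pack("!BH", 0, len(host)) + host  # name_type 0 = host_name
    body = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", SNI_EXTENSION_TYPE, len(body)) + body


def _alpn_extension(protocols):
    names = b"".join(struct.pack("!B", len(p)) + p.encode("ascii") for p in protocols)
    body = struct.pack("!H", len(names)) + names
    return struct.pack("!HH", ALPN_EXTENSION_TYPE, len(body)) + body


def build_client_hello(hostname, alpn_protocols=None):
    """Constructed minimal ClientHello record (TLS 1.2 framing) for offline tests."""
    extensions = _sni_extension(hostname)
    if alpn_protocols:
        extensions += _alpn_extension(alpn_protocols)
    body = (
        b"\x03\x03" + bytes(32)                 # client_version, zeroed random (constructed)
        + b"\x00"                               # empty session_id
        + struct.pack("!H", 2) + b"\x13\x01"    # one cipher suite, TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                           # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_alpn(record):
    """Return the protocol names in the ClientHello's ALPN extension, or None
    if the client sent no ALPN extension at all."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("record does not carry a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")

    pos = 2 + 32                                            # client_version + random
    pos += 1 + body[pos]                                    # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + body[pos]                                    # compression_methods
    if pos >= len(body):
        return None                                         # no extensions block
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        raise ValueError("extensions block overruns ClientHello")

    while pos + 4 <= end:
        ext_type, ext_data_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_data_len]
        pos += ext_data_len
        if ext_type != ALPN_EXTENSION_TYPE:
            continue                                        # e.g. server_name: skip
        list_len = struct.unpack("!H", data[:2])[0]
        names = data[2:2 + list_len]
        protocols, i = [], 0
        while i < len(names):
            n = names[i]
            protocols.append(names[i + 1:i + 1 + n].decode("ascii"))
            i += 1 + n
        return protocols
    return None


def offers_http2(record):
    """True if the ClientHello advertises 'h2' (HTTP/2 over TLS) via ALPN."""
    return "h2" in (parse_alpn(record) or [])


def negotiated_alpn(host, offered=("h2", "http/1.1"), port=443, timeout=5.0):
    """Live check (needs network): the protocol the server selects from `offered`."""
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(list(offered))
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.selected_alpn_protocol()


if __name__ == "__main__":
    # Constructed samples: an HTTP/1.1-only client vs. one that also offers h2.
    legacy = build_client_hello("acme-v02.api.letsencrypt.org", ["http/1.1"])
    modern = build_client_hello("acme-v02.api.letsencrypt.org", ["h2", "http/1.1"])
    print(parse_alpn(legacy), offers_http2(legacy))   # ['http/1.1'] False
    print(parse_alpn(modern), offers_http2(modern))   # ['h2', 'http/1.1'] True
```

To use it on a real capture, extract the first TLS record of the client-to-server stream (the ClientHello) as raw bytes and pass it to `parse_alpn`; a client that only ever lists `http/1.1` there can never be upgraded to HTTP/2 by the server, whatever the server supports. `negotiated_alpn("acme-v02.api.letsencrypt.org")` shows the complementary server-side view, i.e. what the directory endpoint picks when a client does offer `h2`.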

There are a few things that puzzle me about your request:

  1. Let's Encrypt does not develop the ACME client called Certbot. It's developed by the EFF. You can find the GitHub repository at certbot/certbot ("Certbot is EFF's tool to obtain certs from Let's Encrypt and (optionally) auto-enable HTTPS on your server. It can also act as a client for any other CA that uses the ACME protocol.").
  2. What do you mean by "in all HTTP clients, we observed that certbot does not currently support HTTP/2"? Certbot is an ACME client, not a webserver. HTTP clients would not be connecting to Certbot.
  3. For feature requests with Certbot, please open an issue on the GitHub repo linked above. GitHub unfortunately doesn't make it easy to search for "http/2" (it splits it up into "http" and "2", resulting in 1.5k found issues...), so there might already be a feature request asking to add HTTP/2 to the Apache and nginx plugins (if that's what your request is actually about, perhaps).

ACME runs over HTTP; they want their ACME requests to the CA directory to run over HTTP/2?

(LE's directory URL https://acme-v02.api.letsencrypt.org/directory supports HTTP/2.)

But like you said, Certbot feature requests don't belong here.


Might be 🤷. I'm not getting that directly from the post, though. They'd need to clarify.

If it's really about the HTTP client side of Certbot, then Certbot is limited by the capabilities of commonly used Python HTTP libraries. It currently uses urllib3, which does not support HTTP/2 yet.


@rahulverma as others have mentioned, there is a need for some clarification in the question. Do you mean:

  • you are using certbot to acquire certificates and it doesn't present a tls-alpn-01 response when operating in that mode over http/2?
  • Let's Encrypt's own validation clients are not able to negotiate tls-alpn-01 domain validation challenges when presented by a server over http/2?

@webprofusion I don't think this is about the tls-alpn-01 challenge.

We probably should just wait for clarification from OP.


@Osiris ah thanks, yes I see, it's ALPN as in using that to negotiate an upgrade to HTTP/2.

