[prev in list] [next in list] [prev in thread] [next in thread] 

List:       fedora-list
Subject:    Re: Certbot error
From:       "T.C. Hollingsworth" <tchollingsworth () gmail ! com>
Date:       2023-04-23 19:51:59
Message-ID: CAJVv0OnWGufYFju2ds2i+wWC5BZeEp66TXRbgDpyw=5_=oe97g () mail ! gmail ! com
[Download RAW message or body]

On 4/22/23, Patrick O'Callaghan <pocallaghan@gmail.com> wrote:
> How does Apache set up a
> certificate if it's only reachable via port 443, which requires a
> certificate?

It uses the ALPN feature of SSL/TLS that is ordinarily used to allow
clients to select HTTP 2 over the default HTTP 1 to instead allow the
Let's Encrypt service to select their special verification protocol so
it doesn't interrupt normal traffic. Then your server will send a fake
certificate that includes the verification token from Let's Encrypt
since you won't have a real certificate yet.

They used to use the SNI feature that allows clients to select one of
multiple hostnames under one IP address using an obviously invalid
hostname to trigger the fake certificate, but they later discovered
far too many web hosters allowed people to configure their servers for
any old domain name, even their invalid scheme, and thus issue
certificates for any other customers domains on the same IP address,
so they had to make it a little more complicated.
_______________________________________________
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

[prev in list] [next in list] [prev in thread] [next in thread]