💾 Archived View for galanonim.smol.pub › alpn captured on 2024-12-17 at 11:10:53. Gemini links have been rewritten to link to archived content

TLS-ALPN-01

Automated Certificate Management Environment Transport Layer Security Application‑Layer Protocol Negotiation Challenge Extension 🤓🤓🤓

Have you ever tried to host your own website on your **own** server *(not some cloud VPS shit)*?

If so, you might have been stopped by *port forwarding™️ ✨✨✨*.

Everything is nice and easy **until** you have to add the whole TLS thingy.

To add TLS encryption to your website, you have to generate a key pair: a private key that stays on the server and a public key that goes into a certificate. The certificate (**not** the private key, which never leaves the box) **must** be signed by a certificate authority (CA) that browsers already trust, otherwise anyone in the path could MITM (Man-In-The-Middle) you with a certificate made up on the spot. Signing transfers trust from the server that says *bro, im totally w3.org, trust me* to the CA, which actually tests (**challenges**) the server to prove that it controls w3.org before signing anything.

There is nothing difficult in forwarding some ports, **but** often your ISP will block inbound port 80, which the CA's validation servers have to reach for the

HTTP-01 challenge.

They will follow a redirect to HTTPS, but the very first request always goes to port 80, so if that port is blocked the challenge is dead.

So... maybe let's try a different challenge. How about

DNS-01 challenge?

This, on the other hand, requires that you can create DNS records in your domain (the CA looks for a TXT record at `_acme-challenge.<your domain>`, or a CNAME that delegates it somewhere else), which again might be blocked (or at least it was in my case).

When I was testing some Go(lang) web frameworks, I saw that they often listed *autotls* on their features list.

I've decided to check out what it is and **magically ✨✨✨** it generated a signed private key for me! 😲 At this point, I was amazed and wanted to find out **HOW?!**

If you don't know exactly what you want to ask about, there isn't a better place than *StackOverflow™️*, so I've asked

this question.

I got the response that this magic spell can be used by saying

*Automated Certificate Management Environment Transport Layer Security Application‑Layer Protocol Negotiation Challenge Extension*.

After **a lot** of ~~googling~~ *searching-information-on-the-internet* I learned that TLS-ALPN-01 does this magic by not requiring port 80 for the challenge at all; the only thing that you need is an open port 443 (the HTTPS port).
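To make the magic concrete, here is what both sides actually do, as an added example in Go (not code from the original post, and not Caddy's or any framework's implementation; it follows the rules in RFC 8737, and the function names, the domain `lubiak.k.vu` and the key authorization string `tokenXYZ.jwkThumbprint` used in the comments are made up for the demo). The web server mints a throwaway self-signed certificate whose only SAN is the domain and which carries the SHA-256 of the ACME key authorization in a critical `acmeIdentifier` extension; it hands that certificate out only to a client whose ClientHello offers ALPN `acme-tls/1` with the domain as SNI, and every other client keeps getting the real site certificate. The CA connects on 443 the same way, skips chain verification (a self-signed cert is the expected answer) and instead checks the SAN and the extension value:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)

// From RFC 8737: the ALPN protocol the CA offers and the OID of the
// id-pe-acmeIdentifier extension the challenge certificate must carry.
const acmeALPN = "acme-tls/1"

var oidACMEIdentifier = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31}

// ChallengeCert builds the throwaway self-signed certificate the web server
// presents during the challenge: one SAN (the domain) and a critical
// acmeIdentifier extension holding SHA-256(keyAuthorization) as an OCTET STRING.
// keyAuthorization is the ACME "<token>.<account key thumbprint>" string; the
// value used by the caller in this demo is a made-up sample.
func ChallengeCert(domain, keyAuthorization string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	digest := sha256.Sum256([]byte(keyAuthorization))
	extValue, _ := asn1.Marshal(digest[:]) // DER OCTET STRING; cannot fail for a []byte
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		DNSNames:        []string{domain},
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(24 * time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: oidACMEIdentifier, Critical: true, Value: extValue}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// ValidateChallengeCert is what the CA's validator checks on the leaf it got:
// no chain verification (the cert is self-signed on purpose), only the SAN
// and the critical extension value.
func ValidateChallengeCert(der []byte, domain, keyAuthorization string) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	if len(cert.DNSNames) != 1 || cert.DNSNames[0] != domain {
		return errors.New("certificate must have exactly one dNSName SAN equal to the domain")
	}
	want := sha256.Sum256([]byte(keyAuthorization))
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidACMEIdentifier) {
			continue
		}
		var got []byte
		rest, err := asn1.Unmarshal(ext.Value, &got)
		switch {
		case !ext.Critical:
			return errors.New("acmeIdentifier extension must be marked critical")
		case err != nil || len(rest) != 0:
			return errors.New("malformed acmeIdentifier extension")
		case subtle.ConstantTimeCompare(got, want[:]) != 1:
			return errors.New("acmeIdentifier digest does not match the key authorization")
		}
		return nil
	}
	return errors.New("acmeIdentifier extension missing")
}

// SelectCert is the tls.Config.GetCertificate hook: the challenge certificate
// goes out only when the ClientHello offers ALPN acme-tls/1 for a domain with
// a pending challenge, so browsers never see it. The server's tls.Config must
// also list acmeALPN in NextProtos or the negotiation fails.
func SelectCert(pending map[string]tls.Certificate) func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	return func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
		for _, proto := range hello.SupportedProtos {
			if proto == acmeALPN {
				if c, ok := pending[hello.ServerName]; ok {
					return &c, nil
				}
				return nil, errors.New("no pending TLS-ALPN-01 challenge for " + hello.ServerName)
			}
		}
		return nil, nil // not a challenge: fall back to tls.Config.Certificates, the real site cert
	}
}
```

Two properties matter when you run something like this behind a forwarded port 443: the challenge certificate must never be selected for a client that did not offer `acme-tls/1` (otherwise visitors get a scary self-signed cert for a moment), and the digest in the extension has to match the key authorization byte for byte, which is the whole proof of control. Nothing here speaks HTTP, which is exactly why port 80 is not needed.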

I could not use this type of challenge before because it is not implemented in *certbot* yet. Luckily, I found [this](https://caddyserver.com/) web server that had it implemented, and the only thing I needed to do to have a static HTTPS website was `sudo caddy file-server --root /mnt/HDD/git/website/public --domain lubiak.k.vu`... **awesome ✨✨✨**.