tls-alpn-01 challenge, you prove to the CA that you are able to control the web server of the domain to be authorized, by letting it respond to a request with a specific self-signed cert utilizing the ALPN extension. This challenge is specified in RFC 8737.
You need to create a self-signed certificate with the domain to be validated set as the only Subject Alternative Name. The byte array provided by
challenge.getAcmeValidation() must be set as DER encoded
OCTET STRING extension with the object id
220.127.116.11.18.104.22.168.31. It is required to set this extension as critical.
acme4j does the heavy lifting for you though, and provides a certificate that is ready to use. It is valid for 7 days, which is ample of time to perform the validation.
TlsAlpn01Challenge challenge = auth.findChallenge(TlsAlpn01Challenge.class);
Identifier identifier = auth.getIdentifier();
KeyPair certKeyPair = KeyPairUtils.createKeyPair(2048);
X509Certificate cert = challenge.createCertificate(certKeyPair, identifier);
certKeyPair to let your web server respond to TLS requests containing an ALPN extension with the value
acme-tls/1 and a SNI extension containing your subject (
When the validation is completed, the
certKeyPair are not used anymore and can be disposed.
The request is sent to port 443 only. If your domain has multiple IP addresses, the CA randomly selects some of them. There is no way to choose a different port or a fixed IP address.
Your server should be able to handle multiple requests to the challenge. The ACME server may check your response multiple times, and from different IPs. Also keep your response available until the
Authorization status has changed to