On 4/22/23, Patrick O'Callaghan <pocallaghan@xxxxxxxxx> wrote: > How does Apache set up a > certificate if it's only reachable via port 443, which requires a > certificate? It uses the ALPN feature of SSL/TLS that is ordinarily used to allow clients to select HTTP 2 over the default HTTP 1 to instead allow the Let's Encrypt service to select their special verification protocol so it doesn't interrupt normal traffic. Then your server will send a fake certificate that includes the verification token from Let's Encrypt since you won't have a real certificate yet. They used to use the SNI feature that allows clients to select one of multiple hostnames under one IP address using an obviously invalid hostname to trigger the fake certificate, but they later discovered far too many web hosters allowed people to configure their servers for any old domain name, even their invalid scheme, and thus issue certificates for any other customers domains on the same IP address, so they had to make it a little more complicated. _______________________________________________ users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
