Implement TLS-ALPN-01 and integration test for it (letsencrypt#3654)

mdebski · cpu · commit bb9ddb124e56 · 2018-06-06T13:04:09.000-04:00
This implements newly proposed TLS-ALPN-01 validation method, as described in https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-01 This challenge type is disabled except in the config-next tree.
diff --git a/core/challenges.go b/core/challenges.go
@@ -22,3 +22,8 @@ func TLSSNIChallenge01() Challenge {
 func DNSChallenge01() Challenge {
 	return newChallenge(ChallengeTypeDNS01)
 }
+
+// TLSALPNChallenge01 constructs a random tls-alpn-01 challenge
+func TLSALPNChallenge01() Challenge {
+	return newChallenge(ChallengeTypeTLSALPN01)
+}
diff --git a/core/core_test.go b/core/core_test.go
@@ -33,9 +33,13 @@ func TestChallenges(t *testing.T) {
 	dns01 := DNSChallenge01()
 	test.AssertNotError(t, dns01.CheckConsistencyForClientOffer(), "CheckConsistencyForClientOffer returned an error")
 
+	tlsalpn01 := TLSALPNChallenge01()
+	test.AssertNotError(t, tlsalpn01.CheckConsistencyForClientOffer(), "CheckConsistencyForClientOffer returned an error")
+
 	test.Assert(t, ValidChallenge(ChallengeTypeHTTP01), "Refused valid challenge")
 	test.Assert(t, ValidChallenge(ChallengeTypeTLSSNI01), "Refused valid challenge")
 	test.Assert(t, ValidChallenge(ChallengeTypeDNS01), "Refused valid challenge")
+	test.Assert(t, ValidChallenge(ChallengeTypeTLSALPN01), "Refused valid challenge")
 	test.Assert(t, !ValidChallenge("nonsense-71"), "Accepted invalid challenge")
 }
 
diff --git a/core/objects.go b/core/objects.go
@@ -68,21 +68,20 @@ const (
 
 // These types are the available challenges
 const (
-	ChallengeTypeHTTP01   = "http-01"
-	ChallengeTypeTLSSNI01 = "tls-sni-01"
-	ChallengeTypeDNS01    = "dns-01"
+	ChallengeTypeHTTP01    = "http-01"
+	ChallengeTypeTLSSNI01  = "tls-sni-01"
+	ChallengeTypeDNS01     = "dns-01"
+	ChallengeTypeTLSALPN01 = "tls-alpn-01"
 )
 
 // ValidChallenge tests whether the provided string names a known challenge
 func ValidChallenge(name string) bool {
 	switch name {
-	case ChallengeTypeHTTP01:
-		fallthrough
-	case ChallengeTypeTLSSNI01:
-		fallthrough
-	case ChallengeTypeDNS01:
+	case ChallengeTypeHTTP01,
+		ChallengeTypeTLSSNI01,
+		ChallengeTypeDNS01,
+		ChallengeTypeTLSALPN01:
 		return true
-
 	default:
 		return false
 	}
@@ -233,7 +232,7 @@ type Challenge struct {
 	// For the V2 API the "URI" field is deprecated in favour of URL.
 	URL string `json:"url,omitempty"`
 
-	// Used by http-01, tls-sni-01, and dns-01 challenges
+	// Used by http-01, tls-sni-01, tls-alpn-01 and dns-01 challenges
 	Token string `json:"token,omitempty"`
 
 	// The expected KeyAuthorization for validation of the challenge. Populated by
@@ -279,7 +278,7 @@ func (ch Challenge) RecordsSane() bool {
 				return false
 			}
 		}
-	case ChallengeTypeTLSSNI01:
+	case ChallengeTypeTLSSNI01, ChallengeTypeTLSALPN01:
 		if len(ch.ValidationRecord) > 1 {
 			return false
 		}
diff --git a/core/objects_test.go b/core/objects_test.go
@@ -57,7 +57,7 @@ func TestChallengeSanityCheck(t *testing.T) {
   }`), &accountKey)
 	test.AssertNotError(t, err, "Error unmarshaling JWK")
 
-	types := []string{ChallengeTypeHTTP01, ChallengeTypeTLSSNI01, ChallengeTypeDNS01}
+	types := []string{ChallengeTypeHTTP01, ChallengeTypeTLSSNI01, ChallengeTypeDNS01, ChallengeTypeTLSALPN01}
 	for _, challengeType := range types {
 		chall := Challenge{
 			Type:   challengeType,
diff --git a/policy/pa.go b/policy/pa.go
@@ -445,6 +445,10 @@ func (pa *AuthorityImpl) ChallengesFor(identifier core.AcmeIdentifier, regID int
 			challenges = append(challenges, core.TLSSNIChallenge01())
 		}
 
+		if pa.ChallengeTypeEnabled(core.ChallengeTypeTLSALPN01, regID) {
+			challenges = append(challenges, core.TLSALPNChallenge01())
+		}
+
 		if pa.ChallengeTypeEnabled(core.ChallengeTypeDNS01, regID) {
 			challenges = append(challenges, core.DNSChallenge01())
 		}
diff --git a/test/PKI.md b/test/PKI.md
@@ -42,3 +42,7 @@ Intermediate 1 (happy hacker fake CA):
 
 Intermediate 2 (h2ppy h2cker fake CA):
    test-ca2.key test-ca2.pem
+
+Certificate test-example.pem, together with test-example.key are self-signed
+certs used in tests. They were generated using:
+   openssl req -x509 -newkey rsa:4096 -keyout test-example.key -out test-example.pem -days 36500 -nodes  -subj "/CN=www.example.com"
diff --git a/test/chisel.py b/test/chisel.py
@@ -10,15 +10,19 @@
 import json
 import logging
 import os
+import socket
 import sys
 import threading
 import time
 import urllib2
 
+from cryptography import x509
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.asymmetric import rsa
+from cryptography.hazmat.primitives.serialization import load_pem_private_key
 
 import OpenSSL
+from OpenSSL import SSL
 import josepy
 
 from acme import challenges
@@ -144,6 +148,12 @@ def http_01_answer(client, chall_body):
           chall=chall_body.chall, response=response,
           validation=validation)
 
+def tls_alpn_01_cert(client, chall_body, domain):
+    """Return x509 certificate for tls-alpn-01 challenge"""
+    response = chall_body.response(client.key)
+    cert, key = response.gen_cert(domain)
+    return key, cert
+
 def do_dns_challenges(client, authzs):
     cleanup_hosts = []
     for a in authzs:
@@ -190,6 +200,53 @@ def cleanup():
         thread.join()
     return cleanup
 
+def do_tlsalpn_challenges(client, authzs):
+    port = 5001
+    example_key, example_cert = load_example_cert()
+    server_certs = {'localhost': (example_key, example_cert)}
+    challs = {a.body.identifier.value: get_chall(a, challenges.TLSALPN01)
+        for a in authzs}
+    chall_certs = {domain: tls_alpn_01_cert(client, c, domain)
+        for domain, c in challs.items()}
+    # TODO: this won't be needed once acme standalone tls-alpn server serves
+    # certs correctly, not only challenge certs.
+    chall_certs['localhost'] = (example_key, example_cert)
+    server = standalone.TLSALPN01Server(("", port), server_certs, chall_certs)
+    thread = threading.Thread(target=server.serve_forever)
+    thread.start()
+
+    # Loop until the TLSALPN01Server is ready.
+    while True:
+        try:
+            s = socket.socket()
+            s.connect(("localhost", port))
+            client_ssl = SSL.Connection(SSL.Context(SSL.TLSv1_METHOD), s)
+            client_ssl.set_connect_state()
+            client_ssl.set_tlsext_host_name("localhost")
+            client_ssl.set_alpn_protos([b'acme-tls/1'])
+            client_ssl.do_handshake()
+            break
+        except (socket.error, SSL.Error):
+            time.sleep(0.1)
+        finally:
+            s.close()
+
+    for chall_body in challs.values():
+        client.answer_challenge(chall_body, chall_body.response(client.key))
+
+    def cleanup():
+        server.shutdown()
+        server.server_close()
+        thread.join()
+    return cleanup
+
+def load_example_cert():
+    keypem = open('test/test-example.key', 'rb').read()
+    key = OpenSSL.crypto.load_privatekey(OpenSSL.crypto.FILETYPE_PEM, keypem)
+    crtpem = open('test/test-example.pem', 'rb').read()
+    cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, crtpem)
+    return (key, cert)
+
 def auth_and_issue(domains, chall_type="dns-01", email=None, cert_output=None, client=None):
     """Make authzs for each of the given domains, set up a server to answer the
        challenges in those authzs, tell the ACME server to validate the challenges,
@@ -202,6 +259,8 @@ def auth_and_issue(domains, chall_type="dns-01", email=None, cert_output=None, c
         cleanup = do_http_challenges(client, authzs)
     elif chall_type == "dns-01":
         cleanup = do_dns_challenges(client, authzs)
+    elif chall_type == "tls-alpn-01":
+        cleanup = do_tlsalpn_challenges(client, authzs)
     else:
         raise Exception("invalid challenge type %s" % chall_type)
 
diff --git a/test/config-next/ca.json b/test/config-next/ca.json
@@ -142,7 +142,8 @@
     "challenges": {
       "http-01": true,
       "tls-sni-01": true,
-      "dns-01": true
+      "dns-01": true,
+      "tls-alpn-01": true
     }
   },
 
diff --git a/test/config-next/cert-checker.json b/test/config-next/cert-checker.json
@@ -9,7 +9,8 @@
     "challenges": {
       "http-01": true,
       "tls-sni-01": true,
-      "dns-01": true
+      "dns-01": true,
+      "tls-alpn-01": true
     }
   },
 
diff --git a/test/config-next/ra.json b/test/config-next/ra.json
@@ -99,7 +99,8 @@
     "challenges": {
       "http-01": true,
       "tls-sni-01": true,
-      "dns-01": true
+      "dns-01": true,
+      "tls-alpn-01": true
     },
     "challengesWhitelistFile": "test/challenges-whitelist.json"
   },
diff --git a/test/integration-test.py b/test/integration-test.py
@@ -164,15 +164,19 @@ def wait_for_ocsp_good(cert_file, issuer_file, url):
 def wait_for_ocsp_revoked(cert_file, issuer_file, url):
     fetch_until(cert_file, issuer_file, url, ": good", ": revoked")
 
-def test_multidomain():
-    auth_and_issue([random_domain(), random_domain()])
-
 def test_dns_challenge():
     auth_and_issue([random_domain(), random_domain()], chall_type="dns-01")
 
 def test_http_challenge():
     auth_and_issue([random_domain(), random_domain()], chall_type="http-01")
 
+def test_tls_alpn_challenge():
+    # TODO(@mdebski): Once the tls-alpn-01 challenge is enabled in pa.challenges
+    # by default, delete this early return.
+    if not default_config_dir.startswith("test/config-next"):
+        return
+    auth_and_issue([random_domain(), random_domain()], chall_type="tls-alpn-01")
+
 def test_issuer():
     """
     Issue a certificate, fetch its chain, and verify the chain and
diff --git a/test/test-example.key b/test/test-example.key
@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCe8pK/MXIjOmb2
+WJ1VkjxhT/q0Ms6X9juUZNvWotnlJfWduNTtY+xQeMs4ZK/+GVrH2BLIYNz+J8Ph
+3HqYoZ0Vrjs8VtKZY1oy//Rqipfp35ZT9PM4RZpCM4AueEv6JK0NNWCG8qOa3zap
+7PAjm1wWOCkZ5fphZYTo1gxIsQUc8kBlEHGSDJXG1raprAuZ2znOXbEhruK2djXW
+c1avE6SdP7NgsI3uygfQQVyjaJXcy+1DvRS06zxtBE8jTLH7L9knefaorGoWHG1g
+Q88jmkPMBultDII5R2MDxtJgyiOWriRqZ/Tr4X1Fxvwo15w7wVxoZdgswpHiX5yu
+RtvPdv6mmWY0I3I4exlyHhDZLuRic9DMT/IZFLPqvptIyWy5HChadHFmyc4tn+0t
+Sfk87v4bDrDuqcu9La3CPNP7lP+U+b5u2AmWjbvc+2tclzJf2rlhVT9DsYKgK2U3
+s/0Ar0Eyp7MZpUTSPNiddJ62PngLubwMYIQ6YHTM5JSyXoHP+isGOH8bPmP+HMHn
+Q5XT0MX+qsbaxKclk+2jnS66fJOhrbcqwPAn/hJe9UFczc5evKMr65oxptwCc7qS
+Z89wHaRiItcDqJW5zONG9lNc1zcNkf1Qnq3ePon2YECjJ2/+B98W9EOq/8RaCb7d
+OBWeiXpdCGODGMT7ZljDZlnjwf8zQwIDAQABAoICACfBdILt0yaMjQRA1dl5YjDU
+2FgJ/TJ1HCHZuELPKMDv5ac1e8yEma7nB61rQbnEjbg+izQjRiMrvwrXIrLaeXfa
+xGYrMTG8b+shqficAbM1gVwugEcq4ZJ9XypAXICMe9w55ZLbTaCHBB0sbkP5r+a+
+1UjtBNsnkT7LivcDj8vVq9Wbb0ygaTX6rmVx6tToyGSdeph6LaqFlqG055GS0DGk
+pTEh994qGho0vv8AQbugJhAzUuKNk+eQlFq37Cxvo1kEYHV/6mjtY04Yp8633w1B
+DVGBN3EsMc/YAvbCmHQvylvy9IerNrIlOxzcEO/BRWO3VYKch/CfCYltn70cfkS4
+Rqnw2vAekc2dQ8CVIXJqD2Tc0QODGpqpDc9V7svVx2TrQ0JOI9C2mPL2S1952E+U
+9qj+JO0iJoBzPz3uZGssKuQidbQn1Lz0pPBWLb2akfqKaXyrmjyKSqHYioFz4RTW
+4BoZGcejDOScf2kRDwMNVsZ75pc8hxQoW89nIg6s9Ix8S84qZf/Ey3w+jcosgtiw
+tmacE+zzJDsAesN6BpL5rV0dJFLNqkmLVubjhsvHWy7C8OpqVbuv6jSuxNUFOq7S
+NzT5RadBsFiWyNE6X3pS4JJY6VqXH20d+LE/Kd1ea1OuO/WzIU5CTfa6mJ6/0AUW
+BhKaBoRkMDNToi1ogbcBAoIBAQDTCC8HATATmUeMxjG2h9WuPXUoFkMofcEql3/e
+R6N3PU5GWDIWTXMNOtmuuPV4TF5CvdCnexP6uZNH+s/7RuTLHN4rdEKXIKlanhTE
+p/MyeyiskIkHFk/RxngwEhtgjTtU6tvfutZHR3ZXOtzE6npandv75+YCUrQHBGgK
+g6ohObVwcDqZJR4CQlFv5zj+FNMYA7E5EwHgGjXinZ82DWtjK1176poi+rI05OAD
+1WL7+w1AYXEbF6D2BTqjorlzDvRWzN/FuPsjFtXOhvt2JFob1fqS/a2GCM/LxPqn
+q5ULxko9z6zyljFk9nF+nwg62nMB/ifEpB53lWb1A1EP9k7xAoIBAQDA0S3ZRenl
+SMDCPxGHkofYKcio1DWPyUAikBXSj6FBKplx0AeTjD24pu7K4PxLOAZNqe9U7qhW
+wSruWzahzkc5Z/aqbj5jKg6f5dDU8dCagZvKulzhycQZCiGK+JueX972ABLmFmd0
+zyC4oFunZ4WvLN9EDBnY+Xszhayb71B3kJcb4zxA+r/zV3avawBcy9NvizNAc2Ov
+jz2tu6YiApK9/AQUJeoHnb8njc22JLkQYk7ssdv7Vdc4Zm89V4Io5tNrvhCjWize
+p2yr1kAYePPkrfBSeImrerZs6V3pqroQ02z8LLc5rJNJAwBEp8rGVd+vg5UMhVa0
+uD/FlgaYz41zAoIBAQCkICdDEV9svrdw+uvLBFXhz5aAeN/+a9+B2pXuMFUn9Zwd
+BZbe1Zl3Xp/STbNLvklJKwtOVmCxjQbI4n5C9V4XwfngXek0VIiiG3QXhm+UgUie
+/UI1KtslUXBEIrD8JJtSbd5XYJ4qjZ+yM+tjkuFZ/JAMmMzAXcX59ylblA8LDDDa
+o85PMRjntOBVYcVnhpauhKCevPOmcXwbJW+fwEwWsrFgIJOEROm4TZEUKi9zvksO
+GTq4UWY0MNjsTzBgFe9eWrRmuHlJTwc2OrDzr04NfBwHmhgMuGm0FxzCrqWapLs0
+24GsobcEyM54JgNmkmMD18DiJKo1YxLR16SB/5RhAoIBAQCal9w7xOtIEzHBTBHA
+8gIKlU211xbuprvOOlnUzaXLet02PEWmzh06bFUuwn5lzJB5OlOSdBryG8RRAT7n
+Ml02sJ07flJ07WZ2Wys5YHwRNPN08kDAIyYfsVi9dKBItbMs51g/tBzUsbEZdjCm
+IsEzdzW2+EDNDxHxeC6xg4mvo3UUPfe0XZcDAtA8yvyqah2m5CN+fEWjn6QjJD2K
+LSf8PRAEG3XtD1QQ4Yfajsz2TuvaqKuocuWw6agstXm9U3yVePkcD5PEHNZrW8de
+F7PsWG1DojM3Epcq8VyDmYe/L9TExxFMo4ofUtGnOiTBKl7C+SvKsymWkddHkwbN
+BDPzAoIBAGizq8iKh3E1Hpkz4bXBfTHoYDSqIYH/yyl4ZOL9q/VRKptxmQiOnJbv
+3zsHjm/NyKpRjuFh971+2Y7/QAUL3Z4IHDXIyfcUJt3SDK4ZSMf6r68KjiBGh7JM
+w00bEhcNg47TVVFBrIbeDNplD/A1gaY9s9qQ8IF2G2CP4X6WfhXNMViL1z7uG6jx
+SvWUNpqrykqWfFHqC+l06r00A8AAW70HGIsA0lpwbQbWm1qHx1/A26ppfce83CJI
+mKh4XR7eHZ9vparNclHZ3cmB5QLUJcedeTLKx8xQstBcofrvFJzAHAXwopprbAKg
+BwglSdDubVd9v6VVrjmSg6lqnbmBXY0=
+-----END PRIVATE KEY-----
diff --git a/test/test-example.pem b/test/test-example.pem
@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIFDDCCAvSgAwIBAgIJAMlbGcMCsKOdMA0GCSqGSIb3DQEBCwUAMBoxGDAWBgNV
+BAMMD3d3dy5leGFtcGxlLmNvbTAgFw0xODA1MTQxMzIzMzFaGA8yMTE4MDQyMDEz
+MjMzMVowGjEYMBYGA1UEAwwPd3d3LmV4YW1wbGUuY29tMIICIjANBgkqhkiG9w0B
+AQEFAAOCAg8AMIICCgKCAgEAnvKSvzFyIzpm9lidVZI8YU/6tDLOl/Y7lGTb1qLZ
+5SX1nbjU7WPsUHjLOGSv/hlax9gSyGDc/ifD4dx6mKGdFa47PFbSmWNaMv/0aoqX
+6d+WU/TzOEWaQjOALnhL+iStDTVghvKjmt82qezwI5tcFjgpGeX6YWWE6NYMSLEF
+HPJAZRBxkgyVxta2qawLmds5zl2xIa7itnY11nNWrxOknT+zYLCN7soH0EFco2iV
+3MvtQ70UtOs8bQRPI0yx+y/ZJ3n2qKxqFhxtYEPPI5pDzAbpbQyCOUdjA8bSYMoj
+lq4kamf06+F9Rcb8KNecO8FcaGXYLMKR4l+crkbbz3b+pplmNCNyOHsZch4Q2S7k
+YnPQzE/yGRSz6r6bSMlsuRwoWnRxZsnOLZ/tLUn5PO7+Gw6w7qnLvS2twjzT+5T/
+lPm+btgJlo273PtrXJcyX9q5YVU/Q7GCoCtlN7P9AK9BMqezGaVE0jzYnXSetj54
+C7m8DGCEOmB0zOSUsl6Bz/orBjh/Gz5j/hzB50OV09DF/qrG2sSnJZPto50uunyT
+oa23KsDwJ/4SXvVBXM3OXryjK+uaMabcAnO6kmfPcB2kYiLXA6iVuczjRvZTXNc3
+DZH9UJ6t3j6J9mBAoydv/gffFvRDqv/EWgm+3TgVnol6XQhjgxjE+2ZYw2ZZ48H/
+M0MCAwEAAaNTMFEwHQYDVR0OBBYEFFO1zLflE61aqAvRiN4PQu4FaKzdMB8GA1Ud
+IwQYMBaAFFO1zLflE61aqAvRiN4PQu4FaKzdMA8GA1UdEwEB/wQFMAMBAf8wDQYJ
+KoZIhvcNAQELBQADggIBAAsP13Ejo09QdJbrBa0qd3vmMXQJ84/LaR5vI7cWZ0W1
+fG7UJvivMpB3vhA2buTI2EGTqC2/uc8m0GD/UhW2zQvmPSt0BvbUjjWlQNd0hamw
+IafJfbRT5eiYYgsHbYcU9wfjDs7fad5/29qJ5FdI96eefuJIjtrdq8sUXDg3q929
+cH6t3dxuxUMjRZXBXTTZw7WkMnc1zvd6/1RSYSixkccZUlTrOjox19tPmmkwVFKH
+n7cnB9omZzRpAklYM7Tjx/tYxId3CL3lZzF9/yiVRotUIeTHTCyfY6oOS50Cf/8V
+pxl+xRNs2YguwblJOtS3yxgdiwbRK0vUKkcUJs73qZexIKYAMJU1VxZRSIQuNDAq
+/eL7lN+ZLzL3Q4vKjUaRZAS4qClwv6CFaBxUyK1gSFRU9OHYhW6mRYXpqGIN1GPb
+YAZwVb4pxwCMmIgLXW7BF6ykmx4o6sZsBLdiuQNrzAEkKbr8jgy/uTbKg2MHyzKa
+xcn0N74BiLhzYvnQAdZ7MKZmEI0PXUw/wou8SMSdCPGjXjKlB3zRzqZrgr7FofSc
+zSDC4MurJv3XLOpAIpJjQs2aewFKYMHxynfO1aco3OfPc8fFYempfcJJqtG9RhQQ
+tTetpbWjbW0YyNQUkYoxhG0qWpy8tVMX70SPNSZH5ASBOMxKGBpFmPwVk+em8ssd
+-----END CERTIFICATE-----
diff --git a/va/va.go b/va/va.go
diff --git a/va/va_test.go b/va/va_test.go

Original file line number	Diff line number	Diff line change
`@@ -22,3 +22,8 @@ func TLSSNIChallenge01() Challenge {`
`22`	`22`	`func DNSChallenge01() Challenge {`
`23`	`23`	`return newChallenge(ChallengeTypeDNS01)`
`24`	`24`	`}`
	`25`	`+`
	`26`	`+// TLSALPNChallenge01 constructs a random tls-alpn-01 challenge`
	`27`	`+func TLSALPNChallenge01() Challenge {`
	`28`	`+ return newChallenge(ChallengeTypeTLSALPN01)`
	`29`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -445,6 +445,10 @@ func (pa *AuthorityImpl) ChallengesFor(identifier core.AcmeIdentifier, regID int`
`445`	`445`	`challenges = append(challenges, core.TLSSNIChallenge01())`
`446`	`446`	`}`
`447`	`447`
	`448`	`+ if pa.ChallengeTypeEnabled(core.ChallengeTypeTLSALPN01, regID) {`
	`449`	`+ challenges = append(challenges, core.TLSALPNChallenge01())`
	`450`	`+ }`
	`451`	`+`
`448`	`452`	`if pa.ChallengeTypeEnabled(core.ChallengeTypeDNS01, regID) {`
`449`	`453`	`challenges = append(challenges, core.DNSChallenge01())`
`450`	`454`	`}`
Original file line number	Diff line number	Diff line change
`@@ -142,7 +142,8 @@`
`142`	`142`	`"challenges": {`
`143`	`143`	`"http-01": true,`
`144`	`144`	`"tls-sni-01": true,`
`145`		`- "dns-01": true`
	`145`	`+ "dns-01": true,`
	`146`	`+ "tls-alpn-01": true`
`146`	`147`	`}`
`147`	`148`	`},`
`148`	`149`
Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,8 @@`
`9`	`9`	`"challenges": {`
`10`	`10`	`"http-01": true,`
`11`	`11`	`"tls-sni-01": true,`
`12`		`- "dns-01": true`
	`12`	`+ "dns-01": true,`
	`13`	`+ "tls-alpn-01": true`
`13`	`14`	`}`
`14`	`15`	`},`
`15`	`16`