@bavshin-f5 bavshin-f5 commented Aug 12, 2025

tls-alpn-01 challenge is supposed to be processed by a TLS-enabled listener on port 443.

There are two important details to consider:

  1. A TCP load-balancer in front of NGINX may send the traffic to a different port. The stream pass directive can play a similar role. Thus, we should not make an assumption about a listener object that receives the connection, and should configure all the SSL listener objects to accept the challenge verification requests.
  2. The challenge implementation requires accepting the acme-tls/1 ALPN protocol and sending a certificate with key authorization extension in response. Either requires bypassing the regular NGINX SSL callbacks. In addition, we'd want to avoid handling the challenge on a server with client authentication enabled.

And that's how we arrived at the implementation in this PR: create a new server SSL_CTX, filter the connections in the ClientHello callback and switch to the new context if necessary.

Remaining items:
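The mechanism sketched in the description above (accept the acme-tls/1 ALPN protocol, pick out the pending challenge by the SNI name, stay on the regular context when the server authenticates clients, and answer with a certificate carrying the digest of the key authorization), modelled as an added Python example. This is not the nginx-acme project's code or the code in this PR; the function names (`parse_extensions`, `select_context`, `build_extensions`, and so on), the sample account key and the sample ClientHello extension bytes are constructed for illustration. It parses only the extensions block of a ClientHello rather than a full handshake record, and it produces the inner DER value of the acmeIdentifier extension rather than a whole certificate.

```python
import base64
import hashlib
import json

ACME_TLS_ALPN = b"acme-tls/1"   # ALPN name that marks a tls-alpn-01 validation (RFC 8737)
EXT_SERVER_NAME = 0              # server_name extension type (RFC 6066)
EXT_ALPN = 16                    # ALPN extension type (RFC 7301)
# The acmeIdentifier extension OID is 1.3.6.1.5.5.7.1.31 (RFC 8737 section 3).


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: base64url(SHA-256(canonical JSON of the required members))."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}
    canonical = json.dumps({k: jwk[k] for k in required[jwk["kty"]]},
                           sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(hashlib.sha256(canonical).digest()).rstrip(b"=").decode()


def key_authorization(token: str, jwk: dict) -> str:
    """ACME key authorization (RFC 8555 section 8.1): token '.' account-key thumbprint."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def acme_identifier_extension_value(key_auth: str) -> bytes:
    """Inner DER of the critical acmeIdentifier extension: an OCTET STRING (tag 0x04,
    length 0x20) holding SHA-256(key authorization); extnValue wraps it once more."""
    return b"\x04\x20" + hashlib.sha256(key_auth.encode("ascii")).digest()


def parse_extensions(block: bytes) -> dict:
    """Split a ClientHello extensions block (2-byte total length, then
    type/length/data records) into {extension_type: extension_data}."""
    if len(block) < 2 or int.from_bytes(block[:2], "big") != len(block) - 2:
        raise ValueError("bad extensions block length")
    out, pos = {}, 2
    while pos < len(block):
        if pos + 4 > len(block):
            raise ValueError("truncated extension header")
        ext_type = int.from_bytes(block[pos:pos + 2], "big")
        ext_len = int.from_bytes(block[pos + 2:pos + 4], "big")
        pos += 4
        if pos + ext_len > len(block) or ext_type in out:
            raise ValueError("truncated or duplicate extension")
        out[ext_type] = block[pos:pos + ext_len]
        pos += ext_len
    return out


def parse_sni(data: bytes) -> str:
    """Extract host_name from a server_name extension (RFC 6066 section 3)."""
    if len(data) < 5 or data[2] != 0:  # only NameType host_name(0) is defined
        raise ValueError("unsupported or truncated server_name extension")
    list_len = int.from_bytes(data[:2], "big")
    name_len = int.from_bytes(data[3:5], "big")
    if list_len != name_len + 3 or len(data) != name_len + 5 or name_len == 0:
        raise ValueError("bad server_name lengths")
    return data[5:].decode("ascii")


def parse_alpn(data: bytes) -> list:
    """Extract the protocol names from an ALPN extension (RFC 7301 section 3.1)."""
    if len(data) < 2 or int.from_bytes(data[:2], "big") != len(data) - 2:
        raise ValueError("bad ALPN list length")
    names, pos = [], 2
    while pos < len(data):
        n = data[pos]
        pos += 1
        if n == 0 or pos + n > len(data):
            raise ValueError("bad ALPN protocol name length")
        names.append(data[pos:pos + n])
        pos += n
    return names


def select_context(extensions: dict, pending: dict, client_auth: bool) -> str:
    """Decision a ClientHello callback would take: "challenge" to switch the
    connection to the dedicated SSL_CTX, "regular" to leave it on the server's
    normal context. `pending` maps lower-case identifiers with an outstanding
    tls-alpn-01 challenge to their prepared acmeIdentifier extension value."""
    if client_auth:
        return "regular"  # never answer challenges on a server that authenticates clients
    alpn = extensions.get(EXT_ALPN)
    if alpn is None or ACME_TLS_ALPN not in parse_alpn(alpn):
        return "regular"
    sni = extensions.get(EXT_SERVER_NAME)
    if sni is None:
        return "regular"
    host = parse_sni(sni).lower().rstrip(".")
    return "challenge" if host in pending else "regular"


def build_extensions(sni: str, alpn: list) -> bytes:
    """Constructed sample input: an extensions block with server_name and ALPN."""
    host = sni.encode("ascii")
    sni_data = (len(host) + 3).to_bytes(2, "big") + b"\x00" + len(host).to_bytes(2, "big") + host
    alpn_list = b"".join(len(p).to_bytes(1, "big") + p for p in alpn)
    alpn_data = len(alpn_list).to_bytes(2, "big") + alpn_list
    body = (EXT_SERVER_NAME.to_bytes(2, "big") + len(sni_data).to_bytes(2, "big") + sni_data
            + EXT_ALPN.to_bytes(2, "big") + len(alpn_data).to_bytes(2, "big") + alpn_data)
    return len(body).to_bytes(2, "big") + body
```

The point of keeping `select_context` separate from the parsers is that it is the only piece whose result changes security posture: a client that offers acme-tls/1 for a name with no outstanding challenge, or that reaches a server requiring client certificates, stays on the regular context and never sees the validation certificate. The parsers reject duplicate extensions, zero-length names and inconsistent length fields, which is where a hand-written ClientHello inspection most often goes wrong.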


github-actions bot commented Aug 12, 2025

✅ All required contributors have signed the F5 CLA for this PR. Thank you!
Posted by the CLA Assistant Lite bot.

@bavshin-f5 (Member, Author)

I have hereby read the F5 CLA and agree to its terms

@bavshin-f5 bavshin-f5 linked an issue Aug 12, 2025 that may be closed by this pull request
@bavshin-f5 bavshin-f5 force-pushed the tls-alpn-01 branch 5 times, most recently from be0c668 to 285d4f3 Compare September 16, 2025 00:37
@bavshin-f5 bavshin-f5 force-pushed the tls-alpn-01 branch 3 times, most recently from 8658e26 to 0dfab5e Compare September 23, 2025 02:27
@bavshin-f5 bavshin-f5 marked this pull request as ready for review September 23, 2025 04:00
@bavshin-f5 bavshin-f5 requested a review from Copilot September 23, 2025 04:00

@Copilot Copilot AI left a comment


Pull Request Overview

This PR implements the tls-alpn-01 challenge for ACME certificate validation as defined in RFC8737. The TLS ALPN challenge requires serving a special certificate with key authorization extension on port 443 when the client advertises the acme-tls/1 ALPN protocol.

Key changes implemented:

  • Added complete TLS ALPN challenge solver with SSL context switching and certificate generation
  • Extended configuration to support challenge type selection (http-01 or tls-alpn-01)
  • Added identifier parsing for both DNS names and IP addresses (including reverse DNS lookups)

Reviewed Changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 3 comments.

File                           Description
src/acme/solvers/tls_alpn.rs   Core TLS ALPN challenge implementation with SSL callbacks and certificate generation
src/state.rs                   Added TLS ALPN solver state to shared data structure
src/lib.rs                     Integrated TLS ALPN solver into main module with configuration merging
src/conf/issuer.rs             Added challenge type field to issuer configuration
src/conf/identifier.rs         Added Display trait implementation for identifiers
src/conf.rs                    Added challenge configuration command and SSL context to main config
src/acme.rs                    Extended authorization context with private key reference
t/acme_tls_alpn.t              Test suite for TLS ALPN challenge functionality
build.rs                       Added nginx version detection for SSL client hello callback support
README.md                      Updated documentation to reflect TLS ALPN support
.github/workflows/ci.yaml      Updated nginx reference for CI compatibility


@bavshin-f5 bavshin-f5 force-pushed the tls-alpn-01 branch 2 times, most recently from 1b5f595 to b3e1dc6 Compare September 23, 2025 05:20
@bavshin-f5 (Member, Author)

Ready for review, but cannot be merged until the nginx PR lands.

@xeioex xeioex (Contributor) left a comment


Otherwise looks good.

Successfully merging this pull request may close these issues.

[RFC8737] TLS-ALPN-01 Challenge
2 participants