Port 443 only, but tls-sni-01 is deprecated


#1

My ISP is blocking port 80, but 443 is available. I am able to verify if I use --preferred-challenges tls-sni-01, but certbot says it is now deprecated. What other options are left (except DNS verification)?


#2

There are no other options currently supported by certbot, but the new tls-alpn-01 challenge, which works over port 443, is supported by some other clients. See the discussion at “Which client support tls-alpn challenge?”
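To make concrete what a tls-alpn-01 responder on port 443 has to do, here is an added example in Go using only the standard library; it is not code from this thread, from certbot or from any of the clients mentioned. It follows RFC 8737: the server advertises the ALPN protocol "acme-tls/1" and, for a ClientHello that offers it with SNI for the name under validation, presents a self-signed certificate whose single dNSName SAN is that name and which carries a critical acmeIdentifier extension (OID 1.3.6.1.5.5.7.1.31) holding the SHA-256 of the key authorization. The domain example.test and the key authorization "token.thumbprint" are placeholders; a real client receives the token from the CA and derives the thumbprint from its own account key.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// From RFC 8737: the ALPN protocol name and the OID of the acmeIdentifier extension.
const ACMEProtocol = "acme-tls/1"

var idPeAcmeIdentifier = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31}

// NewValidationCert builds the self-signed certificate a TLS-ALPN-01 responder presents.
// keyAuthorization is "<token>.<account key thumbprint>"; a real client gets it from the CA.
func NewValidationCert(domain, keyAuthorization string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	digest := sha256.Sum256([]byte(keyAuthorization))
	extValue, _ := asn1.Marshal(digest[:]) // DER OCTET STRING of the digest; a []byte always marshals
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: domain},
		DNSNames:        []string{domain}, // exactly one dNSName: the identifier under validation
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(24 * time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: idPeAcmeIdentifier, Critical: true, Value: extValue}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, _ := x509.ParseCertificate(der) // DER we just produced; parsing cannot fail
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// CheckValidationCert applies the checks the CA makes on the presented certificate. The
// certificate is self-signed, so no chain is verified: only the SAN and the extension count.
func CheckValidationCert(cert *x509.Certificate, domain, keyAuthorization string) error {
	if len(cert.DNSNames) != 1 || cert.DNSNames[0] != domain {
		return errors.New("need exactly one dNSName SAN equal to the identifier")
	}
	want := sha256.Sum256([]byte(keyAuthorization))
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(idPeAcmeIdentifier) {
			continue
		}
		if !ext.Critical {
			return errors.New("acmeIdentifier extension must be marked critical")
		}
		var got []byte
		if _, err := asn1.Unmarshal(ext.Value, &got); err != nil {
			return err
		}
		if !bytes.Equal(got, want[:]) {
			return errors.New("digest does not match the key authorization")
		}
		return nil
	}
	return errors.New("acmeIdentifier extension missing")
}

// ServerConfig is the port-443 listener side: hand out the validation certificate only when
// the ClientHello carries SNI for the validated name and offers acme-tls/1. This minimal
// config serves nothing else; a real responder would return its normal certificate instead.
func ServerConfig(domain string, cert tls.Certificate) *tls.Config {
	return &tls.Config{
		NextProtos: []string{ACMEProtocol},
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			for _, p := range hello.SupportedProtos {
				if p == ACMEProtocol && hello.ServerName == domain {
					return &cert, nil
				}
			}
			return nil, errors.New("not an acme-tls/1 validation request for " + domain)
		},
	}
}

func main() {
	cert, err := NewValidationCert("example.test", "token.thumbprint") // placeholder inputs
	if err != nil {
		panic(err)
	}
	fmt.Println("CA-side check:", CheckValidationCert(cert.Leaf, "example.test", "token.thumbprint"))
}
```

The binding to the ACME account key is what makes the check meaningful: anyone can put up a self-signed certificate on 443, but only the holder of the account key can produce the digest the CA expects, and the validation certificate is never used for anything but this handshake. Note that the example config answers only acme-tls/1 connections; on a host that also serves ordinary HTTPS, GetCertificate must fall back to the production certificate for every other ClientHello.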


#3

Thank you very much. Do you have any information on how far away Certbot TLS-ALPN-01 support is?


#4

I would say it’s a low priority for Certbot; Certbot is likely to prioritize making the DNS challenge easier over implementing TLS-ALPN-01.


#5

If you have access to any other Internet connected system that can accept port 80 connections, you may be able to CNAME those challenge requests to that other system.

If so, you may have to modify the renewal process to allow enough time for you to place the http challenge response in the other location.
[Which probably means a “slightly complicated” manual renewal (every 60-90 days)]


#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.