I have LE certs set up on several domains and they are set to auto-renew via an HTTP ACME challenge. This recently stopped working though as it appears an overzealous application firewall somewhere in our organization is blocking HTTP GETs including the /.well-known/acme-challenge/ string on port 80…

The challenge using port 443 is called tls-alpn-01. That's the challenge that will try port 443 the first time. The http-01 challenge will always start on port 80 and can only change protocols (and thus ports) using redirects. Changing the http-01 challenge to retry on an entire protocol (and thus …

[image] benmwebb: My proposal: the ACME protocol allows for a http->https redirect of course. Would you consider automatically trying an http->https substitution if the original ACME challenge fails in this way (perhaps only if HSTS is set up)? Just to add some clarity to the above comment by…

And they won't, because tls-alpn-01 is literally another protocol over TLS on port 443. RFC 8737 - Automated Certificate Management Environment (ACME) TLS Application-Layer Protocol Negotiation (ALPN) Challenge Extension (443 TCP, eh, http3 wasn't a thing yet)

@9peppe , they could still implement it alongside HTTP within the same software application—I think Caddy can natively do the TLS-ALPN challenge in addition to being a web server.

[image] Giuseppe C.: And they won't Well, Apache does support TLS-ALPN via mod_md . It just takes a while for packages to filter down to all LTS distributions. You can apt install apache2 && a2enmod md ssl on Debian Bullseye (maybe even earlier) and it will work. In my opinion it is slightly …

[image] Giuseppe C.: And they won't, because tls-alpn-01 is literally another protocol over TLS on port 443. IMHO: based on their earlier decisions, mission statement, and statements of employees - if there were a way to securely offer HTTPS validation outside of tls-alpn-01 that is available…

Yes, they can. It's a bit out of scope for a webserver. The one advantage of tls-alpn-01 is avoid interfering with http routing or the webroot. So you can host websites for arbitrary clients, and nothing they can do will break validation. It makes sense for a big provider. But for a single user wi…

Automatically try replacing http with https in ACME challenge?

Feature Requests

MikeMcQ April 26, 2022, 7:11pm 2

This sounds like you may have a Palo Alto brand firewall. They recently changed a default setting. See here:

Topic		Replies	Views
Chicken-or-egg on port 443 vs 80 on challenge Help	26	633	January 1, 2025
Acme challenges over HTTPS Feature Requests	38	13516	April 10, 2022
Confusing instructions, again Help	12	1282	February 26, 2019
Is there a reason that the challenge can't be over port 443? Feature Requests	7	5386	November 12, 2017
Webroot: HTTP to HTTPS redirect causes problems? Issuance Tech	4	1854	April 19, 2023

Automatically try replacing http with https in ACME challenge?

Related topics