Can I redirect tls-sni-01 challenges?


#1

Hi,

Short question: can you 301 redirect tls-sni-01 challenges to a central server to be verified?

Longer version: We’re looking at setting up a central server to issue certificates for a range of servers (none of which can easily run any of the letsencrypt clients directly).

Initially, I thought we could set up a central server, and run letsencrypt certonly in webroot mode, then get our front-end servers to 301 redirect any http-01 challenge to /webroot/.well-known/acme-challenge/XYZ on the central server.

But I’ve since realised some of our servers don’t listen on port 80 ruling this out.

So I believe my option now is to use standalone mode which issues tls-sni-01 challenges directly to port 443.

BUT, I’m not at all sure a 301 redirect of this sort of request would work since the TLC/SNI phase would have to complete before the server could issue a 301?

Can anyone who understands this more fully confirm is this is a non-starter?


Gitlab cert renewal fails
#2

It won’t work the way you’re describing it. TLS-SNI-01 works on a different layer than a HTTP 301 redirect.

What you could do - if your web server supports something like that - is send the TLS-SNI-01 requests to a different backend server (which might be certbot in standalone mode) that’s able to solve the challenge. Here’s an example for HAProxy: https://www.cloudoptimizedsmb.com/articles/20160409-00/using-haproxy-to-split-letsencrypt-acme-challenges-from-regular-traffic


#3

Thanks. I don’t think our config will allow that without some major changes.

Any other options for utilising letsencrypt with validation on port 443 without interrupting production services?

  • Central http-01 validation server. Not an option due to lack of port 80.
  • letsencrypt with --authenticator apache (if you’re running apache - we’re not)
  • anything else?

#4

You can use DNS-01, which lets you verify domain ownership by creating a TXT record for your domain. Certbot currently doesn’t support this, but some of the other clients do (Bash, lego, etc.)


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.