Can I redirect tls-sni-01 challenges?

davidqc · May 25, 2016, 2:24pm

Hi,

Short question: can you 301 redirect tls-sni-01 challenges to a central server to be verified?

Longer version: We’re looking at setting up a central server to issue certificates for a range of servers (none of which can easily run any of the letsencrypt clients directly).

Initially, I thought we could set up a central server, and run letsencrypt certonly in webroot mode, then get our front-end servers to 301 redirect any http-01 challenge to /webroot/.well-known/acme-challenge/XYZ on the central server.

But I’ve since realised some of our servers don’t listen on port 80 ruling this out.

So I believe my option now is to use standalone mode which issues tls-sni-01 challenges directly to port 443.

BUT, I’m not at all sure a 301 redirect of this sort of request would work since the TLC/SNI phase would have to complete before the server could issue a 301?

Can anyone who understands this more fully confirm is this is a non-starter?

pfg · May 25, 2016, 2:30pm

It won’t work the way you’re describing it. TLS-SNI-01 works on a different layer than a HTTP 301 redirect.

What you could do - if your web server supports something like that - is send the TLS-SNI-01 requests to a different backend server (which might be certbot in standalone mode) that’s able to solve the challenge. Here’s an example for HAProxy: https://www.cloudoptimizedsmb.com/articles/20160409-00/using-haproxy-to-split-letsencrypt-acme-challenges-from-regular-traffic

davidqc · May 25, 2016, 3:07pm

Thanks. I don’t think our config will allow that without some major changes.

Any other options for utilising letsencrypt with validation on port 443 without interrupting production services?

Central http-01 validation server. Not an option due to lack of port 80.
letsencrypt with --authenticator apache (if you’re running apache - we’re not)
anything else?

pfg · May 25, 2016, 3:10pm

You can use DNS-01, which lets you verify domain ownership by creating a TXT record for your domain. Certbot currently doesn’t support this, but some of the other clients do (Bash, lego, etc.)

system · June 24, 2016, 3:10pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Https challenge for certificate renewal Issuance Tech	5	3722	March 6, 2016
Proposal add into FAQ how to use HTTP-01 + webroot without redirecting .well-known/acme-challenge Server	2	991	May 11, 2019
My server redirects port 80 to 443, and certbot bails when using --manual Issuance Policy	5	6045	July 6, 2016
Certbot - HTTP Challenge with NGINX and HTTP to HTTPS Redirects Help	4	4938	June 21, 2017
Need for HTTP at all Server	6	1603	February 12, 2017

Can I redirect tls-sni-01 challenges?

Related topics