Can I redirect tls-sni-01 challenges?


Short question: can you 301 redirect tls-sni-01 challenges to a central server to be verified?

Longer version: We’re looking at setting up a central server to issue certificates for a range of servers (none of which can easily run any of the letsencrypt clients directly).

Initially, I thought we could set up a central server, and run letsencrypt certonly in webroot mode, then get our front-end servers to 301 redirect any http-01 challenge to /webroot/.well-known/acme-challenge/XYZ on the central server.

But I’ve since realised some of our servers don’t listen on port 80 ruling this out.

So I believe my option now is to use standalone mode which issues tls-sni-01 challenges directly to port 443.

BUT, I’m not at all sure a 301 redirect of this sort of request would work since the TLS/SNI phase would have to complete before the server could issue a 301?

Can anyone who understands this more fully confirm if this is a non-starter?

It won’t work the way you’re describing it. TLS-SNI-01 works on a different layer than an HTTP 301 redirect.

What you could do - if your web server supports something like that - is send the TLS-SNI-01 requests to a different backend server (which might be certbot in standalone mode) that’s able to solve the challenge. Here’s an example for HAProxy:

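To make the "different layer" point concrete, here is an added example (not part of the original thread, and not certbot's or HAProxy's code) in Python. It builds a minimal TLS ClientHello, reads the server_name extension out of it the way a TCP-mode proxy would, and routes anything whose SNI ends in `.acme.invalid` to the challenge listener. The decision is made on raw bytes before any certificate or HTTP request exists, which is why a 301 (an HTTP response, sent only after the handshake) can never be involved. The backend addresses, the `.acme.invalid` suffix form (from the tls-sni-01 draft) and the sample host names are assumptions made for this example. Note that Let's Encrypt has since retired tls-sni-01 entirely, so today this routing trick is only of historical interest; the DNS-01 route mentioned further down is the current answer for hosts without port 80.

```python
import struct

# tls-sni-01 validation names sent in the ClientHello SNI end in this suffix
# (draft form: "<Z[0:32]>.<Z[32:64]>.acme.invalid", Z = hex SHA-256 of the key authorization).
ACME_SNI_SUFFIX = ".acme.invalid"

# Assumed backends for this example: a certbot standalone listener and the real TLS service.
CHALLENGE_BACKEND = ("127.0.0.1", 8443)   # e.g. certbot --standalone --tls-sni-01-port 8443
PRODUCTION_BACKEND = ("127.0.0.1", 8444)  # the production service moved off :443


def build_client_hello(host_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying a server_name extension.
    Used here only as constructed sample input; a real CA sends something similar."""
    name = host_name.encode("ascii")
    server_name_entry = b"\x00" + struct.pack("!H", len(name)) + name    # name_type host_name
    server_name_list = struct.pack("!H", len(server_name_entry)) + server_name_entry
    sni_ext = struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                              # client_version: TLS 1.2
        + b"\x11" * 32                           # random (fixed for the test)
        + b"\x00"                                # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"     # one cipher suite
        + b"\x01\x00"                            # one compression method: null
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type client_hello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the SNI host name from a TLS ClientHello record, or None if the bytes are
    not a complete ClientHello with a server_name extension (e.g. an HTTP request)."""
    if len(record) < 5 or record[0] != 0x16:
        return None                                   # not a TLS handshake record
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < rec_len or len(hs) < 4 or hs[0] != 0x01:
        return None                                   # truncated, or not a ClientHello
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None
    pos = 2 + 32                                      # skip client_version and random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                              # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                              # compression_methods
    if pos + 2 > len(body):
        return None                                   # no extensions block
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        return None
    while pos + 4 <= end:                             # walk extensions looking for server_name
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == 0x0000 and len(edata) >= 5:
            name_type = edata[2]                      # after 2-byte server_name_list length
            n_len = struct.unpack("!H", edata[3:5])[0]
            if name_type == 0 and len(edata) >= 5 + n_len:
                try:
                    return edata[5:5 + n_len].decode("ascii")
                except UnicodeDecodeError:
                    return None
    return None


def choose_backend(record: bytes):
    """Routing rule a TCP-mode proxy applies to the first bytes of a connection."""
    sni = extract_sni(record)
    if sni is not None and sni.lower().endswith(ACME_SNI_SUFFIX):
        return CHALLENGE_BACKEND
    return PRODUCTION_BACKEND


if __name__ == "__main__":
    for host in ("www.example.com", "0" * 32 + "." + "f" * 32 + ACME_SNI_SUFFIX):
        print(host, "->", choose_backend(build_client_hello(host)))
    print("HTTP bytes ->", choose_backend(b"GET / HTTP/1.1\r\n"))
```

The same rule is what an HAProxy `mode tcp` frontend expresses with `use_backend acme if { req.ssl_sni -m end .acme.invalid }`: the proxy inspects the ClientHello and forwards the whole TCP connection, so the challenge listener completes the handshake itself and the production hosts never see the challenge.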

Thanks. I don’t think our config will allow that without some major changes.

Any other options for utilising letsencrypt with validation on port 443 without interrupting production services?

  • Central http-01 validation server. Not an option due to lack of port 80.
  • letsencrypt with --authenticator apache (if you’re running apache - we’re not)
  • anything else?

You can use DNS-01, which lets you verify domain ownership by creating a TXT record for your domain. Certbot currently doesn’t support this, but some of the other clients do (Bash, lego, etc.)
