Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge

Greetings. We are developing a client called tlstunnel which is designed to register certificates for incoming TLS connections on-demand, then proxy the connections to non-TLS services elsewhere. This is not designed to be a web server, and the http-01 challenge is not an option for us.

We have had success with the tls-alpn-01 challenge before, but this particular deployment is causing us esoteric problems. We are trying to register a certificate for and receiving the error in the topic subject, but little else:

DNS is set up correctly and port 443 faces the internet directly, not through any kind of firewall or reverse proxy. I've confirmed that ALPN is working in general via openssl s_client.

The config file we're using is the following:

In case anyone wants to try to reproduce this issue. We're using the master branch of tlstunnel and running it as root on Alpine Linux w/musl libc and Go 1.15.7 on amd64.
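
The ALPN failure this thread is about, reproduced locally as an added example that is not tlstunnel code and not from anyone in the thread: a Go program that stands up a TLS listener with a chosen NextProtos list and connects to it the way an ACME validator does, offering only acme-tls/1 and reading back what the server selected. The host name example.test, the self-signed listener certificate and the protocol lists are constructed inputs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

const acmeALPN = "acme-tls/1" // ALPN protocol id registered for tls-alpn-01 (RFC 8737)

// selfSignedCert is constructed input for the local listener only (no acmeIdentifier extension).
func selfSignedCert(host string) (tls.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}

// negotiatedALPN runs a listener on 127.0.0.1 advertising serverProtos, connects the way an ACME
// validator does (SNI = host, ALPN list = acme-tls/1 only) and returns what the server selected.
func negotiatedALPN(host string, serverProtos []string) (string, error) {
	cert, err := selfSignedCert(host)
	if err != nil {
		return "", err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}, NextProtos: serverProtos})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	// Serve one handshake; with no overlapping protocol the server fails it (newer Go) or answers without ALPN.
	go func() { if c, e := ln.Accept(); e == nil { c.(*tls.Conn).Handshake(); c.Close() } }()
	// InsecureSkipVerify is correct here: a validator checks ALPN, SAN and acmeIdentifier, not a chain.
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{ServerName: host, NextProtos: []string{acmeALPN}, InsecureSkipVerify: true})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	return conn.ConnectionState().NegotiatedProtocol, nil
}

func main() { fmt.Println(negotiatedALPN("example.test", []string{"h2", "http/1.1"})) }
```

The `main` runs the misconfigured case: a listener that advertises only h2/http/1.1 on the port the validator reaches, which is exactly the situation behind a "cannot negotiate acme-tls/1" result; swap in `[]string{acmeALPN}` to see the successful negotiation.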

My colleague found the issue:

It's pretty difficult to debug ACME client issues due to LE's restrictions, caching, and rate limits, even on the staging server.

Pebble might be a better choice to test against in a case like this. It's self-hosted and has knobs to disable things like caching and no rate limits.
