Cannot negotiate alpn protocol "acme-tls/1" for tls-alpn-01 challenge

My domain is: petman.asrevo.com
I am trying to build an SSL certificate generator in Java using acme4j; it currently works with DNS validation.
Now I am trying to also use ALPN. My server is running behind an AWS NLB.

It produced this output:
However, I enabled h2 and ALPN on my Spring WebFlux (Reactor Netty) server,
and I am getting this error: cannot negotiate alpn protocol "acme-tls/1" for tls-alpn-01 challenge

Hi @ashraf-revo, and welcome to the LE community forum 🙂

Please provide as much information as possible.
[the error message alone is not enough]

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):


acme4j supports TLS-ALPN-01, so you are likely hitting a configuration issue on your AWS load balancer OR have an issue implementing it.

I would probably try to troubleshoot the first scenario by setting up a microservice behind the load balancer that can speak tls-alpn-01 and ensuring you can communicate correctly. I would also use Pebble (https://github.com/letsencrypt/pebble) to work this all out, then graduate to Let's Encrypt's staging servers, before using the live version.

For the second scenario, double check that you are conforming to the docs (tls-alpn-01 Challenge - acme4j) and test the authorization certificate it generates to ensure you made the right one.

Other people here may have more insights.

@rg305 acme4j is a library for building ACME into applications. This is basically a client-dev question, not a general help one.


Point taken.
But again:


100% agreed that the error message is not enough. I know what they're doing, and the best response I could give is to suggest generic troubleshooting of 2 things that seem more likely than others to be the cause right now.


Does AWS NLB support arbitrary TLS ALPNs?

These are the only options that are presented to me in the EC2 console:

It seems like it only really supports the h2 ALPN. If it won't negotiate acme-tls/1 (rather than falling back to None), then I don't think you'll be able to get this working.


While I have not used AWS NLB, I can confirm that I had to switch from TLS-ALPN-01 on sites that I placed behind Cloudflare. If the TLS connection terminates on the AWS NLB and is then transported via a new connection to the origin server, I would expect the TLS-ALPN-01 will not be an option.


Thanks for your response.
This is an image that checks whether ALPN is working:

So I think it's not an AWS NLB problem.

These are the certificates that I generated using Java acme4j:

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

Also, my site responds with the certificates that were generated before.

Sorry for not following the template; most of those fields do not fit my case.
For example, I don't have a web server; I am building it, as mentioned, using Spring and Netty in Java.
The operating system is Linux, on AWS, as I mentioned.
The host is AWS.
No command was used; I fail to validate the certificate with the TLS challenge.


The error I am getting is: cannot negotiate alpn protocol "acme-tls/1" for tls-alpn-01 challenge
So I want to know what might cause this error in my custom server.
It responds with HTTP/2 with ALPN enabled and the certificate that was generated.

How exactly does this screenshot invalidate the possibility of AWS NLB as the problem? You would need to test without AWS NLB and with AWS NLB to make that determination.


Expanding on this: That image shows the platform can support h2 and ALPN in general, but it does not indicate what it supports (or how) in the context of being a load balancer and proxying connections. In other words, it suggests external clients can talk h2/alpn to the load balancer, but it does not suggest anything about how the load balancer speaks to backend services.


Thanks all.
I managed to solve this issue.
The problem was that I should make the Java Netty server return acme-tls/1 only during the negotiation process; it was just passing http/1.1 and h2.

That is why it was saying the cannot negotiate alpn protocol "acme-tls/1" for tls-alpn-01 challenge error.

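As an added illustration of the fix described in the post above (this is example code, not code from the original thread and not acme4j's or Reactor Netty's own code): a plain Netty configuration that keeps the normal h2/http/1.1 context for ordinary traffic and, only while a challenge for the named host is active, presents the acme4j validation certificate with ALPN restricted to acme-tls/1. The class and method names, and the idea of toggling the challenge context through an AtomicReference, are this example's own assumptions; the validation certificate and its key pair are whatever acme4j produced for the challenge (see its tls-alpn-01 docs), passed in as parameters.

```java
import io.netty.channel.ChannelHandlerContext;
import io.netty.handler.ssl.ApplicationProtocolConfig;
import io.netty.handler.ssl.ApplicationProtocolConfig.Protocol;
import io.netty.handler.ssl.ApplicationProtocolConfig.SelectedListenerFailureBehavior;
import io.netty.handler.ssl.ApplicationProtocolConfig.SelectorFailureBehavior;
import io.netty.handler.ssl.ApplicationProtocolNames;
import io.netty.handler.ssl.ApplicationProtocolNegotiationHandler;
import io.netty.handler.ssl.SniHandler;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.util.Mapping;

import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.concurrent.atomic.AtomicReference;

/**
 * Hypothetical helper (not acme4j or Reactor Netty code) that picks an SslContext per handshake.
 * Ordinary traffic always gets the service context (h2, http/1.1). While a tls-alpn-01 challenge
 * is active for `host`, handshakes carrying SNI == host get the challenge context, which presents
 * the validation certificate and offers only "acme-tls/1".
 */
public final class AcmeTlsAlpnSelector {

    public static final String ACME_TLS_1 = "acme-tls/1";

    private final SslContext serviceCtx;
    private final String host;
    // null when no challenge is in progress; set by activateChallenge(), cleared by finishChallenge()
    private final AtomicReference<SslContext> challengeCtx = new AtomicReference<>();

    public AcmeTlsAlpnSelector(String host, PrivateKey serviceKey, X509Certificate... serviceChain)
            throws Exception {
        this.host = host;
        this.serviceCtx = SslContextBuilder.forServer(serviceKey, serviceChain)
            .applicationProtocolConfig(new ApplicationProtocolConfig(
                Protocol.ALPN,
                SelectorFailureBehavior.NO_ADVERTISE,   // no common protocol: plain TLS, no ALPN selected
                SelectedListenerFailureBehavior.ACCEPT,
                ApplicationProtocolNames.HTTP_2,
                ApplicationProtocolNames.HTTP_1_1))     // this list is why acme-tls/1 could never be picked
            .build();
    }

    /** Install the self-signed validation certificate and key acme4j created for this challenge. */
    public void activateChallenge(PrivateKey challengeKey, X509Certificate validationCert)
            throws Exception {
        SslContext ctx = SslContextBuilder.forServer(challengeKey, validationCert)
            .applicationProtocolConfig(new ApplicationProtocolConfig(
                Protocol.ALPN,
                SelectorFailureBehavior.FATAL_ALERT,    // client did not offer acme-tls/1: abort the handshake
                SelectedListenerFailureBehavior.ACCEPT,
                ACME_TLS_1))                            // the only protocol this context advertises
            .build();
        challengeCtx.set(ctx);
    }

    /** Call once the challenge status is VALID or INVALID so normal traffic for the host resumes. */
    public void finishChallenge() {
        challengeCtx.set(null);
    }

    /** Mapping consulted by SniHandler: the ClientHello's SNI decides which context is used. */
    public Mapping<String, SslContext> mapping() {
        return sni -> {
            SslContext acme = challengeCtx.get();
            // equalsIgnoreCase(null) is false, so a ClientHello without SNI gets the service context
            return (acme != null && host.equalsIgnoreCase(sni)) ? acme : serviceCtx;
        };
    }

    /** First handler in the pipeline: parses the ClientHello and inserts the matching SslHandler. */
    public SniHandler sniHandler() {
        return new SniHandler(mapping());
    }

    /** After the handshake: a connection that negotiated acme-tls/1 is never served HTTP; close it. */
    public ApplicationProtocolNegotiationHandler postHandshake() {
        return new ApplicationProtocolNegotiationHandler(ApplicationProtocolNames.HTTP_1_1) {
            @Override
            protected void configurePipeline(ChannelHandlerContext ctx, String protocol) {
                if (ACME_TLS_1.equals(protocol)) {
                    ctx.close();
                    return;
                }
                // h2 / http/1.1 handler wiring goes here, unchanged from the normal server setup
            }
        };
    }
}
```

Two caveats follow from this design. First, selection is keyed on SNI, so while the challenge context is active any ordinary client sending SNI for that host gets a handshake failure (it does not offer acme-tls/1); keep the window between activateChallenge() and finishChallenge() to the span from triggering the challenge to the status poll. Second, this only works if the load balancer passes TLS through untouched: as noted earlier in the thread, an NLB TLS listener terminates TLS with its own ALPN policy, so the listener in front of this server has to be a plain TCP one. Where the SniHandler is handed to Reactor Netty's pipeline is not shown here.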
