Cert using tls-alpn fails for shortlived IP address identifier

youfu · July 2, 2025, 11:13am

I have trouble issue shortlived IP address certificate via tls-alpn-01. I can issue certificate for DNS names using the same setup on the same host but no luck for IP address.

I am using dehydrated as client and targetting staging environment. The generated self-signed certificate looks sane (double checked SAN and id-pe-acmeIdentifier part). The ALPN and SNI (in-addr.arpa reverse form) on the responder looks sane.

From Wireshark, I can see that multi-perspective validation give up on first try against my IP address. I tried to export SSL keylog from my acme-tls/1 responder, and the decrypted TLS 1.3 handshake looks perfect from my point of view.

Please help. Is it a server-side issue?

["url"]	"https://acme-staging-v02.api.letsencrypt.org/acme/chall/204974514/18325106073/4cVVnQ"
["status"]	"invalid"
["validated"]	"2025-07-02T10:35:06Z"
["error","type"]	"urn:ietf:params:acme:error:connection"
["error","detail"]	"Error getting validation data"
["error","status"]	400
["error"]	{"type":"urn:ietf:params:acme:error:connection","detail":"Error getting validation data","status":400}

youfu · July 2, 2025, 11:58am

Boulder PR #8020 did not set AddressesResolved and ResolverAddrs fields of ValidationRecord.

This does not pass checks in RecordsSane I think.

Created issue unable to issue shortlived IP address certificate using tls-alpn-01 · Issue #8286 · letsencrypt/boulder · GitHub

orangepizza · July 2, 2025, 1:32pm

I didn't see any announcement from staff it opened for public in staging, so I'd not surprise if it is locked behind account whitelist

youfu · July 2, 2025, 1:44pm

Staging environment no longer has allowlist limitation. I have checked before, the response was different.

mcpherrinm · July 2, 2025, 2:36pm

Yes, we have opened access for IP certificates in staging, though without much fanfare beyond that mention in the blog post.

We haven't done much of any testing with TLS-ALPN yet, so it is pretty likely that a bug slipped through. We'll take a look!

webprofusion · July 3, 2025, 2:57am

@mcpherrinm that's awesome it's available to try, as an aside I was able to get my first shortlived IP cert via staging using Certify Management Hub, using http validation, with a standard staging account.

Topic		Replies	Views
TLS-ALPN validation method API Announcements	2	19744	July 12, 2018
Tls-alpn-01 "Invalid acmeValidationV1 extension value" Client dev	12	3153	August 9, 2019
Certbot cert request fails for IP address in LE Staging Help	9	219	July 8, 2025
DNS challenge invalid: https://acme-v02.api.letsencrypt.org/acme/chall-v3/8690265661/M4TlHw Help	26	3247	December 19, 2020
Several Errors generating Certs Help	9	700	September 22, 2020

Cert using tls-alpn fails for shortlived IP address identifier

Related topics