Help with dehydrated validation using tls-alpn

My domain is: pideya.for-some.biz

Running on Ubuntu Linux:
~# python3 responder.py &
~# ./dehydrated -c -f config

And having this line on the config file:
CHALLENGETYPE="tls-alpn-01"

It produced this output:

ERROR: Challenge is invalid! (returned: invalid) (result: {
"type": "tls-alpn-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:tls",
"detail": "remote error: tls: handshake failure",
"status": 400
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/3744200891/gCKnQQ",
"token": "AoB0DoK8CF-3DCbMUO7qvZQNBLVhsL-n58dz0q_x3-k",
"validationRecord": [
{
"hostname": "pideya.for-some.biz",
"port": "443",
"addressesResolved": [

The version of the dehydrated client is:
Dehydrated version: 0.6.5

One of the problems I saw was that the FALLBACK_CERTIFICATE is one of the snakeoil certificates; I have several domains on the server, so the challenge cannot be successful because of the other certificates. I then tried using an expired pideya.for-some.biz certificate, but no luck.

Any help to address this issue, please?


Well, I guess step one would be to verify that the responder works at all.

Do you see a fallback certificate if you run this on the server, while the responder is running?

openssl s_client -connect localhost:10443 -alpn acme-tls/1 -servername foo.org

The responder should also print:

Got request for foo.org
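A scripted version of that check, added here as an example (it is not from the thread, from dehydrated or from responder.py): it connects the way the validator does, with SNI set to the domain and ALPN set to acme-tls/1, and classifies the outcome the way the posts in this thread report it (connection refused, handshake failure, no ALPN negotiated). It also does a crude byte search for the acmeIdentifier extension OID that an RFC 8737 challenge certificate must carry; start_alert_stub is a constructed test double that answers with the same fatal handshake_failure alert (alert number 40) the openssl run above shows.

```python
import socket
import ssl
import threading

# DER of the id-pe-acmeIdentifier OID (1.3.6.1.5.5.7.1.31) required by RFC 8737.
ACME_IDENTIFIER_OID_DER = bytes.fromhex("06082b0601050507011f")
# TLS record carrying a fatal handshake_failure alert (alert number 40).
HANDSHAKE_FAILURE_ALERT = bytes.fromhex("15030300020228")


def probe_alpn_responder(host, port, sni, timeout=5.0):
    """Connect like the ACME validator (SNI = domain, ALPN = acme-tls/1) and classify."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # the challenge cert is self-signed by design
    ctx.set_alpn_protocols(["acme-tls/1"])
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                alpn = tls.selected_alpn_protocol()
                der = tls.getpeercert(binary_form=True) or b""
    except ConnectionRefusedError:
        return {"status": "refused", "detail": "nothing listening on that port"}
    except ssl.SSLError as exc:  # alert 40, wrong protocol, EOF mid-handshake
        return {"status": "handshake_failure", "detail": str(exc)}
    except OSError as exc:  # timeout, reset, DNS failure
        return {"status": "connection_error", "detail": str(exc)}
    if alpn != "acme-tls/1":
        return {"status": "no_alpn", "detail": "acme-tls/1 was not negotiated"}
    if ACME_IDENTIFIER_OID_DER not in der:  # byte search: a heuristic, not a DER parse
        return {"status": "missing_acme_identifier", "detail": "no acmeIdentifier ext"}
    return {"status": "ok", "detail": "acme-tls/1 negotiated, acmeIdentifier present"}


def start_alert_stub():
    """Constructed test double: answer any ClientHello with a fatal handshake_failure
    alert, as a server with no certificate for that SNI/ALPN does. Returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.recv(4096)  # swallow the ClientHello
        conn.sendall(HANDSHAKE_FAILURE_ALERT)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Run probe_alpn_responder("localhost", 10443, "foo.org") while responder.py is up; a status of "ok" is what the validator needs, and "handshake_failure" with the real domain as SNI means the responder is not the process answering on that port.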

Thanks, I got this using port 10443:

openssl s_client -connect localhost:10443 -alpn acme-tls/1 -servername foo.org
3072300800:error:0200206F:system library:connect:Connection refused:…/crypto/bio/b_sock2.c:110:
3072300800:error:2008A067:BIO routines:BIO_connect:connect error:…/crypto/bio/b_sock2.c:111:
3072300800:error:0200206F:system library:connect:Connection refused:…/crypto/bio/b_sock2.c:110:
3072300800:error:2008A067:BIO routines:BIO_connect:connect error:…/crypto/bio/b_sock2.c:111:
connect:errno=111

And using port 443

openssl s_client -connect localhost:443 -alpn acme-tls/1 -servername foo.org
CONNECTED(00000003)
3072108288:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:…/ssl/record/rec_layer_s3.c:1544:SSL alert number 40

no peer certificate available

No client certificate CA names sent

SSL handshake has read 7 bytes and written 326 bytes
Verification: OK

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.3
Cipher : 0000
Session-ID:
Session-ID-ctx:
Resumption PSK:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1585955281
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0

Thank you!

:confused: Did you change the port number in responder.py or something?

Hi _az, I'd changed the port in responder.py to 443, and returned it to 10443.

Yesterday I could renew the www.openfactware.com domain using the DNS challenge, but the domain I want to renew, pideya.for-some.biz, is on DynDNS where I can't add TXT records, so that's the reason to try tls-alpn, with no luck. Here are the new outputs I got:

For openssl:

openssl s_client -connect localhost:10443 -alpn acme-tls/1 -servername foo.org

CONNECTED(00000003)
Got request for foo.org
depth=0 CN = www.openfactware.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = www.openfactware.com
verify return:1

Certificate chain
0 s:/CN=www.openfactware.com
i:/CN=www.openfactware.com

Server certificate
-----BEGIN CERTIFICATE-----

And for dehydrated:

Processing pideya.for-some.biz

  • Signing domains…
  • Generating private key…
  • Generating signing request…
  • Requesting new certificate order from CA…
  • Received 1 authorizations URLs from the CA
  • Handling authorization for pideya.for-some.biz
  • Generating ALPN certificate and key for pideya.for-some.biz…
  • 1 pending challenge(s)
  • Deploying challenge tokens…
  • Responding to challenge for pideya.for-some.biz authorization…
  • Cleaning challenge tokens…
  • Challenge validation has failed :(
    ERROR: Challenge is invalid! (returned: invalid) (result: {
    "type": "tls-alpn-01",
    "status": "invalid",
    "error": {
    "type": "urn:ietf:params:acme:error:connection",
    "detail": "Connection refused",
    "status": 400
    },
    "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/3757328921/8Y_-Ew",
    "token": "Tp3jYFXB6Duu-JyFSY8N9-tNuMatfkz0RDVtpwwzrsc",
    "validationRecord": [
    {
    "hostname": "pideya.for-some.biz",
    "port": "443",
    "addressesResolved": [

Greetings…


Okay, so the responder works, just apparently not when you had the port changed to 443.

Possibly a dumb question, but did you stop Apache before you started responder.py (with the port set to 443)?

It might also be helpful to open two terminals and run responder.py in the foreground (without the &) in one of them, so you see all the output it generates.


You could try ualpn, which is a proxying tls-alpn-01 responder. Even though it is part of uacme, it can be integrated with any client, including dehydrated. I can help if you’re willing to give it a go.


Good to know it worked for you.


It didn't work. I had to change the DNS IP and host to work with certbot; still, it would be nice to have a guide to validate certificates using just port 443.

Greetings.


So why did you mark my earlier post as “Solution”? The link I posted is a tutorial to do exactly what you want.

Edit: I’ve made a Certbot plugin, see Bringing TLS-ALPN-01 authentication to Certbot


Using dehydrated, I'm a little confused when I check the CLI help:

./dehydrated --help
It says that the challenge parameter is for http-01 and dns-01:

--challenge (-t) http-01|dns-01 Which challenge should be used? Currently http-01 and dns-01 are supported

My dehydrated version is:
Dehydrated version: 0.6.5
