Questions about Renewing before TLS-ALPN-01 Revocations

@gorillabiscuit
Does FortiOS use TLS-ALPN-01?
[I would not think so]

1 Like

Greetings. I know that all of my certs were issued as tls-alpn-01. So, I figure I should be able to generate new ones.

What I've found is that the test server is working ok. When I attempt to create a cert with the production server, I am told that tls-alpn isn't supported:

The supported validation types are: http-01 dns-01 , but you specified: tls-alpn-01

I'm using acme.sh.

Is this an issue with the service, or am I seeing something with the tool? IOW, is there a change to the tool needed to deal with the change being made?

This does seem to be a bug in acme.sh: The supported validation types are: http-01 dns-01 , but you specified: tls-alpn-01 · Issue #3910 · acmesh-official/acme.sh · GitHub

3 Likes

Yes, there it is. Cool. Thanks.

1 Like

...actually, the bug report claims that it is Let's Encrypt that has disabled the method.

How can we determine which side is not behaving?

I think we've figured it out: this is not an acme.sh bug, it just happens to be the client where we first saw this behaviour.

If an ACME order was created during the few hours yesterday when the TLS-ALPN-01 challenge was disabled, that order will not offer ALPN as a validation option - even though we've since reactivated it for new orders.

As a workaround, you can go ahead and deliberately fail either one of the offered challenges (DNS-01 or HTTP-01), then try again. That will cause your next issuance attempt to create a new order, which will offer TLS-ALPN-01.

We're working now to see if we can fix this more elegantly on our side.

7 Likes
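To make the stale-order situation described above concrete, here is an added example (not code from the thread or from any ACME client) that inspects the authorization objects of a pending order, in the RFC 8555 JSON shape, and reports which identifiers can no longer be validated with tls-alpn-01. The sample authorizations and the ca.example.test URLs are constructed for illustration.

```python
"""Check whether a pending ACME order still offers tls-alpn-01 for every
identifier, or whether the client must abandon it and create a new order."""
import json

PREFERRED = "tls-alpn-01"

# Constructed sample: the authorization objects an ACME server returns for
# each URL in an order's "authorizations" array (RFC 8555 section 7.1.4).
SAMPLE_AUTHZS = json.loads("""
[
 {"identifier": {"type": "dns", "value": "stale.example.test"},
  "status": "pending", "expires": "2022-02-02T10:00:00Z",
  "challenges": [
   {"type": "http-01", "status": "pending", "url": "https://ca.example.test/chall/1", "token": "t1"},
   {"type": "dns-01",  "status": "pending", "url": "https://ca.example.test/chall/2", "token": "t2"}]},
 {"identifier": {"type": "dns", "value": "fresh.example.test"},
  "status": "pending", "expires": "2022-02-02T10:00:00Z",
  "challenges": [
   {"type": "http-01",    "status": "pending", "url": "https://ca.example.test/chall/3", "token": "t3"},
   {"type": "dns-01",     "status": "pending", "url": "https://ca.example.test/chall/4", "token": "t4"},
   {"type": "tls-alpn-01","status": "pending", "url": "https://ca.example.test/chall/5", "token": "t5"}]},
 {"identifier": {"type": "dns", "value": "cached.example.test"},
  "status": "valid", "expires": "2022-02-20T10:00:00Z",
  "challenges": [
   {"type": "http-01", "status": "valid", "url": "https://ca.example.test/chall/6", "token": "t6"}]}
]
""")


def offered_types(authz):
    """Challenge types the client could still complete for this authorization."""
    return sorted(c["type"] for c in authz.get("challenges", [])
                  if c.get("status") == "pending")


def identifiers_missing(authzs, wanted=PREFERRED):
    """Identifiers whose pending authorization does not offer `wanted`.
    An authorization that is already 'valid' (cached from an earlier order)
    needs no challenge at all, so it is never reported as missing."""
    return [a["identifier"]["value"] for a in authzs
            if a.get("status") == "pending" and wanted not in offered_types(a)]


def needs_new_order(authzs, wanted=PREFERRED):
    """True when the order cannot be finished with `wanted`. A challenge set is
    fixed when the order is created, so the only way to get `wanted` back is a
    fresh order (e.g. by deliberately failing one of the offered challenges)."""
    return bool(identifiers_missing(authzs, wanted))


if __name__ == "__main__":
    for name in identifiers_missing(SAMPLE_AUTHZS):
        print(f"{name}: order does not offer {PREFERRED}; new order required")
```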

I use the following script to renew my certificates and it runs on the 01st of every month:

sudo /opt/bitnami/ctlscript.sh stop
sudo /opt/bitnami/letsencrypt/lego --tls --email="EMAIL-ADDRESS" --domains="DOMAIN" --path="/opt/bitnami/letsencrypt" renew --days 90
sudo /opt/bitnami/ctlscript.sh start

So to solve this problem I just need to run this script today manually?

thanks for your help

Traefik makes TLS-ALPN-01 pretty easy to use without really knowing how fancy it is. That's the boat I'm in right now.

@TheJim @gorillabiscuit

NOT OFFICIALLY CONFIRMED YET
[expecting a public statement from FN soon]

But my source at Fortinet has found that FortiOS is NOT affected by the oncoming LE TLS-ALPN-01 revocation, as FortiOS doesn't use the TLS-ALPN-01 authentication type.

seo tags: fortinet firewall fortios tls-alpn-01

3 Likes

While trying to follow pieced together steps from this post/forum specific to getting my ACME client to force renew my certs, I have unwittingly hit the rate limit for duplicate certificates on multiple domains. I have since figured out what I was doing wrong and successfully renewed a few certs. However one domain that is important to me is up against the duplicate cert limit. Is it possible to get this limit removed/relaxed before the Friday revocations?

@edwardjamesgaff
Can't you just use any of the 5 certs that were recently created?

1 Like

I deleted them since the only way to get my ACME client to do a force renew is to delete the certs. Long story short, I had a few issues going on and I deleted the certs multiple times because I thought that would resolve my issues and was not aware of the consequences of doing so. For the one important domain that is against the limit I restored the backup of the cert from before I tried to renew. But I didn't create backups of the newly created certs so they are lost.

Any certs renewed today would NOT have the TLS-ALPN-01 problem.
The only quick "workaround" is to request a cert with more (or less) names on it [so that it isn't "the exact same set of names"].

3 Likes

The problem is I've deleted all certs that were created today for the domain that is at the limit. The only cert I still have is from before today. I'll look into the workaround you've suggested. I've also been contacted by James to help with the issue. Thanks for the help.

3 Likes

We've fixed this on our side, so @beewoolie and others in the same situation should now be able to renew without any workarounds. Thanks for your patience!

6 Likes

I already ran this code and my certificates for several domains and subdomains were renewed with the dates: 01/26/2022 - 04/26/2022.

sudo /opt/bitnami/ctlscript.sh stop
sudo /opt/bitnami/letsencrypt/lego --tls --email="EMAIL-ADDRESS" --domains="DOMAIN" --path="/opt/bitnami/letsencrypt" renew --days 90
sudo /opt/bitnami/ctlscript.sh start

Is it solved with that? How can I know if I will not have problems on 01/28/2022?

So you're renewing every 30-ish days instead of the recommended 60 days? :grimacing: That sounds like a waste of Let's Encrypt resources?

2 Likes

Hi,
I'm currently having some problems with traefik. I am unable to regenerate certificates despite deleting the acme.json file as recommended in multiple posts in this thread. Only the private key was generated.

Currently what I'm getting is this error:

traefik | time="2022-01-27T08:04:51Z" level=error msg="Unable to obtain ACME certificate for domains \"___.something.com\": unable to generate a certificate for the domains [___.something.com]: error: one or more domains had a problem:\n[___.something.com] [___.something.com] acme: error presenting token: timeout 2022-01-27 08:04:21.62587201 +0000 UTC m=+58495.349676150\n" providerName=letsencrypt.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=api@file rule="Host(___.something.com)"

@jillian for the list of "Notes and Starting Points for Specific Clients", I would like to mention that for ASP.NET developers who use the LettuceEncrypt library as their Let's Encrypt client, there's GitHub issue [Question] How to renew certificates to fix Let's Encrypt revocations bug · Issue #238 · natemcmaster/LettuceEncrypt · GitHub which contains a solution for this problem.

4 Likes

Same issue from my traefik :frowning:. And now I have reached the rate limit "too many new orders recently".