TLS-ALPN-01 support in certbot


#1

I realize it is a busy day on this forum due to the TLS-SNI-01 validation email, and I appreciate the community involvement and assistance.

Like many users, I am trying to determine the best alternative to TLS-SNI for my situation. I’ve noticed there are many users posting who seem to be in the same boat as me: they are happy to move to another solution, but they can’t (or don’t want to) use port 80. We also don’t use one of the supported DNS servers that would allow dns-01 validation. It appears that all other validation methods require port 80, except for TLS-ALPN, which is also one of the solutions referenced in the email itself.

However, it appears that certbot does not yet support TLS-ALPN, at least not through all of its validation methods. I do see some reference to TLS-ALPN in the changelog, but if it is available presently, I certainly can’t get it to work, and it seems that others are having the same problem.

I do realize that there are other ACME clients out there, and many have suggested acme.sh, which looks like a great tool; however, certbot is the client referenced in the letsencrypt documentation and is the “recommended” client according to letsencrypt (see, for example, https://letsencrypt.org/docs/client-options/).

Based on the foregoing, wouldn’t it make more sense to delay the TLS-SNI “cutoff” until the proper replacement method, TLS-ALPN, is fully supported by certbot? Like many, I am concerned with making a change to another solution only to find support for TLS-ALPN in the future, and the further need to switch back. If I am wrong with my understanding of the current state of these tools, please let me know!

Again, thanks to the developers and others on this forum for all of the assistance.


#2

If you’re unable to use port 80, my recommendation is to migrate to the DNS challenge or the TLS-ALPN challenge. Unfortunately, Certbot will probably never be able to support TLS-ALPN for the Apache and Nginx plugins, because those web servers don’t expose configuration options for an external program to handle various ALPN settings (and it doesn’t make sense for them to start exposing such options).

One option for solving DNS challenges even if you don’t have a DNS provider with a good API is to run your own acme-dns instance. Note: You’d want to check first if your ISP blocks port 53. I’d be curious to hear from users of ISPs that block port 80 whether port 53 is also available. That will help us provide better advice to other users.

Thanks,
Jacob
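To make concrete what Jacob's point about ALPN means in practice, here is an added example (not code from this thread, from Certbot, or from any of the web servers mentioned) of the data a TLS-ALPN-01 responder has to present and the TLS context it has to answer from, following RFC 8737 and RFC 7638 with only the Python standard library. The account key, token and domain below are constructed sample values. Producing the self-signed validation certificate itself (subjectAltName set to the domain plus the critical acmeIdentifier extension carrying the value computed here) needs a certificate library or the openssl command line and is left to the reader; the example stops at the extension value, the CA-side comparison, and the server context that only accepts the `acme-tls/1` protocol.

```python
"""TLS-ALPN-01 building blocks (RFC 8737), standard library only.

The responder must terminate a TLS connection that negotiated the ALPN
protocol "acme-tls/1", send a self-signed certificate for the requested
SNI name, and that certificate must carry the critical acmeIdentifier
extension whose value is the SHA-256 digest of the key authorization.
"""
import base64
import hashlib
import hmac
import json
import ssl

ACME_TLS_ALPN = "acme-tls/1"
# id-pe-acmeIdentifier (RFC 8737); the extension must be marked critical.
ACME_IDENTIFIER_OID = "1.3.6.1.5.5.7.1.31"

# Constructed sample values: a throwaway-looking EC account key and a token.
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "kid": "https://acme.example/acct/123",  # not part of the thumbprint
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_DOMAIN = "www.example.test"


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses everywhere (RFC 8555 §8.1)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, serialised
    with lexicographically ordered keys and no whitespace. Extra members such
    as "kid" or "use" are deliberately ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Key authorization = token "." thumbprint of the account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def acme_identifier_extension_value(token: str, account_jwk: dict) -> bytes:
    """DER value of the acmeIdentifier extension: an OCTET STRING
    (tag 0x04, length 0x20) wrapping SHA-256 of the key authorization."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b"\x04\x20" + digest


def validate_extension_value(ext_der: bytes, token: str, account_jwk: dict) -> bool:
    """The CA-side check: the value read out of the presented certificate must
    equal the expected value byte for byte (constant-time comparison)."""
    return hmac.compare_digest(ext_der, acme_identifier_extension_value(token, account_jwk))


def challenge_server_context(certfile: str, keyfile: str) -> ssl.SSLContext:
    """Server context that speaks only acme-tls/1. A client that does not
    offer that ALPN value gets no protocol selected, which is exactly what a
    general-purpose web server cannot hand off to an external program."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_alpn_protocols([ACME_TLS_ALPN])
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


if __name__ == "__main__":
    ext = acme_identifier_extension_value(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    print("key authorization:", key_authorization(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK))
    print("extension", ACME_IDENTIFIER_OID, "value:", ext.hex())
    print("self-check:", validate_extension_value(ext, SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK))
```

The hex printed for the extension value is what goes into the `-addext` style DER argument of whatever tool generates the validation certificate for `SAMPLE_DOMAIN`; once that certificate and key are on disk, `challenge_server_context()` can serve them on port 443 for the duration of the validation. Because the context advertises only `acme-tls/1`, it cannot double as the site's normal TLS endpoint, which is the practical reason the challenge has to be served either by a dedicated listener or by a proxy that routes on ALPN.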


#3

Hi,

Just for information, here is a list of clients that support TLS-ALPN:


#4

There is now a certbot issue to add support for TLS-ALPN-01:

TLS-ALPN-01 support for Certbot #6724