TLS-ALPN-01 verification - 403 unauthorized

I am hosting 2 domains from the same dynamic IP. I recently switched from TLS-SNI-01 to TLS-ALPN-01 after receiving emails from letsencrypt about the EOL for the TLS-SNI-01 verification method. This issue began upon switching to the new verification method. I was able to renew domain 1 with no issues (actually had to use the run argument in lego as if it was the first time getting a cert, but it worked). When I try to get a certificate for the other domain, I get the output you see below. Port 444 is open and forwarded to the appropriate server.

I have not tried other methods. I’m reading mixed reviews about DNS-01 working with Namecheap, so I’m going to skip that for now. I could try http-01, provided that it will work on a nonstandard port such as 81, as port 80 is blocked by my ISP.

I’ve seen a number of posts about this particular error, but nothing I read seemed applicable to my case, unless I overlooked something. Any suggestions/help are greatly appreciated. I have not brought the issue up with the developer of lego as I don’t believe it’s an issue with that tool.

My domain is:

I ran this command:
sudo lego --tls --tls.port :444 --email="" --domains="" --domains="" -a run

It produced this output:

2019/02/05 19:00:16 [INFO] [] AuthURL:    /acme/authz/-Y_Ifqno8y5tPVXf33bB0RVS4ydhnFAA96GFqu9i4Bk
2019/02/05 19:00:16 [INFO] [] AuthURL: /acme/authz/aR58ZA61ujr9kU6wWY3-7zpCDDyYK2VeEzenkeS-i4s
2019/02/05 19:00:16 [INFO] [] acme: use tls-alpn-01 solver
2019/02/05 19:00:16 [INFO] [] acme: use tls-alpn-01 solver
2019/02/05 19:00:16 [INFO] [] acme: Trying to solve TLS-ALPN-01
2019/02/05 19:00:28 [INFO] [] acme: Trying to solve TLS-ALPN-01
2019/02/05 19:00:38 Could not obtain certificates:
acme: Error -> One or more domains had a problem:
[] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge, url: 
[] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge, url:

My web server is (include version): nginx v1.14.0

The operating system my web server runs on is (include version): Ubuntu 18.04.1

My hosting provider, if applicable, is: Namecheap

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): lego v2.1.0

Lego would place a TLS-ALPN listener on port 444 in this case, which would not be visible to the Let's Encrypt validation servers.

TLS-ALPN is operationally complicated because you either need to stop nginx while renewing (so lego can bind to port 443), or you need to do some pretty tricky ALPN-routing to allow h1,h2 to be routed to your regular nginx server, while acme-tls/1 gets routed to lego.

The best thing you can do is just to use HTTP-01 on port 80 (Best Practice - Keep Port 80 Open - Let's Encrypt). But obviously sometimes 80 is blocked by ISP.

Edit: In case it wasn't clear, TLS-ALPN must be performed over port 443 - that's not negotiable under ACME or the CAB/F rules.
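What the validation server actually does on port 443, and why a listener on 444 (or an ordinary nginx listener on 443) cannot satisfy it, shown end to end as an added example. This is illustrative code written for this thread, not lego's implementation: it builds the RFC 8737 challenge certificate (one dNSName SAN plus a critical acmeIdentifier extension holding SHA-256 of the key authorization), serves it on a loopback listener that offers only acme-tls/1, and then runs the CA's check against both that listener and a second one that offers only h2/http/1.1, as a web server that knows nothing about the challenge would. The domain example.test, the key authorization string and the loopback addresses are constructed for the demo; a real CA resolves the name's A/AAAA record and connects to port 443 of that address, nothing else.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"net"
	"time"
)

var oidACMEIdentifier = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31} // id-pe-acmeIdentifier (RFC 8737)
const acmeALPN = "acme-tls/1"                                              // ALPN protocol the CA offers

// challengeCert builds the self-signed certificate a TLS-ALPN-01 responder presents: one dNSName SAN
// (the domain under validation) and a critical acmeIdentifier extension carrying SHA-256(key authorization).
func challengeCert(domain, keyAuth string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	digest := sha256.Sum256([]byte(keyAuth))
	extValue, _ := asn1.Marshal(digest[:]) // a []byte marshals as a DER OCTET STRING
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		DNSNames:        []string{domain},
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: oidACMEIdentifier, Critical: true, Value: extValue}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// serve starts a loopback TLS listener offering the given ALPN protocols: {"acme-tls/1"} makes it behave
// like the challenge responder, {"h2", "http/1.1"} like an ordinary web server (constructed stand-in for 443).
func serve(cert tls.Certificate, protos []string) (net.Listener, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}, NextProtos: protos})
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) { _ = c.(*tls.Conn).Handshake(); c.Close() }(c) // finish the handshake, hang up
		}
	}()
	return ln, nil
}

// validate does what the CA does: connect with SNI = domain and ALPN = acme-tls/1, require that acme-tls/1
// was actually negotiated, then compare the acmeIdentifier extension with the expected key authorization.
func validate(addr, domain, keyAuth string) error {
	conn, err := tls.Dial("tcp", addr, &tls.Config{
		ServerName:         domain,
		NextProtos:         []string{acmeALPN},
		InsecureSkipVerify: true, // the challenge cert is self-signed by design; its content is checked, not its chain
	})
	if err != nil {
		return fmt.Errorf("handshake failed: %w", err)
	}
	defer conn.Close()
	st := conn.ConnectionState()
	if st.NegotiatedProtocol != acmeALPN {
		return fmt.Errorf("cannot negotiate ALPN protocol %q (server selected %q)", acmeALPN, st.NegotiatedProtocol)
	}
	want := sha256.Sum256([]byte(keyAuth))
	for _, ext := range st.PeerCertificates[0].Extensions {
		if !ext.Id.Equal(oidACMEIdentifier) {
			continue
		}
		var got []byte
		if _, err := asn1.Unmarshal(ext.Value, &got); err != nil || !ext.Critical || string(got) != string(want[:]) {
			return fmt.Errorf("acmeIdentifier extension does not match the key authorization")
		}
		return nil
	}
	return fmt.Errorf("no acmeIdentifier extension in the presented certificate")
}

func main() {
	// Constructed values: a made-up domain and key authorization, served on loopback instead of port 443.
	const domain, keyAuth = "example.test", "constructed-token.constructed-thumbprint"
	cert, _ := challengeCert(domain, keyAuth)
	responder, _ := serve(cert, []string{acmeALPN})
	web, _ := serve(cert, []string{"h2", "http/1.1"})
	fmt.Println("challenge responder:", validate(responder.Addr().String(), domain, keyAuth))
	fmt.Println("plain web server:", validate(web.Addr().String(), domain, keyAuth))
}
```

The second run reproduces the failure in the log above: whatever answers the CA's connection on 443 must select acme-tls/1 when offered it, and a server that only speaks h2/http/1.1 produces exactly the "Cannot negotiate ALPN protocol" rejection. That is the routing problem the reply describes: either the responder owns 443 during renewal, or something in front of 443 inspects the ClientHello's ALPN list and hands acme-tls/1 to the responder while everything else goes to nginx.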


Ah, ok. I would have to change the port forwarding so 443 goes to the server instead of the other, as it does currently. That makes automating the certificate renewal impossible. Will http-01 work with a port other than 80, or does it have to be port 80?

These are fixed requirements:

HTTP-01: port 80
TLS-ALPN-01: port 443

If I was in a situation like yours, I would change my nameserver hosting to somewhere like Cloudflare and use DNS-01. It is free, unambiguously better-performing than Namecheap’s nameservers and has first-class support in Certbot. There are also other good DNS hosts supported by Certbot.


Opening port 80 doesn’t increase your risk.
If you can use 80 that would be the simplest.

Thank you for the amazingly prompt feedback and help, I truly appreciate it! I will go the Cloudflare route, I have an account with them and I suppose it’s time I used it. :slight_smile:
