TLS-ALPN-01 verification - 403 unauthorized

I am hosting 2 domains from the same dynamic IP. I recently switched from TLS-SNI-01 to TLS-ALPN-01 after receiving emails from letsencrypt about the EOL for the TLS-SNI-01 verification method. This issue began upon switching to the new verification method. I was able to renew domain 1 with no issues (actually had to use the run argument in lego as if it was the first time getting a cert, but it worked). When I try to get a certificate for the other domain, aurorabox.tech, I get the output you see below. Port 444 is open and forwarded to the appropriate server.

I have not tried other methods. I’m reading mixed reviews about DNS-01 working with Namecheap, so I’m going to skip that for now. I could try http-01, provided that it will work on a nonstandard port such as 81, as port 80 is blocked by my ISP.

I’ve seen a number of posts about this particular error, but nothing I read seemed applicable to my case, unless I overlooked something. Any suggestions/help are greatly appreciated. I have not brought the issue up with the developer of lego as I don’t believe it’s an issue with that tool.

My domain is: aurorabox.tech

I ran this command:
sudo lego --tls --tls.port :444 --email="webmaster@aurorabox.tech" --domains="aurorabox.tech" --domains="www.aurorabox.tech" -a run

It produced this output:

2019/02/05 19:00:16 [INFO] [aurorabox.tech] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/-Y_Ifqno8y5tPVXf33bB0RVS4ydhnFAA96GFqu9i4Bk
2019/02/05 19:00:16 [INFO] [www.aurorabox.tech] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/aR58ZA61ujr9kU6wWY3-7zpCDDyYK2VeEzenkeS-i4s
2019/02/05 19:00:16 [INFO] [aurorabox.tech] acme: use tls-alpn-01 solver
2019/02/05 19:00:16 [INFO] [www.aurorabox.tech] acme: use tls-alpn-01 solver
2019/02/05 19:00:16 [INFO] [aurorabox.tech] acme: Trying to solve TLS-ALPN-01
2019/02/05 19:00:28 [INFO] [www.aurorabox.tech] acme: Trying to solve TLS-ALPN-01
2019/02/05 19:00:38 Could not obtain certificates:
acme: Error -> One or more domains had a problem:
[aurorabox.tech] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge, url: 
[www.aurorabox.tech] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge, url:

My web server is (include version): nginx v1.14.0

The operating system my web server runs on is (include version): Ubuntu 18.04.1

My hosting provider, if applicable, is: Namecheap

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): lego v2.1.0

Lego would place a TLS-ALPN listener on port 444 in this case, which would not be visible to the Let's Encrypt validation servers.

TLS-ALPN is operationally complicated because you either need to stop nginx while renewing (so lego can bind to port 443), or you need to do some pretty tricky ALPN-routing to allow h1,h2 to be routed to your regular nginx server, while acme-tls/1 gets routed to lego.

The best thing you can do is just to use HTTP-01 on port 80 (Best Practice - Keep Port 80 Open - Let's Encrypt). But obviously sometimes 80 is blocked by ISP.

Edit: In case it wasn't clear, TLS-ALPN must be performed over port 443 - that's not negotiable under ACME or the CAB/F rules.

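The "tricky ALPN-routing" mentioned in the reply above means: something must sit on port 443, peek at each TLS ClientHello before any handshake happens, and hand connections that offer ALPN "acme-tls/1" to the ACME solver (lego on :444 here) while everything else (h2, http/1.1) goes to nginx. The following is an added example, not code from the thread, from lego or from nginx: a minimal ClientHello parser that extracts SNI and ALPN and makes that routing decision. The backend addresses are assumptions for illustration, and the ClientHello used as input is constructed by the script, not captured traffic. (nginx can do the same pre-read natively via the stream module's $ssl_preread_alpn_protocols, but that variable appeared in 1.15.2, after the 1.14.0 in this thread.)

```python
"""ALPN-aware demultiplexing of a TLS ClientHello (added example, not project code).

A pre-read proxy on :443 reads only the first record from the client, looks
at the ALPN extension, and picks a backend. No TLS is terminated here, so
lego can still complete the TLS-ALPN-01 handshake itself on its own port.
"""
import struct

ACME_ALPN = "acme-tls/1"   # ALPN id mandated for TLS-ALPN-01 (RFC 8737)
EXT_SNI = 0                # server_name extension type
EXT_ALPN = 16              # application_layer_protocol_negotiation type

# Assumed backends for this example: nginx moved to 8443, lego on --tls.port :444.
BACKENDS = {"acme": ("127.0.0.1", 444), "web": ("127.0.0.1", 8443)}


def parse_client_hello(data: bytes) -> dict:
    """Return {'sni': str|None, 'alpn': [str]} from a raw TLS record carrying a ClientHello."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 2 + 32                                   # client_version + random
    sid_len = hello[pos]; pos += 1 + sid_len       # legacy session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2 + cs_len
    comp_len = hello[pos]; pos += 1 + comp_len
    result = {"sni": None, "alpn": []}
    if pos + 2 > len(hello):
        return result                              # no extensions block at all
    ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
        edata = hello[pos:pos + elen]; pos += elen
        if etype == EXT_SNI and len(edata) >= 5:
            # list_len(2) name_type(1) name_len(2) name
            name_len = struct.unpack("!H", edata[3:5])[0]
            result["sni"] = edata[5:5 + name_len].decode("ascii", "replace")
        elif etype == EXT_ALPN and len(edata) >= 2:
            # list_len(2) then repeated proto_len(1) + proto
            p = 2
            while p < len(edata):
                n = edata[p]; p += 1
                result["alpn"].append(edata[p:p + n].decode("ascii", "replace")); p += n
    return result


def choose_backend(data: bytes):
    """Route by ALPN: acme-tls/1 goes to the ACME solver, everything else to the web server."""
    info = parse_client_hello(data)
    key = "acme" if ACME_ALPN in info["alpn"] else "web"
    return key, BACKENDS[key], info


def build_client_hello(sni: str, alpn: list) -> bytes:
    """Construct a minimal TLS ClientHello record as sample input (constructed, not captured)."""
    def ext(etype, body):
        return struct.pack("!HH", etype, len(body)) + body
    name = sni.encode()
    sni_ext = ext(EXT_SNI, struct.pack("!HBH", len(name) + 3, 0, len(name)) + name)
    protos = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
    alpn_ext = ext(EXT_ALPN, struct.pack("!H", len(protos)) + protos)
    exts = sni_ext + alpn_ext
    hello = (b"\x03\x03" + b"\x00" * 32 + b"\x00"       # version, random, empty session id
             + struct.pack("!H", 2) + b"\x13\x01"       # one cipher suite
             + b"\x01\x00"                              # one compression method: null
             + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for protos in (["acme-tls/1"], ["h2", "http/1.1"]):
        key, addr, info = choose_backend(build_client_hello("aurorabox.tech", protos))
        print(f"sni={info['sni']} alpn={info['alpn']} -> {key} {addr}")
```

The validator's error "Cannot negotiate ALPN protocol acme-tls/1" is exactly what happens when whatever answers on :443 never sees the acme-tls/1 offer (nginx, or a different server behind the port forward): the demuxer above is the piece that would forward such a ClientHello to lego instead.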

Ah, ok. I would have to change the port forwarding so 443 goes to the aurorabox.tech server instead of the other, as it does currently. That makes automating the certificate renewal impossible. Will http-01 work with a port other than 80, or does it have to be port 80?

These are fixed requirements:

HTTP-01: port 80
TLS-ALPN-01: port 443

If I were in a situation like yours, I would change my nameserver hosting to somewhere like Cloudflare and use DNS-01. It is free, unambiguously better-performing than Namecheap’s nameservers and has first-class support in Certbot. There are also other good DNS hosts supported by Certbot.


Opening port 80 doesn’t increase your risk.
If you can use 80 that would be the simplest.

Thank you for the amazingly prompt feedback and help, I truly appreciate it! I will go the Cloudflare route, I have an account with them and I suppose it’s time I used it. :slight_smile:
