I have a server which is using client certificates for authentication. Client certificates are required and verified against a custom local CA (the only one in the pool), so that only authorized clients can connect. Of course, this means that when the tls-sni-01 validator connects to complete the challenge it gets rejected.
My question is if the tls-sni-01 validator sends a client-certificate I could add to the CA pool (so it could be verified)? Alternatively, I know the FAQ says the validator IPs may change, but maybe there is some other criteria I could use to determine if a request is from the letsencrypt validator and disable client-certificate verification for that request?
tls-sni-01 is much more convenient, but is dns-based verification my only option?
Client certificates aren’t part of the ACME protocol and so they aren’t sent by Let’s Encrypt for the TLS-SNI-01 validation. Unfortunately, I think the consequence of this is what you thought: you won’t be able to use TLS-SNI-01 validation in your environment.
But you might consider using the criterion that the SNI name requested ends in .acme.invalid. This could be more attack surface than you want, but arguably no virtualhost/request router will match such a name outside of the context of TLS-SNI-01 validation, and so requests could still be rejected quickly if they aren’t legitimate.