Using port 443 for renewal after TLS-SNI is disabled

I split your post into a separate discussion.

Certbot doesn't support TLS-ALPN at all.

You might look at this thread: Which client support tls-alpn challenge?

Unfortunately, TLS-ALPN is operationally a lot more complicated than TLS-SNI was. Native webserver support is very sparse.

For example, if you want to use e.g. acme.sh's TLS-ALPN support, the suggested workflow is to stop nginx (in a pre-hook), run acme.sh (it will bind to port 443 and perform renewal), and then start nginx again (in a post-hook).

If you have nginx compiled with the SSL pre-read module, you can do it without stopping your server, but it causes some convoluted configuration.

lego also supports TLS-ALPN in a similar way (standalone mode).

Finally, you can also totally replace or front nginx with Caddy, which makes using TLS-ALPN very easy, but it's a pretty big change to your infrastructure.

The tl;dr is, if you can keep 80 open or use the DNS challenge, it simplifies things a lot. Using TLS-ALPN is not very convenient at the moment, but not impossible.

Edit:

HSTS is a browser thing, not an HTTP protocol thing. It doesn't affect the ACME protocol, so you can keep using 80 in its presence.
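Added example, not from the original post or any of the clients it mentions: the "SSL pre-read" arrangement the reply alludes to, expressed as an nginx config that keeps the server running and routes only the `acme-tls/1` ALPN handshake on port 443 to the ACME client. It assumes nginx is built with the stream and stream_ssl_preread modules, the ACME client listens locally on 10443 (e.g. acme.sh `--alpn --tlsport 10443`), the real HTTPS vhost is moved to 127.0.0.1:8443, and the certificate paths are placeholders.

```nginx
# Constructed example. nginx must be built with --with-stream and
# --with-stream_ssl_preread_module; the ACME client answers TLS-ALPN-01
# on 127.0.0.1:10443 (assumption: acme.sh --alpn --tlsport 10443).
stream {
    # ssl_preread parses the ClientHello without decrypting anything,
    # so the ALPN list is available before any certificate is chosen.
    # A TLS-ALPN-01 validator advertises exactly "acme-tls/1".
    map $ssl_preread_alpn_protocols $backend {
        ~\bacme-tls/1\b  127.0.0.1:10443;   # ACME validation traffic
        default          127.0.0.1:8443;    # everything else: real HTTPS vhosts
    }

    server {
        listen 443;
        listen [::]:443;
        ssl_preread on;
        proxy_pass $backend;
    }
}

http {
    server {
        # The real site sits behind the stream proxy on a loopback port.
        # Client IPs seen here are 127.0.0.1 unless PROXY protocol is used.
        listen 127.0.0.1:8443 ssl;
        server_name example.com;
        # Placeholder paths; use the location your ACME client writes to.
        ssl_certificate     /path/to/fullchain.pem;
        ssl_certificate_key /path/to/privkey.pem;
        root /var/www/example.com;
    }
}
```

The cost is that the HTTP server no longer sees the original client address, which is what the reply means by "convoluted": you either live with loopback addresses in logs and access controls, or enable PROXY protocol on both sides.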
