Which client support tls-alpn challenge?


I want to use the client in asuswrt merlin, just because port 80 has been blocked by the ISP.

I can use acme.sh, but it seems that this client doesn't support TLS-ALPN.
Any suggestions?

Thanks a lot for the help!


Related: So how are we bringing TLS-ALPN to the masses?

TLS-SNI is not likely to be something that individual users will be using, at least not for a while.

These seem to support TLS-ALPN-01 (updated 2019-01-18):

Web servers compatible with TLS-ALPN-01:


I see, thanks a lot.
Then can I renew a certificate with some client through port 443?


(2018-11-19: moved client list to first post)

Another solution would be a DNS challenge


Two other ACME clients I know have TLS-ALPN-01 support:


Thanks for replies, I’ll try them.



Net::ACME2 supports it as well.


I use lego to get the right certificates.



(I reopened the subject so answers can be posted to ask to update the list)


@tdelmas Apache mod_md has added experimental support for TLS-ALPN-01 in the v1.99.0 release: https://github.com/icing/mod_md/releases/tag/v1.99.0


You need a patched mod_ssl.

Hope to see this upstreamed! Very exciting, we might be able to get back to ease-of-use of the TLS-SNI days.


lighttpd 1.4.53 supports TLS-ALPN-01 without the need to shut down the web server to handle TLS-ALPN-01 verification challenges. (lighttpd still needs to be restarted to begin using updated certificates)



This post should be rewritten to emphasize that dehydrated supports TLS-ALPN-01 for cert renewals - so that it won’t be misinterpreted to read (as written):
“lighttpd 1.4.53 supports TLS-ALPN-01 …”


dehydrated already has its own line:

I wanted to emphasize that you can use TLS-ALPN-01 with lighttpd (as you can with apache2). But I'll try to reorganize it.


I meant the post just above mine: