i want to use the client in asuswrt merlin, just because port 80 has been blocked by ISP.
i can use acme.sh, but it seemed that this client doesn’t support tls-alpn.
any suggestions?
thanks a lot for help!
i want to use the client in asuswrt merlin, just because port 80 has been blocked by ISP.
i can use acme.sh, but it seemed that this client doesn’t support tls-alpn.
any suggestions?
thanks a lot for help!
Related: So how are we bringing TLS-ALPN to the masses?
TLS-SNI it’s not likely to be something that individual users will be using, at least not for a while.
These seem to support TLS-ALPN-01 (updated 2020-03-13):
v1.99.0 release: Release mod_md v1.99.0 · icing/mod_md · GitHub)Web servers compatible with TLS-ALPN-01:
i see, thanks a lot.
then can i renew a certification by some client through port 443?
(2018-11-19: moved client list to first post)
Another solution would be a DNS challenge
Two other ACME clients I know have TLS-ALPN-01 support:
Thanks for replies, I’ll try them.
Net::ACME2 supports it as well.
i use lego to get right certifications
(I reopened the subject so answers can be posted to ask to update the list)
@tdelmas Apache mod_md has added experimental support for TLS-ALPN-01 in the v1.99.0 release: https://github.com/icing/mod_md/releases/tag/v1.99.0
you need a patched mod_ssl
Hope to see this upstreamed! Very exciting, we might be able to get back to ease-of-use of the TLS-SNI days.
lighttpd 1.4.53 supports TLS-ALPN-01 without the need to shut down the web server to handle TLS-ALPN-01 verification challenges. (lighttpd still needs to be restarted to begin using updated certificates)
https://redmine.lighttpd.net/projects/lighttpd/wiki/HowToSimpleSSL
This post should be rewritten to emphasize that dehydrated supports TLS-ALPN-01 for cert renewals - so that it won’t be misinterpreted to read (as written):
“lighttpd 1.4.53 supports TLS-ALPN-01 …”
dehydrated already have it's own line:
I wanted to emphasis that you can use TLS-ALPN-01 with lighttpd (as you can with apache2). But I'll try reorganize it.
I meant the post just above mine:
Just to add that ualpn should make TLS-ALPN-01 work with any webserver, without downtime.
This is no longer experimental; the branch is now merged to master. Note that the proxying tls-alpn-01 responder is a standalone program and does not necessarily require uacme; it shouldn't be difficult to integrate other ACME clients with it.
Edit: forgot to mention a short tutorial on how to get tls-alpn-01 working