Which client support tls-alpn challenge?

Related: So how are we bringing TLS-ALPN to the masses?

TLS-SNI it’s not likely to be something that individual users will be using, at least not for a while.

These seams to support TLS-ALPN-01 (updated 2020-03-13):

Web servers compatible with TLS-ALPN-01:

2 Likes

i see, thanks a lot.
then can i renew a certification by some client through port 443?

(2018-11-19: moved client list to first post)

Another solution would be a DNS challenge

1 Like

Two other ACME clients I know have TLS-ALPN-01 support:

1 Like

Thanks for replies, I’ll try them.

1 Like

Net::ACME2 supports it as well.

2 Likes

i use lego to get right certifications

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

(I reopened the subject so answers can be posted to ask to update the list)

2 Likes

@tdelmas Apache mod_md has added experimental support for TLS-ALPN-01 in the v1.99.0 release: https://github.com/icing/mod_md/releases/tag/v1.99.0

4 Likes

you need a patched mod_ssl

Hope to see this upstreamed! Very exciting, we might be able to get back to ease-of-use of the TLS-SNI days.

1 Like

lighttpd 1.4.53 supports TLS-ALPN-01 without the need to shut down the web server to handle TLS-ALPN-01 verification challenges. (lighttpd still needs to be restarted to begin using updated certificates)

https://redmine.lighttpd.net/projects/lighttpd/wiki/HowToSimpleSSL

4 Likes

This post should be rewritten to emphasize that dehydrated supports TLS-ALPN-01 for cert renewals - so that it won’t be misinterpreted to read (as written):
“lighttpd 1.4.53 supports TLS-ALPN-01 …”

dehydrated already have it’s own line:

I wanted to emphasis that you can use TLS-ALPN-01 with lighttpd (as you can with apache2). But I’ll try reorganize it.

1 Like

I meant the post just above mine:

1 Like

Just to add that ualpn should make TLS-ALPN-01 work with any webserver, without downtime.

This is no longer experimental; the branch is now merged to master. Note that the proxying tls-alpn-01 responder is a standalone program and does not necessarily require uacme; it shouldn’t be difficult to integrate other ACME clients with it.

Edit: forgot to mention a short tutorial on how to get tls-alpn-01 working

2 Likes

I’ve also written an experimental Certbot plugin: