Which client supports tls-alpn challenge?


#1

I want to use the client in asuswrt merlin, just because port 80 has been blocked by ISP.

I can use acme.sh, but it seemed that this client doesn’t support tls-alpn.
Any suggestions?

Thanks a lot for help!


#2

Related: So how are we bringing TLS-ALPN to the masses?

TLS-SNI is not likely to be something that individual users will be using, at least not for a while.

These seem to support TLS-ALPN-01 (updated 2019-01-18):

Web servers compatible with TLS-ALPN-01:


#3

I see, thanks a lot.
Then can I renew a certification by some client through port 443?


#4

(2018-11-19: moved client list to first post)

Another solution would be a DNS challenge


#5

Two other ACME clients I know have TLS-ALPN-01 support:


#6

Thanks for replies, I’ll try them.


#7

#8

Net::ACME2 supports it as well.


#9

I use lego to get right certifications


closed #10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.


opened #11

#12

(I reopened the subject so answers can be posted to ask to update the list)


#13

@tdelmas Apache mod_md has added experimental support for TLS-ALPN-01 in the v1.99.0 release: https://github.com/icing/mod_md/releases/tag/v1.99.0


#14

You need a patched mod_ssl

Hope to see this upstreamed! Very exciting, we might be able to get back to ease-of-use of the TLS-SNI days.


#15

lighttpd 1.4.53 supports TLS-ALPN-01 without the need to shut down the web server to handle TLS-ALPN-01 verification challenges. (lighttpd still needs to be restarted to begin using updated certificates)

https://redmine.lighttpd.net/projects/lighttpd/wiki/HowToSimpleSSL


#16

This post should be rewritten to emphasize that dehydrated supports TLS-ALPN-01 for cert renewals - so that it won’t be misinterpreted to read (as written):
“lighttpd 1.4.53 supports TLS-ALPN-01 …”


#17

dehydrated already has its own line:

I wanted to emphasize that you can use TLS-ALPN-01 with lighttpd (as you can with apache2). But I’ll try to reorganize it.


#18

I meant the post just above mine: