[Feature] fallback to HTTP-01 Challenge when using TLS-ALPN-01 Challenge when attempting SSL #199
Comments
For example, something like this in the config would be a pretty intuitive way to do this, I think:

```toml
# Global ACME settings. Unless specified, ACME is disabled.
[experimental.acme]
dir_url = "https://localhost:14000/dir" # optional. default is "https://acme-v02.api.letsencrypt.org/directory"
enable_http-challenge_fallback = true
email = "test@example.com"
registry_path = "./acme_registry"
```

because the crate you are already using supports this type of challenge already.
Sorry for my delayed reply. Thank you for your proposal and relevant information. I think falling back to HTTP-01 sounds maybe reasonable, although I have never faced such a situation. Honestly, I am not convinced that TLS-ALPN-01 is insufficient, and I also think that it is a bit tricky to integrate with the current mechanism. So we should carefully consider how the internal component of
@junkurihara sorry for the late reply, what about adding a secondary method of issuing certificates via the HTTP-01 Challenge? It would be very useful.
In a scenario where you are trying to renew a certificate or are failing the TLS-ALPN-01 challenge for the first time (human error in config, non-standard networking in a docker container, etc.), it would be nice and advantageous in production environments to fall back on the HTTP-01 Challenge.
my conversation with chatgpt:
TLS-ALPN-01 challenge is different from the HTTP-01 challenge in the way it verifies domain ownership. While both challenges are part of the ACME (Automatic Certificate Management Environment) protocol, they work in distinct ways:

HTTP-01 Challenge

How It Works: Certbot sets up a temporary HTTP server (on port 80) to serve a specific token at a well-known URL path (e.g., http://example.com/.well-known/acme-challenge/XYZ). The Certificate Authority (CA) sends an HTTP request to your domain, retrieves the token, and verifies it matches what it expects.
Port Requirement: The challenge requires port 80 (HTTP) to be accessible and free on the server.
Use Case: This is the most commonly used challenge, especially for websites that use HTTP/HTTPS traffic.

TLS-ALPN-01 Challenge

How It Works: The TLS-ALPN-01 challenge uses the Application-Layer Protocol Negotiation (ALPN) extension of TLS. Instead of creating an HTTP request, the CA connects directly to your server over port 443 (the HTTPS port) and attempts to negotiate a TLS handshake with a special ALPN protocol (acme-tls/1).
I'm a big fan. this project saved my ass and surprisingly works on an old Alpine linux server.
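To make the proposed fallback concrete, here is an added example (not code from this project, its maintainer, or the ACME crate it uses) that computes what each challenge type actually has to present, and sketches the client-side ordering logic. The key authorization (token + "." + account-key thumbprint, RFC 8555 §8.1) is served verbatim for HTTP-01, while TLS-ALPN-01 (RFC 8737) puts its SHA-256 digest into the acmeIdentifier certificate extension and negotiates the `acme-tls/1` ALPN value. The sample JWK, tokens, URLs and the `new_order`/`respond` callbacks are all constructed stand-ins. One caveat the fallback has to respect: when a challenge fails, the CA marks its authorization invalid (RFC 8555 §7.1.6), so the retry must start from a new order rather than re-poking the old authorization.

```python
from __future__ import annotations
import base64
import hashlib
import json
from typing import Callable, Optional

ACME_TLS_ALPN = b"acme-tls/1"  # ALPN protocol id the CA negotiates for TLS-ALPN-01 (RFC 8737)


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over canonical JSON of the key's required members."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Shared by both challenge types: proves control of the ACME account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(token: str, jwk: dict) -> tuple[str, bytes]:
    """HTTP-01: body the server must return on port 80 at the well-known path."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk).encode("ascii")


def tls_alpn01_extension_value(token: str, jwk: dict) -> bytes:
    """TLS-ALPN-01: DER OCTET STRING of SHA-256(keyAuthorization) for the acmeIdentifier extension."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return bytes([0x04, len(digest)]) + digest  # 0x04 = OCTET STRING tag, 32-byte digest


def pick_challenge(authz: dict, preference: list[str]) -> Optional[dict]:
    """Choose the first challenge type from `preference` that the CA actually offered."""
    offered = {c["type"]: c for c in authz["challenges"]}
    for typ in preference:
        if typ in offered:
            return offered[typ]
    return None


def issue_with_fallback(new_order: Callable[[], dict],
                        respond: Callable[[dict], bool],
                        preference: tuple[str, ...] = ("tls-alpn-01", "http-01")):
    """Try challenge types in order; a failed challenge invalidates the authorization,
    so every retry begins with a fresh order. Returns (winning type or None, attempts)."""
    remaining = list(preference)
    attempts: list[tuple[str, bool]] = []
    while remaining:
        authz = new_order()                      # simulated POST /newOrder + authz fetch
        ch = pick_challenge(authz, remaining)
        if ch is None:
            break                                # CA offers none of the remaining types
        ok = respond(ch)                         # simulated respond + poll until valid/invalid
        attempts.append((ch["type"], ok))
        if ok:
            return ch["type"], attempts
        remaining = remaining[remaining.index(ch["type"]) + 1:]
    return None, attempts


# Constructed sample account key in JWK form (placeholder coordinates, not a real key).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}


def sample_authz() -> dict:
    """Constructed stand-in for the authorization object a CA returns for one identifier."""
    return {"identifier": {"type": "dns", "value": "example.com"}, "status": "pending",
            "challenges": [{"type": "tls-alpn-01", "url": "https://ca.example/chall/1", "token": "A1b2C3d4"},
                           {"type": "http-01", "url": "https://ca.example/chall/2", "token": "E5f6G7h8"}]}


def demo() -> tuple[Optional[str], list[tuple[str, bool]], int]:
    """Simulate TLS-ALPN-01 failing (e.g. port 443 not reachable) and HTTP-01 succeeding."""
    orders = 0

    def new_order() -> dict:
        nonlocal orders
        orders += 1
        return sample_authz()

    winner, attempts = issue_with_fallback(new_order, lambda ch: ch["type"] == "http-01")
    return winner, attempts, orders


if __name__ == "__main__":
    print(http01_response("A1b2C3d4", SAMPLE_JWK))
    print(tls_alpn01_extension_value("A1b2C3d4", SAMPLE_JWK).hex())
    print(demo())
```

The `respond` callback stands in for the real POST-to-challenge-URL plus polling loop; what the example shows is the selection and retry shape a config flag like the proposed `enable_http-challenge_fallback` would drive, and why the retry needs a new order instead of reusing the failed authorization.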