TLS-ALPN-01 Validation?

Are there plans to incorporate TLS-ALPN-01 validation into the Certify application? I’m currently running into “roadblocks” that are (apparently) preventing me from using either HTTP-01 or DNS-01 validation. I’m not sure whether or not the TLS-ALPN-01 validation would actually be a solution to the issues I’m encountering but, in my extremely limited experience, I’m running out of ideas for how to finally get all of my SSL certificates migrated to Let’s Encrypt and automate the process of renewals so I can move on to other projects.


For a more detailed explanation of what I’m trying to accomplish, the issues I’m running into, and the questions I can’t seem to work out on my own, please refer to my question on StackOverflow:
Automated ACME subdomain SSL certificate generation for resources on different IP addresses

Hi, no. TLS-ALPN-01 is basically like a fancy version of HTTP validation: it still means that your domain has to point to the same server running validation (i.e. the server with Certify on it), but the response is not an HTTP response, it's a specially crafted TLS conversation.

We are probably not going to support it until our service is fully migrated to .NET 6 (the 4.x version of .NET commonly found on computers can't work with TLS in the way that's required). You could possibly use win-acme to do TLS-ALPN-01 because it's a single exe built using .NET Core, but I can't help there :slight_smile:

The solution you need is DNS validation, and if you don't want to move to a DNS provider that has a supported API then you need to use DNS challenge delegation. This is where you create a CNAME (alias/redirection) record in DNS for each domain/subdomain that in turn points to an automated challenge validation service. The most common implementation of this is acme-dns (GitHub - joohoi/acme-dns: Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely.), which you generally host yourself, but they also provide a hosted one to try out.

The problem with not hosting your acme-dns yourself is that there is a risk that the provider of that service would theoretically be able to generate certificates for your domain if they wanted to (or if they lost control of their server to a bad guy), for as long as you have a CNAME pointing to their service. To that end, we recently introduced Certify DNS, which is a cloud hosted, managed, alternative implementation of acme-dns (currently free in beta, but will eventually be a small monthly fee): certifydns | Certify The Web Docs

So basically, try Certify DNS. You just need access to your DNS control panel to set up those initial CNAME records for each certificate; from there on it will all be automatic.

1 Like
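The delegation flow described in the reply above (a `_acme-challenge` CNAME per domain pointing at an acme-dns style service, the CA following that CNAME and reading a TXT record), as an added example that is not code from Certify The Web, acme-dns or the thread's author. It uses a constructed in-memory zone instead of real DNS so it runs offline; `example.com`, `auth.acme-dns.example`, the record names, the token and the account thumbprint are all placeholders. The TXT value computation follows RFC 8555 section 8.4; the final `audit_delegations` function is the check the reply's warning implies: list every `_acme-challenge` CNAME whose chain ends outside a zone you control.

```python
"""Simulated DNS-01 validation with CNAME delegation (acme-dns style).

Added example, not code from Certify The Web or acme-dns. Every name below
is a constructed placeholder; a real deployment would replace `lookup`
with actual DNS queries.
"""
import base64
import hashlib

MAX_CNAME_HOPS = 8  # resolvers cap chain length; do the same to avoid loops

# Constructed in-memory DNS data: owner name -> list of (rtype, value).
# Two domains delegate to a self-hosted acme-dns zone; one forgotten record
# still points at a third-party hosted service.
ZONE = {
    "_acme-challenge.www.example.com.": [("CNAME", "a1b2c3-constructed.auth.acme-dns.example.")],
    "_acme-challenge.api.example.com.": [("CNAME", "d4e5f6-constructed.auth.acme-dns.example.")],
    "_acme-challenge.old.example.com.": [("CNAME", "7890ab-constructed.auth.hosted-provider.example.")],
    "a1b2c3-constructed.auth.acme-dns.example.": [],
    "d4e5f6-constructed.auth.acme-dns.example.": [],
    "7890ab-constructed.auth.hosted-provider.example.": [],
}


def lookup(name, rtype, zone=ZONE):
    """Stand-in for a DNS query: records of one type at one owner name."""
    return [v for t, v in zone.get(name, []) if t == rtype]


def follow_cnames(name, zone=ZONE):
    """Return (final_name, chain) after following CNAMEs like a resolver would."""
    chain = [name]
    for _ in range(MAX_CNAME_HOPS):
        targets = lookup(name, "CNAME", zone)
        if not targets:
            return name, chain
        name = targets[0]
        chain.append(name)
    raise ValueError("CNAME chain too long or looping: " + " -> ".join(chain))


def b64url(data: bytes) -> str:
    """Unpadded base64url, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def dns01_txt_value(token: str, account_thumbprint: str) -> str:
    """RFC 8555 s8.4: TXT value = base64url(SHA-256(token '.' JWK thumbprint))."""
    key_authorization = f"{token}.{account_thumbprint}".encode()
    return b64url(hashlib.sha256(key_authorization).digest())


def publish_challenge(delegated_name, value, zone=ZONE):
    """What the acme-dns update API does: replace the TXT at the delegated name."""
    zone[delegated_name] = [(t, v) for t, v in zone.get(delegated_name, []) if t != "TXT"]
    zone[delegated_name].append(("TXT", value))


def validate_dns01(domain, token, thumbprint, zone=ZONE):
    """CA-side check: resolve _acme-challenge.<domain>, follow the CNAME, compare TXT."""
    final_name, chain = follow_cnames(f"_acme-challenge.{domain}.", zone)
    expected = dns01_txt_value(token, thumbprint)
    return expected in lookup(final_name, "TXT", zone), chain


def audit_delegations(domains, trusted_suffix, zone=ZONE):
    """Defender check: True if the delegation ends in a zone you control, else False.

    Any False entry is a CNAME that lets whoever runs that zone pass DNS-01
    for the domain, which is the risk the reply above describes.
    """
    results = {}
    for d in domains:
        final_name, _ = follow_cnames(f"_acme-challenge.{d}.", zone)
        results[d] = final_name.endswith(trusted_suffix)
    return results


if __name__ == "__main__":
    token, thumbprint = "constructed-token", "constructed-jwk-thumbprint"
    # Client side: find where the challenge must be written, then publish it.
    _, chain = follow_cnames("_acme-challenge.www.example.com.")
    publish_challenge(chain[-1], dns01_txt_value(token, thumbprint))
    # CA side: follow the same chain and compare.
    ok, chain = validate_dns01("www.example.com", token, thumbprint)
    print("validated:", ok, "via", " -> ".join(chain))
    print(audit_delegations(["www.example.com", "api.example.com", "old.example.com"],
                            ".auth.acme-dns.example."))
```

To run the audit against live DNS, replace `lookup` with real queries (for example dnspython's `dns.resolver.resolve(name, rtype)`, assumed available) and feed it the list of domains you issue certificates for; the suffix you pass to `audit_delegations` is the zone of the acme-dns or Certify DNS instance you actually intend to trust.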

Thank you so much. The idea of implementing acme-dns honestly sounds like a great solution. I’m sure that moving my DNS zone to our domain registrar would probably work just fine since they do have an API I could use, but I like the idea of having the SSL validation separated and under my control, even if it requires some additional setup. I’ve not worked with Go before but I assume acme-dns can be run on a Windows server.

Generally you would install acme-dns on a Linux server, and it should be separate from any production web server etc. because DNS is constantly subject to random traffic from the internet. You can make it work on Windows but I wouldn't recommend it.

Certify DNS (which is like acme-dns) is currently free, so you may want to try that service first before deciding if you want to run your own acme-dns instance; it just depends how comfortable you are setting up the acme-dns server stuff.

1 Like