TLS-ALPN-01 Challenge
The TLS-ALPN-01 Challenge validates domain control through a TLS handshake on port 443, useful when port 80 is blocked.
How does it work?
Step by step:
- Let's Encrypt generates a unique token for the challenge
- The ACME client builds a temporary self-signed certificate for the domain that carries the token (as the SHA-256 digest of the key authorization, inside the acmeIdentifier certificate extension)
- The server answers TLS connections on port 443 that negotiate the ALPN protocol `acme-tls/1` with that certificate
- Let's Encrypt connects with SNI set to the domain and ALPN `acme-tls/1`, then verifies the token via the certificate extension
- The real certificate is issued after validation
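The exchange those steps describe, written out as an added example (it is not part of the original page and is not code from Let's Encrypt, Caddy, Traefik or any ACME client). The function names, the constructed token and thumbprint values, and the use of an in-memory pipe in place of a listener on port 443 are all assumptions made here; the certificate contents and checks follow RFC 8737:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// id-pe-acmeIdentifier (RFC 8737) and the ALPN protocol name the validator requires.
var oidACMEIdentifier = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31}
const acmeALPN = "acme-tls/1"

// KeyAuthorization joins the CA-issued token with the account key thumbprint.
func KeyAuthorization(token, thumbprint string) string { return token + "." + thumbprint }

// BuildChallengeCert is the ACME client's step: a self-signed certificate with a single dNSName
// SAN and a critical acmeIdentifier extension holding SHA-256(keyAuth) as a DER OCTET STRING.
func BuildChallengeCert(domain, keyAuth string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	digest := sha256.Sum256([]byte(keyAuth))
	extValue, _ := asn1.Marshal(digest[:]) // a []byte marshals as an OCTET STRING
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		DNSNames:        []string{domain},
		NotAfter:        time.Now().Add(time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: oidACMEIdentifier, Critical: true, Value: extValue}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// VerifyChallengeCert is the validator's step (RFC 8737 section 3): exactly one dNSName equal
// to the requested domain, plus a critical acmeIdentifier extension carrying the expected digest.
func VerifyChallengeCert(cert *x509.Certificate, domain, keyAuth string) error {
	if len(cert.DNSNames) != 1 || cert.DNSNames[0] != domain {
		return fmt.Errorf("SAN mismatch: got %v, want [%s]", cert.DNSNames, domain)
	}
	want := sha256.Sum256([]byte(keyAuth))
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidACMEIdentifier) {
			continue
		}
		var got []byte
		if rest, err := asn1.Unmarshal(ext.Value, &got); err != nil || len(rest) != 0 {
			return errors.New("acmeIdentifier value is not a single OCTET STRING")
		}
		if !ext.Critical || subtle.ConstantTimeCompare(got, want[:]) != 1 {
			return errors.New("acmeIdentifier extension not critical, or key authorization digest mismatch")
		}
		return nil
	}
	return errors.New("acmeIdentifier extension missing")
}

// Handshake runs the TLS exchange over an in-memory pipe instead of port 443: the server offers only
// acme-tls/1 and the challenge cert; the client plays the validator (SNI=domain, ALPN acme-tls/1) and
// skips chain verification on purpose, because the cert is judged by its extension, not by a trust path.
func Handshake(cert tls.Certificate, domain string) (*x509.Certificate, error) {
	srvRaw, cliRaw := net.Pipe() // unbuffered, so both sides must run concurrently
	srv := tls.Server(srvRaw, &tls.Config{NextProtos: []string{acmeALPN}, Certificates: []tls.Certificate{cert}, SessionTicketsDisabled: true})
	cli := tls.Client(cliRaw, &tls.Config{ServerName: domain, NextProtos: []string{acmeALPN}, InsecureSkipVerify: true})
	go srv.Handshake()
	if err := cli.Handshake(); err != nil {
		return nil, err
	}
	st := cli.ConnectionState()
	if st.NegotiatedProtocol != acmeALPN {
		return nil, fmt.Errorf("negotiated ALPN %q, want %q", st.NegotiatedProtocol, acmeALPN)
	}
	return st.PeerCertificates[0], nil
}

func main() {
	keyAuth := KeyAuthorization("tok-constructed", "thumb-constructed") // constructed sample values
	cert, err := BuildChallengeCert("domain.com", keyAuth)
	if err != nil {
		panic(err)
	}
	leaf, err := Handshake(cert, "domain.com")
	if err != nil {
		panic(err)
	}
	fmt.Println("validation result (nil means success):", VerifyChallengeCert(leaf, "domain.com", keyAuth))
}
```

Two design points worth noticing: the validator never trusts the self-signed certificate as such (chain verification is off), it trusts only the digest it can recompute from the token and the account key; and the extension must be critical so that no general-purpose TLS client will accept this throwaway certificate for anything else.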
When to use TLS-ALPN-01?
| Scenario | Why use TLS-ALPN-01? |
|---|---|
| Port 80 blocked | Firewall or ISP blocks HTTP |
| HTTPS only | Server only accepts TLS connections |
| No DNS access | Cannot create TXT records |
Requirements
- Port 443 publicly accessible
- Server capable of responding with the ALPN protocol `acme-tls/1`
- ACME client support for TLS-ALPN-01
Using with Certbot
Certbot does not natively support TLS-ALPN-01. Use one of the alternatives below:
Caddy (native support)
Caddy has built-in support and automatically picks between HTTP-01 and TLS-ALPN-01, so no challenge-specific configuration is needed:
```caddyfile
# Caddyfile - Automatic HTTPS
domain.com {
    reverse_proxy localhost:3000
}
```
acme.sh with standalone TLS
```sh
# Standalone ALPN listener on port 443 (nothing else may be bound to 443 while it runs)
acme.sh --issue --alpn -d domain.com
# With a web server already on port 443: stop it for the challenge and restart it afterwards
# (replace the hook commands with the ones for your own web server)
acme.sh --issue --alpn -d domain.com \
  --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"
```
Traefik
Traefik natively supports TLS-ALPN-01:
```yaml
# traefik.yml
certificatesResolvers:
  letsencrypt:
    acme:
      email: admin@domain.com   # placeholder; use your own contact address
      storage: acme.json
      tlsChallenge: {}          # uses TLS-ALPN-01
```
Limitations
TLS-ALPN-01 does NOT support:
- Wildcard certificates (`*.domain.com`)
- Multiple domains in a single challenge (each name needs its own TLS-ALPN-01 validation, although one certificate can still list several validated names)
For these cases, use the DNS-01 Challenge.
Advantages and Disadvantages
Advantages:
- Works when port 80 is blocked
- Validation happens entirely inside the TLS handshake, so no plain-HTTP listener has to be exposed
- Does not require DNS access
Disadvantages:
- Does not support wildcards
- Fewer ACME clients support it
- Requires an ALPN-capable server
- More complex to debug
Method comparison
| Feature | HTTP-01 | DNS-01 | TLS-ALPN-01 |
|---|---|---|---|
| Required port | 80 | None | 443 |
| Wildcard | No | Yes | No |
| Internal server | No | Yes | No |
| Complexity | Low | Medium | Medium |
| Support | Wide | Wide | Limited |