Feature #2931

Support for TLS-ALPN-01

Added by DavidAnderson684 9 months ago. Updated 9 months ago.



With the removal of TLS-SNI-01 as a validation method, it will become very challenging to use LetsEncrypt or any other certificate vendor based on the ACME protocols with lighttpd (see for some discussion). Other validation methods involve the ability to manipulate DNS records or having a dedicated/unique IP address for the website, which for many users is not possible in their environment, or very challenging to automate for renewals.

TLS-ALPN-01 is available as a new possibility, but requires dedicated webserver support. Here is an implementation for Apache. The benefit of implementing it is that it will restore the situation of allowing easy/automated ACME/LetsEncrypt renewals without a unique IP address or the ability to manipulate DNS records on-the-fly.

Associated revisions

Revision b17d3c24 (diff)
Added by gstrauss 9 months ago

[mod_openssl] ALPN and acme-tls/1 (fixes #2931)

ssl.acme-tls-1 = "/path/to/dir" containing .crt.pem and .key.pem
named with the SNI name ("<SNI>.crt.pem" and "<SNI>.key.pem")

"Transport Layer Security (TLS) Application-Layer Protocol Negotiation Extension"
"ACME TLS ALPN Challenge Extension" (TLS-ALPN-01)
"Support for TLS-ALPN-01"



Updated by gstrauss 9 months ago

  • Category set to TLS

The draft expired 1 Dec 2018. Do you have any current link to its status?


Updated by gstrauss 9 months ago

  • Priority changed from Normal to Low

There are over 17,000 lines of code in mod_md/src/*.[ch]. That is a large amount of code. (I have not looked any further at the code.)

I have previously looked at ALPN with regards to HTTP/2 and hope that general ALPN support can be incorporated with much less code. However, the specifics for TLS-ALPN-01 might require much more work. As such, I am marking this low priority. A shorter-term solution might be to identify ALPN requests and allow an external script of some sort to handle "tls-alpn-01".


Updated by gstrauss 9 months ago

I posted some untested code to the personal/gstrauss/master branch after reading the TLS-ALPN-01 challenge spec.
See DevelGit for instructions how to access the git repository.


Updated by gstrauss 9 months ago

  • Status changed from New to Patch Pending
  • Target version changed from 1.4.x to 1.4.53

Tested with

The results from dehydrated are cert.pem and privkey.pem, which still need to be concatenated into a single file for lighttpd, and lighttpd needs to be restarted to pick up the new certificate.
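
The commit message above fixes the file naming that lighttpd's ssl.acme-tls-1 directory expects ("<SNI>.crt.pem" and "<SNI>.key.pem"), and this post covers turning the ACME client's output into something lighttpd can serve. As an added example that is not part of the original page or of lighttpd's code, the Python below computes what goes into a TLS-ALPN-01 challenge certificate per RFC 8737 (the RFC 8555 key authorization, the RFC 7638 account-key thumbprint, and the critical id-pe-acmeIdentifier extension whose payload is the SHA-256 of the key authorization) and models the per-SNI certificate lookup the directory convention implies, including the check that a client-supplied SNI name cannot escape the challenge directory. The account key, token, challenge directory and certificate paths are constructed samples, and the dispatch function is a model of the behaviour a responder needs, not what mod_openssl does; signing the challenge certificate itself is left to openssl or the ACME client.

```python
"""Added example, not lighttpd's code: the computation behind a TLS-ALPN-01
(RFC 8737) challenge certificate, and a model of the per-SNI lookup that the
ssl.acme-tls-1 directory convention implies (<SNI>.crt.pem / <SNI>.key.pem)."""
import base64
import hashlib
import json
import os
import re
import tempfile

ACME_TLS_ALPN = b"acme-tls/1"
# id-pe-acmeIdentifier (1.3.6.1.5.5.7.1.31), DER-encoded as an OBJECT IDENTIFIER
ID_PE_ACME_IDENTIFIER = bytes.fromhex("06082b0601050507011f")
# strict lower-case hostname: the only thing allowed to become part of a file name
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
                         r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$")


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the canonical JSON of the required public members."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 key authorization: the challenge token bound to the ACME account key."""
    return token + "." + jwk_thumbprint(account_jwk)


def authorization_digest(key_auth: str) -> bytes:
    """The 32 bytes carried inside the acmeIdentifier extension."""
    return hashlib.sha256(key_auth.encode("utf-8")).digest()


def der_tlv(tag: int, content: bytes) -> bytes:
    """Minimal DER tag-length-value encoder (short and long form lengths)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def acme_identifier_extension(key_auth: str) -> bytes:
    """DER Extension { id-pe-acmeIdentifier, critical TRUE, OCTET STRING { OCTET STRING digest } }.
    RFC 8737 requires the extension to be critical, so the BOOLEAN is encoded explicitly."""
    authorization = der_tlv(0x04, authorization_digest(key_auth))  # Authorization ::= OCTET STRING (SIZE (32))
    return der_tlv(0x30, ID_PE_ACME_IDENTIFIER + der_tlv(0x01, b"\xff") + der_tlv(0x04, authorization))


def select_alpn_and_cert(offered_alpn, sni, challenge_dir, default_cert):
    """Model (not lighttpd's code) of the dispatch a TLS-ALPN-01 responder needs: answer with
    the per-SNI challenge cert and select acme-tls/1 only when the client offered that protocol
    and both files for exactly that name exist; otherwise serve the normal certificate and leave
    ALPN to the usual negotiation. Returns (selected_alpn, cert_path, key_path)."""
    if ACME_TLS_ALPN in offered_alpn and sni:
        name = sni.rstrip(".").lower()
        if HOSTNAME_RE.match(name):  # refuse anything that could escape challenge_dir
            crt = os.path.join(challenge_dir, name + ".crt.pem")
            key = os.path.join(challenge_dir, name + ".key.pem")
            if os.path.isfile(crt) and os.path.isfile(key):
                return (ACME_TLS_ALPN, crt, key)
    return (None,) + tuple(default_cert)


def demo():
    """Run the pieces on constructed inputs; returns (key_auth, extension_der, dispatch_results)."""
    account_jwk = {"kty": "EC", "crv": "P-256",  # constructed sample key, not a real account key
                   "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
                   "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
    key_auth = key_authorization("evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA", account_jwk)
    ext = acme_identifier_extension(key_auth)
    with tempfile.TemporaryDirectory() as d:  # stands in for the ssl.acme-tls-1 directory
        for fn in ("example.com.crt.pem", "example.com.key.pem"):
            with open(os.path.join(d, fn), "w") as f:
                f.write("placeholder: a real deployment puts the self-signed challenge cert/key here\n")
        default = ("/etc/lighttpd/site.pem", "/etc/lighttpd/site.pem")
        results = {
            "challenge": select_alpn_and_cert([b"acme-tls/1"], "EXAMPLE.com", d, default),
            "no_alpn": select_alpn_and_cert([b"h2", b"http/1.1"], "example.com", d, default),
            "unknown_host": select_alpn_and_cert([b"acme-tls/1"], "other.example", d, default),
            "traversal": select_alpn_and_cert([b"acme-tls/1"], "../../etc/passwd", d, default),
        }
    return key_auth, ext, results


if __name__ == "__main__":
    ka, ext, res = demo()
    print("key authorization:", ka)
    print("acmeIdentifier extension:", ext.hex())
    for k, v in res.items():
        print(k, v)
```

In a deployment the ACME client (dehydrated with a tls-alpn-01 hook, for instance) generates the self-signed certificate carrying that extension with the SNI name as its single dNSName SAN, writes the pair into the configured directory under the name the commit message gives, and the validator's acme-tls/1 handshake is answered with it; the hostname check matters because the SNI value is attacker-controlled input that is being turned into a file path.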


Updated by gstrauss 9 months ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100

Updated by DavidAnderson684 9 months ago

Thank you! If I use the PayPal donate button on the right, does that go to you?


Updated by gstrauss 9 months ago

It goes to us, yes. Thank you for your support.


Updated by DavidAnderson684 9 months ago

Thank you! I have just donated.
