Certbot TLS-ALPN-01 ualpn authenticator plugin

This plugin allows Certbot to validate your domains using ualpn, uacme's stand-alone tls-alpn-01 challenge responder. Unlike other tls-alpn-01 responders, ualpn also transparently proxies regular TLS connections and therefore it does NOT cause any webserver downtime.

To install it, first download, build and install ualpn:

> mkdir uacme
> wget -O - https://github.com/ndilieto/uacme/archive/upstream/latest.tar.gz | tar zx -C uacme --strip-components=1
> cd uacme
> ./configure
> make
> sudo make install
> cd ..

Then move your real HTTPS server to port 4443, which doesn't need to be open to the outside (only ualpn will connect to it), and set it up to accept the PROXY protocol.

Then launch ualpn in server mode:

> sudo ualpn -v -d -u nobody:nogroup -c 127.0.0.1@4443 -S 666
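The two steps above (the backend moved to 127.0.0.1:4443 behind the PROXY protocol, ualpn on 443) only give the promised zero-downtime setup if the backend is really reachable from loopback alone and ualpn really is the process answering port 443. For nginx, accepting the PROXY protocol on the backend means `listen 127.0.0.1:4443 ssl proxy_protocol;` together with `set_real_ip_from 127.0.0.1;` and `real_ip_header proxy_protocol;`, so that access logs, rate limits and IP allow-lists keep seeing the client's address instead of 127.0.0.1. The script below is an added example, not part of certbot-ualpn or uacme: it checks that port 4443 is bound to loopback only, that a client offering the `acme-tls/1` ALPN on 443 gets it negotiated (something only ualpn does), and that a client without that ALPN is proxied through to the real server's certificate. It assumes the layout above and that `ss` and `openssl` are installed; the `SAMPLE_*` strings are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not part of certbot-ualpn or uacme): sanity checks for the
# ualpn-in-front layout. Assumptions: the real server listens on 127.0.0.1:4443
# (PROXY protocol), ualpn on :443, and `ss` and `openssl` exist on the host.
# The SAMPLE_* strings below are constructed, not captured.

# Check 1: port 4443 must be bound to loopback only. Bound to 0.0.0.0 or [::],
# the real server is reachable directly and ualpn can be bypassed.
# $1 = output of `ss -ltn`; returns 0 only if every 4443 listener is loopback.
backend_loopback_only() {
    listeners=$(printf '%s\n' "$1" | awk '$1 == "LISTEN" { print $4 }' |
                grep ':4443$' || true)
    [ -n "$listeners" ] || return 1                  # nothing on 4443 at all
    if printf '%s\n' "$listeners" | grep -qvE '^(127\.0\.0\.1|\[::1\]):4443$'; then
        return 1                                     # a non-loopback listener
    fi
    return 0
}

# Check 2: a client offering the acme-tls/1 ALPN on 443 should have it
# negotiated; the real server never speaks acme-tls/1, only ualpn does.
# $1 = output of `openssl s_client ... -alpn acme-tls/1`.
alpn_is_acme() {
    printf '%s\n' "$1" | grep -q '^ALPN protocol: acme-tls/1$'
}

# Check 3 (heuristic on the subject CN): a client NOT offering acme-tls/1 must
# be proxied to the real server, so the certificate it sees should carry the
# site's name rather than a challenge certificate.
# $1 = s_client output, $2 = expected hostname.
served_cn_matches() {
    printf '%s\n' "$1" | grep -q "^subject=.*CN *= *$2"
}

# Constructed samples of what a healthy host would produce.
SAMPLE_SS_OK='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:4443      0.0.0.0:*
LISTEN 0      4096   0.0.0.0:443         0.0.0.0:*'
# Same host, but the backend was mistakenly bound on all interfaces.
SAMPLE_SS_EXPOSED='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:4443        0.0.0.0:*
LISTEN 0      4096   0.0.0.0:443         0.0.0.0:*'
SAMPLE_ALPN_OK='CONNECTED(00000003)
ALPN protocol: acme-tls/1
Verify return code: 21 (unable to verify the first certificate)'
SAMPLE_PLAIN_OK='CONNECTED(00000003)
subject=CN = www.example.com
issuer=C = US, O = Example CA, CN = Example R1
No ALPN negotiated'

# Live run against a host (needs network): sh thisscript.sh www.example.com
# A missed acme-tls/1 is inconclusive if ualpn has no challenge for that name
# at the moment; a negotiated acme-tls/1 is positive proof ualpn owns 443.
live_check() {
    host=$1
    backend_loopback_only "$(ss -ltn)" || echo "WARN: port 4443 is not loopback-only"
    acme_out=$(openssl s_client -connect "$host:443" -servername "$host" \
               -alpn acme-tls/1 </dev/null 2>/dev/null || true)
    alpn_is_acme "$acme_out" || echo "WARN: acme-tls/1 not negotiated on 443 (is ualpn in front?)"
    plain_out=$(openssl s_client -connect "$host:443" -servername "$host" \
                </dev/null 2>/dev/null || true)
    served_cn_matches "$plain_out" "$host" || echo "WARN: plain TLS was not proxied to $host's certificate"
}

if [ -n "${1:-}" ]; then live_check "$1"; fi
```

Run it with the domain as its only argument once ualpn and the backend are up; each WARN line names the property that failed. The loopback check is the one worth keeping in monitoring, because a backend accidentally rebound to all interfaces silently exposes a second TLS endpoint that ualpn never sees.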

Then install certbot 1.7.0 or later:

> git clone https://github.com/certbot/certbot
> cd certbot
> python tools/venv3.py
> source venv3/bin/activate
> cd ..

Then download and install this plugin:

> git clone https://github.com/ndilieto/certbot-ualpn
> cd certbot-ualpn
> python setup.py install
> cd ..

And finally try obtaining your certs:

> certbot --agree-tos \
    --register-unsafely-without-email \
    --staging \
    -a ualpn \
    -d www.example.com certonly

This plugin only supports authentication, since it is assumed that the administrator will either install the certificate manually, or use a different Certbot installer plugin.