The supported validation types are: http-01 dns-01 , but you specified: tls-alpn-01 #3910

Closed
cresse2200 opened this issue Jan 26, 2022 · 5 comments

@cresse2200

Steps to reproduce

I was trying to renew my certs, using the same script as the last times. This time I got the error that tls-alpn-01 is not a supported validation type. The readme still mentions standalone tls, therefore I think this is an error somewhere and not dropped support. I cannot find anything about dropped support on Let's Encrypt for tls-alpn either.

My last working renew was on 25 Nov 2021. I enabled auto-upgrade, therefore it worked with the newest version in November, but the version I have now does not.

Debug log

/root/.acme.sh/acme.sh --log --cron --home /root/.acme.sh

[Wed 26 Jan 07:25:37 CET 2022] Running cmd: cron
[Wed 26 Jan 07:25:37 CET 2022] Using config home:/root/.acme.sh
[Wed 26 Jan 07:25:38 CET 2022] default_acme_server='https://acme-v02.api.letsencrypt.org/directory'
[Wed 26 Jan 07:25:38 CET 2022] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Wed 26 Jan 07:25:38 CET 2022] ===Starting cron===
[Wed 26 Jan 07:25:38 CET 2022] Using config home:/root/.acme.sh
[Wed 26 Jan 07:25:38 CET 2022] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Wed 26 Jan 07:25:38 CET 2022] GET
[Wed 26 Jan 07:25:38 CET 2022] url='https://api.github.com/repos/acmesh-official/acme.sh/git/refs/heads/master'
[Wed 26 Jan 07:25:38 CET 2022] timeout=
[Wed 26 Jan 07:25:38 CET 2022] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g '
[Wed 26 Jan 07:25:43 CET 2022] ret='0'
[Wed 26 Jan 07:25:43 CET 2022] Already uptodate!
[Wed 26 Jan 07:25:43 CET 2022] Upgrade success!
[Wed 26 Jan 07:25:43 CET 2022] Using config home:/root/.acme.sh
[Wed 26 Jan 07:25:43 CET 2022] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Wed 26 Jan 07:25:43 CET 2022] Auto upgraded to: 3.0.2
[Wed 26 Jan 07:25:43 CET 2022] Using config home:/root/.acme.sh
[Wed 26 Jan 07:25:43 CET 2022] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Wed 26 Jan 07:25:43 CET 2022] _stopRenewOnError
[Wed 26 Jan 07:25:43 CET 2022] _set_level='2'
[Wed 26 Jan 07:25:43 CET 2022] di='/root/.acme.sh/XXX6.firewall-gateway.de/'
[Wed 26 Jan 07:25:43 CET 2022] d='XXX6.firewall-gateway.de'
[Wed 26 Jan 07:25:43 CET 2022] Using config home:/root/.acme.sh
[Wed 26 Jan 07:25:43 CET 2022] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Wed 26 Jan 07:25:43 CET 2022] DOMAIN_PATH='/root/.acme.sh/XXX6.firewall-gateway.de'
[Wed 26 Jan 07:25:43 CET 2022] Renew: 'XXX6.firewall-gateway.de'
[Wed 26 Jan 07:25:43 CET 2022] Le_API='https://acme-v02.api.letsencrypt.org/directory'
[Wed 26 Jan 07:25:43 CET 2022] Using config home:/root/.acme.sh
[Wed 26 Jan 07:25:43 CET 2022] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Wed 26 Jan 07:25:43 CET 2022] _main_domain='XXX6.firewall-gateway.de'
[Wed 26 Jan 07:25:43 CET 2022] _alt_domains='XXX.firewall-gateway.de'
[Wed 26 Jan 07:25:43 CET 2022] Le_NextRenewTime='1642979676'
[Wed 26 Jan 07:25:43 CET 2022] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
[Wed 26 Jan 07:25:43 CET 2022] _init api for server: https://acme-v02.api.letsencrypt.org/directory
[Wed 26 Jan 07:25:43 CET 2022] GET
[Wed 26 Jan 07:25:43 CET 2022] url='https://acme-v02.api.letsencrypt.org/directory'
[Wed 26 Jan 07:25:43 CET 2022] timeout=
[Wed 26 Jan 07:25:43 CET 2022] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g '
[Wed 26 Jan 07:25:49 CET 2022] ret='0'
[Wed 26 Jan 07:25:49 CET 2022] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
[Wed 26 Jan 07:25:49 CET 2022] ACME_NEW_AUTHZ
[Wed 26 Jan 07:25:49 CET 2022] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Wed 26 Jan 07:25:49 CET 2022] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Wed 26 Jan 07:25:49 CET 2022] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
[Wed 26 Jan 07:25:49 CET 2022] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[Wed 26 Jan 07:25:49 CET 2022] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Wed 26 Jan 07:25:49 CET 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Wed 26 Jan 07:25:49 CET 2022] _on_before_issue
[Wed 26 Jan 07:25:49 CET 2022] _chk_main_domain='XXX6.firewall-gateway.de'
[Wed 26 Jan 07:25:49 CET 2022] _chk_alt_domains='XXX.firewall-gateway.de'
[Wed 26 Jan 07:25:49 CET 2022] Le_LocalAddress
[Wed 26 Jan 07:25:49 CET 2022] d='XXX6.firewall-gateway.de'
[Wed 26 Jan 07:25:49 CET 2022] Check for domain='XXX6.firewall-gateway.de'
[Wed 26 Jan 07:25:49 CET 2022] _currentRoot='alpn'
[Wed 26 Jan 07:25:49 CET 2022] Standalone alpn mode.
[Wed 26 Jan 07:25:50 CET 2022] _checkport='443'
[Wed 26 Jan 07:25:50 CET 2022] _checkaddr
[Wed 26 Jan 07:25:50 CET 2022] Using: ss
[Wed 26 Jan 07:25:50 CET 2022] d='XXX.firewall-gateway.de'
[Wed 26 Jan 07:25:50 CET 2022] Check for domain='XXX.firewall-gateway.de'
[Wed 26 Jan 07:25:50 CET 2022] _currentRoot='alpn'
[Wed 26 Jan 07:25:50 CET 2022] Standalone alpn mode.
[Wed 26 Jan 07:25:50 CET 2022] _checkport='443'
[Wed 26 Jan 07:25:50 CET 2022] _checkaddr
[Wed 26 Jan 07:25:50 CET 2022] Using: ss
[Wed 26 Jan 07:25:50 CET 2022] d
[Wed 26 Jan 07:25:50 CET 2022] _saved_account_key_hash is not changed, skip register account.
[Wed 26 Jan 07:25:50 CET 2022] Read key length:
[Wed 26 Jan 07:25:50 CET 2022] _createcsr
[Wed 26 Jan 07:25:50 CET 2022] Multi domain='DNS:XXX6.firewall-gateway.de,DNS:XXX.firewall-gateway.de'
[Wed 26 Jan 07:25:50 CET 2022] Getting domain auth token for each domain
[Wed 26 Jan 07:25:50 CET 2022] d='XXX.firewall-gateway.de'
[Wed 26 Jan 07:25:50 CET 2022] d
[Wed 26 Jan 07:25:50 CET 2022] url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Wed 26 Jan 07:25:50 CET 2022] payload='{"identifiers": [{"type":"dns","value":"XXX6.firewall-gateway.de"},{"type":"dns","value":"XXX.firewall-gateway.de"}]}'
[Wed 26 Jan 07:25:50 CET 2022] RSA key
[Wed 26 Jan 07:25:50 CET 2022] HEAD
[Wed 26 Jan 07:25:50 CET 2022] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Wed 26 Jan 07:25:50 CET 2022] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g  -I  '
[Wed 26 Jan 07:25:56 CET 2022] _ret='0'
[Wed 26 Jan 07:25:56 CET 2022] POST
[Wed 26 Jan 07:25:56 CET 2022] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Wed 26 Jan 07:25:56 CET 2022] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g '
[Wed 26 Jan 07:26:01 CET 2022] _ret='0'
[Wed 26 Jan 07:26:02 CET 2022] code='201'
[Wed 26 Jan 07:26:02 CET 2022] Le_LinkOrder='https://acme-v02.api.letsencrypt.org/acme/order/111221390/58446124940'
[Wed 26 Jan 07:26:02 CET 2022] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/111221390/58446124940'
[Wed 26 Jan 07:26:02 CET 2022] url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/71899358270'
[Wed 26 Jan 07:26:02 CET 2022] payload
[Wed 26 Jan 07:26:02 CET 2022] POST
[Wed 26 Jan 07:26:02 CET 2022] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/71899358270'
[Wed 26 Jan 07:26:02 CET 2022] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g '
[Wed 26 Jan 07:26:07 CET 2022] _ret='0'
[Wed 26 Jan 07:26:07 CET 2022] code='200'
[Wed 26 Jan 07:26:07 CET 2022] url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/71899358280'
[Wed 26 Jan 07:26:07 CET 2022] payload
[Wed 26 Jan 07:26:08 CET 2022] POST
[Wed 26 Jan 07:26:08 CET 2022] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/71899358280'
[Wed 26 Jan 07:26:08 CET 2022] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g '
[Wed 26 Jan 07:26:13 CET 2022] _ret='0'
[Wed 26 Jan 07:26:13 CET 2022] code='200'
[Wed 26 Jan 07:26:13 CET 2022] d='XXX6.firewall-gateway.de'
[Wed 26 Jan 07:26:13 CET 2022] Getting webroot for domain='XXX6.firewall-gateway.de'
[Wed 26 Jan 07:26:13 CET 2022] _w='alpn'
[Wed 26 Jan 07:26:13 CET 2022] _currentRoot='alpn'
[Wed 26 Jan 07:26:13 CET 2022] entry
[Wed 26 Jan 07:26:13 CET 2022] Not a wildcard domain, lets check whether the validation is already valid.
[Wed 26 Jan 07:26:13 CET 2022] Error, can not get domain token entry XXX6.firewall-gateway.de for tls-alpn-01
[Wed 26 Jan 07:26:13 CET 2022] The supported validation types are: http-01 dns-01 , but you specified: tls-alpn-01
[Wed 26 Jan 07:26:13 CET 2022] pid
[Wed 26 Jan 07:26:13 CET 2022] No need to restore nginx, skip.
[Wed 26 Jan 07:26:13 CET 2022] _clearupdns
[Wed 26 Jan 07:26:13 CET 2022] dns_entries
[Wed 26 Jan 07:26:13 CET 2022] skip dns.
[Wed 26 Jan 07:26:13 CET 2022] _on_issue_err
[Wed 26 Jan 07:26:13 CET 2022] Please check log file for more details: /root/.acme.sh/acme.sh.log
[Wed 26 Jan 07:26:14 CET 2022] Return code: 1
[Wed 26 Jan 07:26:14 CET 2022] Error renew XXX6.firewall-gateway.de.
[Wed 26 Jan 07:26:14 CET 2022] _error_level='1'
[Wed 26 Jan 07:26:14 CET 2022] _set_level='2'
[Wed 26 Jan 07:26:14 CET 2022] The NOTIFY_HOOK is empty, just return.
[Wed 26 Jan 07:26:14 CET 2022] ===End cron===

@Neilpang
Member

Please try again later. Let's Encrypt temporarily disabled tls-alpn today, but it's resumed now.

@cresse2200
Author

Thanks, I didn't think to look into the service history. They are claiming everything is working again, but I still get the same error.
In https://community.letsencrypt.org/t/changes-to-tls-alpn-01-challenge-validation/170427 they explain the changes as "we no longer support the legacy 1.3.6.1.5.5.7.1.30.1 OID" and "handshake will negotiate TLS version 1.2 or higher."

How can I find out if my acme is able to meet these two conditions?

@beewoolie

I just had an exchange with someone from LE. He tells me that we're in the 'this is a bug in acme.sh' territory. Could it be, as cresse2200 writes, that we need a small change to acme.sh?

@jprenken

Sorry about that. This is on the Let's Encrypt side, due to order reuse, not a bug in acme.sh. Details: https://community.letsencrypt.org/t/questions-about-renewing-before-tls-alpn-01-revocations/170449/116

@cresse2200
Author

It worked on my site now as well. I thank everyone for the help and working on acme, which is a tool I greatly appreciate.
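
The error message in the debug log names the validation types the client found for the domain next to the one it was configured to use. As an added example (not acme.sh code and not written by anyone in this thread), the shell functions below run the same comparison on a saved ACME authorization body, so a failed renewal can be traced to what the CA offered. The function names, `host.example`, `ca.example` and both JSON samples are constructed assumptions.

```shell
#!/bin/sh
# Added example, not acme.sh code. Input is a saved ACME authorization
# body (RFC 8555, section 7.1.4); both samples below are constructed.

# Print the challenge types an authorization offers, space-separated.
# The final filter keeps only names shaped like "http-01", which drops the
# identifier's "dns" type and any "urn:..." error type inside a challenge.
offered_types() {
  printf '%s' "$1" | tr -d '\n' \
    | grep -o '"type"[[:space:]]*:[[:space:]]*"[^"]*"' \
    | sed 's/.*"\([^"]*\)"$/\1/' \
    | grep -E '^[a-z]+(-[a-z]+)*-[0-9]+$' \
    | tr '\n' ' ' | sed 's/ $//'
}

# Print the DNS name the authorization is for.
identifier_of() {
  printf '%s' "$1" | tr -d '\n' | sed -n \
    's/.*"identifier"[[:space:]]*:[[:space:]]*{[^}]*"value"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Return 0 if the configured type ($2) is offered, 1 otherwise.
check_challenge() {
  _types=$(offered_types "$1")
  case " $_types " in
    *" $2 "*) echo "$(identifier_of "$1"): $2 is offered"; return 0 ;;
  esac
  echo "$(identifier_of "$1"): offered [$_types], configured $2"
  return 1
}

SAMPLE_AUTHZ='{
  "identifier": {"type": "dns", "value": "host.example"},
  "status": "pending",
  "challenges": [
    {"type": "http-01", "status": "pending", "url": "https://ca.example/chall/1", "token": "constructed-1"},
    {"type": "dns-01", "status": "pending", "url": "https://ca.example/chall/2", "token": "constructed-2"}
  ]
}'
SAMPLE_INVALID='{"identifier":{"type":"dns","value":"host.example"},"status":"invalid",
  "challenges":[{"type":"tls-alpn-01","status":"invalid",
  "error":{"type":"urn:ietf:params:acme:error:connection","detail":"constructed"}}]}'

check_challenge "$SAMPLE_AUTHZ" tls-alpn-01 || :
check_challenge "$SAMPLE_INVALID" tls-alpn-01
```

When the configured type is missing from the offered list, the cause is on the CA side of the exchange, and changing the client will not bring the challenge back.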
