If HTTP/TLS-ALPN challenge fails, try the other one #34

Closed
mholt opened this issue Mar 27, 2019 · 1 comment

mholt commented Mar 27, 2019

What would you like to have changed?

Explicitly try the other challenge type if one of the HTTP or TLS-ALPN challenges fails.

Why is this feature a useful, necessary, and/or important addition to this project?

Some sites are behind a CDN that terminates TLS, so there is no way the TLS-ALPN challenge will work, and most site owners don't think to disable it in those cases.

What alternatives are there, or what are you doing in the meantime to work around the lack of this feature?

Disable the challenge that won't work. That should still be done probably, to avoid unnecessary work, but at least with this feature implemented, it will be a good failover fix.

Please link to any relevant issues, pull requests, or other discussions.

https://saas.transistor.fm/episodes/worst-day-ever

@mholt mholt added the feature request Request for new feature or functionality label Mar 27, 2019
@mholt mholt self-assigned this Mar 27, 2019

mholt commented Mar 29, 2019

So actually, lego used to randomize the challenge it used, rendering this failover unnecessary, but as of a few months ago, they are now deterministic: https://github.com/go-acme/lego/blame/55572c26060b91518381fe99910dfacf46035544/challenge/resolver/solver_manager.go#L64

Rather than change something in CertMagic, I believe the best and correct way to fix this is to address it in lego directly. go-acme/lego#842

Update: lego is taking too long / disagreement of philosophies or something, so I just went ahead and put it into CertMagic instead.
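
The failover requested in this issue, sketched as an added example; it is not CertMagic's or lego's code. The `Solver` type, `ObtainWithFailover` and `cdnSolvers` are hypothetical names, and the CDN behaviour is constructed sample input.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ChallengeType is an ACME challenge identifier.
type ChallengeType string

const (
	HTTP01    ChallengeType = "http-01"
	TLSALPN01 ChallengeType = "tls-alpn-01"
)

// Solver is a hypothetical hook that runs one challenge type for a domain.
type Solver func(domain string) error

// ObtainWithFailover tries each enabled challenge in order, moving to the
// next type when one fails, and reports every failure if none succeeds.
func ObtainWithFailover(domain string, order []ChallengeType, enabled map[ChallengeType]Solver) (ChallengeType, error) {
	var failures []string
	for _, ct := range order {
		solve, ok := enabled[ct]
		if !ok {
			continue // operator disabled this challenge: no wasted attempt
		}
		if err := solve(domain); err != nil {
			failures = append(failures, fmt.Sprintf("%s: %v", ct, err))
			continue
		}
		return ct, nil
	}
	if len(failures) == 0 {
		return "", errors.New("no challenge type enabled for " + domain)
	}
	return "", fmt.Errorf("all challenges failed for %s: %s", domain, strings.Join(failures, "; "))
}

// cdnSolvers is constructed sample behaviour: the CDN terminates TLS, so
// TLS-ALPN validation never reaches the origin, while HTTP is passed through.
func cdnSolvers() map[ChallengeType]Solver {
	return map[ChallengeType]Solver{
		TLSALPN01: func(string) error { return errors.New("validation did not reach origin") },
		HTTP01:    func(string) error { return nil },
	}
}

func main() {
	used, err := ObtainWithFailover("example.com", []ChallengeType{TLSALPN01, HTTP01}, cdnSolvers())
	fmt.Println(used, err)
}
```

Keeping the per-challenge errors in the final message lets an operator see that TLS-ALPN is consistently failing and disable it, which the issue still recommends.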
