how do i aget tls-alpn to work with multiple sites?

[tonyguadagno]

hi, i am starting to use this on several IIS servers (2022) and i need to use TLS auth because i am not opening up port 80. i have 2 sites on a server and the first site has a cert from godaddy. i want to use letscrypt and tls-alpn on the second site but when i configure it i get this result:

Plugin Host created 1 order
 [test.colorpathsync.com] Authorizing...
 [test.colorpathsync.com] Authorizing using tls-alpn-01 validation (SelfHosting)
 Unable to activate TcpClient, this may be because of insufficient rights or another application using port 443
 [test.colorpathsync.com] Error preparing for challenge answer
 [test.colorpathsync.com] Deactivating pending authorization

is it complaining because there is a web site on 443 and the tcpclient cannot use port 443? how do i use tls-alpn in this situation (or any situation where there is more than one https site)?

thanks for your time in advance!

[WouterTinus]

The only way to do this is to temporarly shut down the webserver whenever the certificate needs to be renewed. If you're willing to take the availability hit for that, you can configure a pre- and post-execution scripts to automate this: https://www.win-acme.com/reference/settings.

Generally TLS-ALPN-01 is not widely used as a validation method because of exactly this issue. DNS validation is the best practice.

[tonyguadagno]

hi, thanks for the reply. thats a shame. i work a lot with apache and i use mod_md (https://httpd.apache.org/docs/2.4/mod/mod_md.html) . apache seems to allow tls-alpn to work while many other sites are using port 443.

too bad or IIS (and us).
thanks

[WouterTinus]

Yes I suppose that if you are the webserver, it becomes somewhat easier to implement this 😄. For port 80 Microsoft has some very neat port sharing issues that we can use for our self-hosting validation option, but we can't do the same for 443 and it doesn't like it will ever be, given Microsofts lack of focus on IIS and Windows-only features in .NET.

[webprofusion-chrisc]

If you really wanted to do it you could just use Apache then reverse proxy back to IIS (assuming you still need it, listening on other ports).

Regarding port 80, ports are just ports and certain ones are not more or less secure than others - if you just have no listeners bound to port 80 then there's nothing to cause a security issue. That way you can still use http validation because win-acme in self-hosting mode will only listen when it needs to.

[tonyguadagno]

webprofusion-chrisc, thats a good point. i was thinking that you had to have port 80 bound to at least one site (default) but if that is not the case, then that would be a good solution.

thanks for pointing that out