Description
It appears that tls-alpn-01 is tripping over an authorization layer in httpd. I ran into this back in 2020, but didn't pursue. I recently hit it again - this time with an installation on a new server.
Environment:

```text
Linux andreas.sb.litts.net 6.11.4-301.fc41.x86_64 #1 SMP PREEMPT_DYNAMIC Sun Oct 20 15:02:33 UTC 2024 x86_64 GNU/Linux
Apache/2.4.63 (Fedora Linux)
Server built: Jan 24 2025 00:00:00
```

```text
dnf list --installed | grep -P 'httpd|mod_md'
fedora-logos-httpd.noarch 38.1.0-6.fc41 fedora
httpd.x86_64 2.4.63-1.fc41 updates
httpd-core.x86_64 2.4.63-1.fc41 updates
httpd-filesystem.noarch 2.4.63-1.fc41 updates
httpd-tools.x86_64 2.4.63-1.fc41 updates
mod_md.x86_64 1:2.4.26-2.fc41 fedora
```
Talking to Let's Encrypt (production). tls-alpn-01 is rejected and mod_md logs an error. Retries cause the same error. I have .job files (for another host) from 2020 in which this went on until I disabled mod_md.
Here is the reported error - formatted for readability. Note the 403 status (I added the >>>>, line breaks and white space). I believe that the "missing OID" is bogus (a result of the 403).
I don't understand why there should be a 403 response, since tls-alpn-01 does not send application data (just a handshake). Perhaps mod_md is allowing authorization to proceed as if there's a request for /?
http-01 works for this configuration, so that hook is doing the right thing.
```text
[md:error] [pid 9187:tid 9188] ACME server authz: challenge 'invalid' for 2025web.andreasvonhuene.com at
https://acme-v02.api.letsencrypt.org/acme/authz/2258775985/483827049455.
Exact response was: {"identifier": {
    "type":"dns", "value":"2025web.andreasvonhuene.com"},
    "status":"invalid",
    "expires":"2025-03-09T18:37:33Z",
    "challenges":[ {
        "type":"tls-alpn-01",
        "url":"https://acme-v02.api.letsencrypt.org/acme/chall/2258775985/483827049455/cFYv7Q",
        "status":"invalid",
        "validated":"2025-03-02T18:37:34Z",
        "error":{
            "type":"urn:ietf:params:acme:error:unauthorized",
            "detail":"Incorrect validation certificate for tls-alpn-01 challenge.
                Requested 2025web.andreasvonhuene.com from [2001:470:8f95:941::83]:443.
                Received certificate with unexpected extensions: \\"Required extension OID 1.3.6.1.5.5.7.1.31 is not present\\"",
>>>>        "status":403},
        "token":"keIb6FABrtdjwRdTFHcu-pOx6E16aMr-jwC1fvWEBOI",
        "validationRecord":[{"hostname":"2025web.andreasvonhuene.com",
            "port":"443",
            "addressesResolved":["96.233.62.60",
                "2001:470:8f95:941::83"],
            "addressUsed":"2001:470:8f95:941::83"}]}]}
[md:error] [pid 9187:tid 9188] (22)Invalid argument: md[2025web.andreasvonhuene.com]
    while [Monitoring challenge status for 2025web.andreasvonhuene.com]
    detail [domain authorization for 2025web.andreasvonhuene.com failed, CA considers answer to challenge invalid.]
```
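Editor's note on the error object above: the `"status":403` sits inside the ACME problem document that the CA attaches to the challenge (RFC 8555 section 6.7), where `urn:ietf:params:acme:error:unauthorized` carries HTTP status 403; it is the CA's classification of its own validation failure, not a response code httpd returned. What the CA actually checked is the certificate served on the `acme-tls/1` ALPN connection, so the useful diagnostic is to fetch that certificate and re-run the CA's test locally. The script below is an added example, not part of this report and not mod_md code: it implements the RFC 8737 section 3 check in pure Python (find the acmeIdentifier extension, OID 1.3.6.1.5.5.7.1.31, require it to be critical, compare its 32-byte payload with SHA-256 of the key authorization). The token is the one from the authz above; the thumbprint and the DER fragments it checks are constructed placeholders, since the real account-key thumbprint is not on the page.

```python
# Added example (not from the report or from mod_md): redo the CA's tls-alpn-01
# check from RFC 8737 section 3 on a DER certificate. No third-party modules.
import hashlib

ACME_IDENTIFIER_OID = bytes.fromhex("2b0601050507011f")  # DER body of 1.3.6.1.5.5.7.1.31
TAG_BOOL, TAG_OCTET, TAG_OID, TAG_SEQUENCE = 0x01, 0x04, 0x06, 0x30

TOKEN = "keIb6FABrtdjwRdTFHcu-pOx6E16aMr-jwC1fvWEBOI"  # token from the authz in the report
THUMBPRINT = "placeholder-account-key-thumbprint"      # constructed; real one is the JWK thumbprint


def der_read(buf, pos=0):
    """Decode one definite-length TLV at pos; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def der_tlv(tag, value):
    """Encode one TLV; lengths up to 65535 bytes cover any certificate field."""
    n = len(value)
    if n < 0x80:
        head = bytes([tag, n])
    elif n < 0x100:
        head = bytes([tag, 0x81, n])
    else:
        head = bytes([tag, 0x82, n >> 8, n & 0xFF])
    return head + value


def iter_constructed(buf):
    """Depth-first yield of (tag, value) for every constructed element (bit 0x20 set)."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = der_read(buf, pos)
        if tag & 0x20:
            yield tag, value
            yield from iter_constructed(value)


def find_acme_identifier(cert_der):
    """Return (critical, digest) for the acmeIdentifier extension, or None if absent.
    Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
    and extnValue wraps the DER of Acme-Identifier ::= OCTET STRING (SIZE(32))."""
    for tag, value in iter_constructed(cert_der):
        if tag != TAG_SEQUENCE or len(value) < 2:
            continue
        t, oid, pos = der_read(value)
        if t != TAG_OID or oid != ACME_IDENTIFIER_OID:
            continue
        t, v, pos = der_read(value, pos)
        critical = False
        if t == TAG_BOOL:  # absent means DEFAULT FALSE, which the CA rejects
            critical = v == b"\xff"
            t, v, pos = der_read(value, pos)
        inner_tag, digest, _ = der_read(v)
        if t != TAG_OCTET or inner_tag != TAG_OCTET:
            raise ValueError("malformed acmeIdentifier extension")
        return critical, digest
    return None


def key_authorization_digest(token, thumbprint):
    """SHA-256 of keyAuthorization = token '.' thumbprint (RFC 8555 section 8.1)."""
    return hashlib.sha256(f"{token}.{thumbprint}".encode("ascii")).digest()


def check_validation_cert(cert_der, token, thumbprint):
    """Decide as the CA does; returns (ok, reason). Accepts a complete DER certificate."""
    try:
        found = find_acme_identifier(cert_der)
    except ValueError as exc:
        return False, str(exc)
    if found is None:
        return False, "Required extension OID 1.3.6.1.5.5.7.1.31 is not present"
    critical, digest = found
    if not critical:
        return False, "acmeIdentifier extension is not marked critical"
    if digest != key_authorization_digest(token, thumbprint):
        return False, "acmeIdentifier digest does not match the key authorization"
    return True, "ok"


def build_extension(token, thumbprint, critical=True):
    """Constructed test input: the Extension element a compliant server would include."""
    body = der_tlv(TAG_OID, ACME_IDENTIFIER_OID)
    if critical:
        body += der_tlv(TAG_BOOL, b"\xff")
    body += der_tlv(TAG_OCTET, der_tlv(TAG_OCTET, key_authorization_digest(token, thumbprint)))
    return der_tlv(TAG_SEQUENCE, body)


def demo():
    """Run the check on constructed inputs; the 'good' one is nested like [3] Extensions."""
    good = der_tlv(0xA3, der_tlv(TAG_SEQUENCE, build_extension(TOKEN, THUMBPRINT)))
    return {
        "good": check_validation_cert(good, TOKEN, THUMBPRINT),
        "missing": check_validation_cert(der_tlv(TAG_SEQUENCE, b""), TOKEN, THUMBPRINT),
        "not_critical": check_validation_cert(build_extension(TOKEN, THUMBPRINT, False), TOKEN, THUMBPRINT),
        "wrong_token": check_validation_cert(build_extension("other-token", THUMBPRINT), TOKEN, THUMBPRINT),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

To run it against a live server, capture the certificate the same way the CA sees it, with `openssl s_client -connect HOST:443 -servername HOST -alpn acme-tls/1 </dev/null | openssl x509 -outform DER > chal.der`, and call `check_validation_cert(open("chal.der", "rb").read(), token, thumbprint)` with the token from the authz and the account key's JWK thumbprint. If the certificate returned is the site's normal certificate rather than a self-signed one carrying this extension, the `acme-tls/1` handshake was not routed to mod_md's challenge responder, which would produce exactly the "Required extension OID ... is not present" message quoted above.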
The relevant configuration snippets (expanded some macros, removed false conditionals) are:
```apache
<Directory />
    AllowOverride none
    Require all denied
</Directory>

DocumentRoot "/var/www/html"
<Directory "/var/www">
    AllowOverride None
    Require all granted
</Directory>

<IfModule mod_md.c>
    # LogLevel md:debug
    MDCertificateAgreement accepted
    <MDomain 2025web.andreasvonhuene.com>
        MDContactEmail hostadmin@andreasvonhuene.com
        MDPrivateKeys secp384r1 rsa4096
        # removing tls-alpn-01 allows issue
        MDCAChallenges tls-alpn-01 http-01
    </MDomain>
    MDCertificateStatus off
    # LE discontinuing stapling 2025
    MDStapling off
    MDStapleOthers off
    # Fedora's location
    MDStoreDir "state/md"
    # Redirect http to https ("permanent" also sends hsts)
    MDRequireHttps temporary
</IfModule>

# Port 80 is forwarded from 96.233.62.60 (shown in the logs)
Listen 192.168.148.83:443
Listen [2001:470:8f95:941::83]:443
Listen 192.168.148.83:80
Listen [2001:470:8f95:941::83]:80

<VirtualHost 192.168.148.83:80 [2001:470:8f95:941::83]:80>
    ServerName 2025web.andreasvonhuene.com
    ServerAlias www.2025web.andreasvonhuene.com andreas.sb.litts.net
    ServerAdmin webmaster@andreasvonhuene.com
    # Note: mod_md config will redirect all http to https
    DocumentRoot "/var/www/html/avh"
    Options -Indexes
</VirtualHost>

<VirtualHost 192.168.148.83:443 [2001:470:8f95:941::83]:443>
    ServerName 2025web.andreasvonhuene.com
    ServerAlias www.2025web.andreasvonhuene.com andreas.sb.litts.net
    ServerAdmin webmaster@andreasvonhuene.com
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    SSLEngine on
    <IfModule mod_http2.c>
        Protocols h2 h2c http/1.1 acme-tls/1
        H2ModernTLSOnly on
        H2Push on
    </IfModule>
    <IfModule !mod_http2.c>
        Protocols http/1.1 acme-tls/1
    </IfModule>
    SSLProtocol all -SSLv3
    SSLHonorCipherOrder on
    DocumentRoot "/var/www/html/avh"
    Options -Indexes
</VirtualHost>

<Directory "/var/www/html/avh">
    # This expands to a <requireany> Require ip <internal addresses> || Basic: valid-user || all denied
    # E.g. nothing is accessible from outside (N.B. The log entry above did not allow Basic auth.)
    # You can probably reproduce with just `require all denied`
    use RequireSBHostOrPassword ...
</Directory>
```