Apparent false TLS-SNI-01 notification emails


#1

It seems like our clients are getting the TLS-SNI-01 update warning notifications, but none so far seem to have that as the active authentication method. The authenticator configs are all listed as nginx, but they’re still getting the emails about needing to update.

Am I missing something here?

Example domain is: https://sacredplaces.org/

I ran this command: certbot renew --dry-run

It produced this output:

# Options used in the renewal process
[renewalparams]
account = ACCOUNT_ID_HERE
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = nginx
installer = nginx
...skipping...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for sacredplaces.org
Waiting for verification...
Cleaning up challenges

** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/sacredplaces.org/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)

My web server is (include version): nginx

The operating system my web server runs on is (include version): CentOS 7

I can login to a root shell on my machine (yes or no, or I don’t know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.26.1 (other clients have been on >0.28)

Out of caution we’ll be updating this particular client, but all other signs point to them being good to go already.


#2

If this is simply due to over-caution, as suggested here, it’d help if the email wasn’t worded as so certain. There’s some “action may be required” in there, but also, “You need to update your ACME client to use an alternative validation method.”


#3

Certbot’s nginx plugin supports both HTTP-01 and TLS-SNI-01 validation.

Before version 0.28.0, if the CA supports both, Certbot prefers TLS-SNI-01 by default.

“certbot renew --dry-run” is using HTTP-01 because Let’s Encrypt recently disabled TLS-SNI-01 on their staging environment. The important thing is that HTTP-01 works – unless you override or upgrade it, Certbot will continue to use TLS-SNI-01 to renew your certificates until Let’s Encrypt disables it, and then switch to HTTP-01 without issue.
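As an added example (not from this thread and not Certbot's own code), a small POSIX shell check that applies the reasoning in this reply: given the client version and a renewal config like the one quoted in the first post, it predicts whether a live renewal would still pick TLS-SNI-01 even though the staging dry run shows HTTP-01. The sample config is constructed, the `pref_challs` handling and the nginx-only scope are assumptions noted in the comments.

```shell
# Constructed sample modelled on the renewal config quoted above (no real account data).
SAMPLE_CONF='# Options used in the renewal process
[renewalparams]
account = ACCOUNT_ID_HERE
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = nginx
installer = nginx'

# version_lt A B: succeed when dotted version A is older than B (numeric per component).
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, "."); n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1
  }'
}

# conf_value CONF KEY: print the value of "KEY = value" from renewal-conf text (empty if absent).
conf_value() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# predict_challenge VERSION CONF: the challenge this Certbot would pick against a CA that
# still offers TLS-SNI-01 (production at the time; the staging dry run cannot show this
# because staging had already disabled TLS-SNI-01). An explicit pref_challs wins; otherwise
# the nginx plugin prefers TLS-SNI-01 before 0.28.0 and HTTP-01 from 0.28.0 on.
# Assumption: only the nginx plugin discussed in the thread is modelled.
predict_challenge() {
  ver="$1"; conf="$2"
  auth=$(conf_value "$conf" authenticator)
  prefs=$(conf_value "$conf" pref_challs)
  if [ -n "$prefs" ]; then
    case "${prefs%%,*}" in tls-sni-01) echo tls-sni-01 ;; *) echo http-01 ;; esac
  elif [ "$auth" = "nginx" ] && version_lt "$ver" 0.28.0; then
    echo tls-sni-01
  else
    echo http-01
  fi
}

# audit_host: check every renewal conf on this machine against the installed client version.
audit_host() {
  ver=$(certbot --version 2>&1 | awk '{print $2}')
  for f in /etc/letsencrypt/renewal/*.conf; do
    [ -f "$f" ] && printf '%s: %s\n' "$f" "$(predict_challenge "$ver" "$(cat "$f")")"
  done
}
```

A conf reported as `tls-sni-01` is one where the email is accurate for production even though the dry run passed; pinning `pref_challs = http-01,` in that conf (or renewing with `--preferred-challenges http`) moves it to HTTP-01 ahead of the client upgrade.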


#4

This makes sense. Thanks!