Delaying the TLS-SNI-01 validation deprecation?


#1

Checking my emails from letsencrypt, this is the first I’ve heard about this TLS-SNI-01 deprecation. I’m all for it but I wish I had gotten a little earlier notice.

It’s mentioned this was decided and posted about a year ago but checking my email history I see nothing.

Did I miss some email that was sent out before or was it just posted in some blog post?

If it was never sent out via email a year ago please please PLEASE, next time you plan to deprecate something send out notifications earlier. As it is this notification seems like a “drop everything you planned to do” and fix all your sites immediately.

Also it sure would have been nice to know which sites. I didn’t implement the authentication, I’m using 3rd party libraries so I have no clue if I have to update some or all sites. Of course I can figure that out but you sent the mail only if one of my domains has this issue so you knew the domains. Would there have been any harm in telling me which ones they are?

Anyway, thank you so much for your service.


#2

Hi @greggman

There is no “Letsencrypt newsletter” or something else.

If you want to be up to date, check

https://community.letsencrypt.org/c/api-announcements

There you can find the new things.


#3

Expecting tens of thousands of developers to monitor a blog is not a very good way to run such an important service as letsencrypt.

If they can send out notifications to everyone they are breaking millions of websites in 3 weeks, they can just as easily send out notifications earlier.


#4

Hi @greggman

Yep, I acknowledge that we should have sent out notifications earlier, and we intended to. We had a number of delays extracting the list of affected users and trying to make sure there was a clear upgrade path for Certbot users, and we let it get later than we should have. My apologies.

Sincerely,
Jacob


#5

It would help immensely for someone like me to mention either:

  1. Which domain is using TLS-SNI-01 or
  2. How can I determine this from the shell

I’ve dug through a couple of /etc/letsencrypt directories (I think I have 5 or 6) and can’t find anything that would suggest the auth method used.

Thanks!


#6

It’s planned: Action required: Let's Encrypt certificate renewals

