How to resolve TLS-SNI deprecation


#1

Can you please give me detailed instructions on how to resolve this?


How to fix TLS-SNI deprecation
Updates on TLS-SNI deprecation email
#2

Hi,

We’ll need more information on what client you’re using and what operating system. Please also see my latest post - we’re working on some updates.

Thanks,
Jacob


#3

Thank you. I’m not an expert here; my operating system is Ubuntu 16.05.5 LTS. Will a failure to renew cause my website to be unreachable? I’m using it as a Moodle server and am afraid my online course will go offline right in the middle of the course.


#4

You should check the expiration date of your certs (especially such a critical one).
If any are due for renewal soon, you should “test” the renewal (for example, with --dry-run) to understand what will happen when that day comes.
That gives you the most time to deal with any renewal problem(s) that may be coming.


#5

Are you using certbot or certbot-auto to renew? How did you initially set up your certificate?

A failure to renew will indeed cause your site to be unreachable, but renewal only needs to happen every 60 days. You can look up your certificate name at https://crt.sh/ and check the “NotAfter” column to see when it expires.


#6

Hi, I’m sorry. I installed Let’s Encrypt 2 or 3 years ago on my site and have never renewed a certificate manually, so I guess I’m running certbot-auto? My NotAfter is 4/10/2019.


#7

Please show:
sudo crontab -l
systemctl list-timers

[one of those two should show how the renewals are being done]


#8

No problem, and no need to apologize. You’re doing great. :)

Excellent, so you have at least that long to get things sorted.

You can see what cronjobs you have running by using:

crontab -l

sudo crontab -l

ls -l /lib/systemd/system/certbot.timer

If you have certbot-auto on any of those, you should be fine. certbot-auto automatically upgrades itself, and the latest version supports the http-01 challenge.

If instead you have certbot, you may need to manually upgrade. Probably the most straightforward thing to do is go to https://certbot.eff.org/ and follow the instructions there for your specific web server and OS.
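The checks suggested in posts #4, #5, #7 and #8 (how long the certificate is still valid, and whether a cron job or the systemd timer is scheduled to renew it) can be scripted. The following is an added example, not code from the thread or from certbot; it assumes openssl is installed, and the self-signed test certificate it generates is constructed for the demo only. The timer paths are the ones named in the thread plus the /etc/systemd location some distributions use.

```shell
#!/bin/sh
# Added example (not from the thread): check how long a certificate stays
# valid and which renewal scheduler, if any, is configured on this host.

# Return 0 if the PEM certificate in $1 is still valid for at least $2 days.
# openssl's -checkend exits non-zero when the cert expires within that window.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Print the notAfter date of a PEM certificate (same value crt.sh shows).
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Report which renewal mechanism is present: the user's crontab, root's
# crontab, or a certbot systemd timer. Prints "none" if nothing is found.
detect_renewal_scheduler() {
    found=""
    if crontab -l 2>/dev/null | grep -q certbot; then
        found="$found user-crontab"
    fi
    if sudo -n crontab -l 2>/dev/null | grep -q certbot; then
        found="$found root-crontab"
    fi
    if [ -e /lib/systemd/system/certbot.timer ] || \
       [ -e /etc/systemd/system/certbot.timer ]; then
        found="$found systemd-timer"
    fi
    echo "${found:-none}" | sed 's/^ //'
}

# Constructed test fixture: a self-signed certificate for CN=$1 valid $2 days.
# Prints the path of the generated PEM file.
make_test_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -days "$2" -subj "/CN=$1" >/dev/null 2>&1
    echo "$dir/cert.pem"
}

# Demo: run with a certificate path, e.g.
#   sh check_renewal.sh /etc/letsencrypt/live/example.test/cert.pem
if [ -n "${1:-}" ]; then
    echo "notAfter: $(cert_not_after "$1")"
    if cert_valid_for_days "$1" 30; then
        echo "more than 30 days left; renewal not urgent"
    else
        echo "expires within 30 days; run: sudo certbot renew --dry-run"
    fi
    echo "renewal scheduler: $(detect_renewal_scheduler)"
fi
```

A Let’s Encrypt certificate is issued for 90 days and certbot renews it when fewer than 30 remain, so the 30-day window above is the point at which a broken renewer starts to matter.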


#9

Thanks for all your help, I think I got it resolved this way. I just updated everything on my ubuntu box by running

sudo apt-get update
sudo apt-get full-upgrade

Then I tested it with,

sudo certbot renew --dry-run

No errors came up and I saw that HTTP-01 was tested, so I think I’m good to go.
The only issue is that when I test the site with Let’s Debug, it worked this morning but then didn’t work later this afternoon when I retested, so that’s what made me panic. I think the Let’s Debug and Let’s Encrypt sites are just getting swamped this afternoon. Does this sound reasonable?
Dave


#10

Terrific!

Can you elaborate on what type of error you saw? Most likely if this was due to too much traffic at Let’s Debug, you’d see a 500 error.


#11

Let’s Debug worked for me this morning testing HTTP-01 and all was green. Then this afternoon it didn’t work and I kept retesting and it worked one other time again. After that I continued retesting and it gave me errors like

InternalProblem
An internal error occurred while checking the domain
Failed to query certwatch database to check rate limits: dial tcp: i/o timeout

Dave


#12

Ah, that does sound like a potential load problem in Let’s Debug. Thanks for the additional detail!


#13

Thanks for your help. I’ll let you go to help someone else.
Dave


#14

At Let’s Debug, I kill any queries to crt.sh’s database that take longer than 10 seconds (which is what we do to check rate limits).

This is in order to prevent overloading crt.sh.

I should probably re-categorize that warning as something less scary, sorry.


#15

A post was split to a new topic: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA


#16

Hi,

I’ve just followed the instructions on this thread, as I’m in the same boat as dbnawrocki.

After updating my Ubuntu box I ran “sudo certbot renew --dry-run” and got a “Congratulations, all renewals succeeded”. It looked to be using the http-01 challenge?

Does this mean the situation is now resolved?

Thanks

Darren.

