How to stop using TLS-SNI-01 with Bitnami WordPress


#1

Hi,

I’m using Bitnami WordPress with NGINX and SSL Stack For Google Cloud Platform. It uses a Lego package…Let’s Encrypt client and ACME library written in Go.

I have several websites using this above setup. I received an email “Action required: Let’s Encrypt certificate renewals” for only ONE of my current websites.

So I have two questions:

1 - How do I know if my setup is using “TLS-SNI-01”? Is there a way to verify? If I only received one email for one domain, does this mean the other ones are fine?

2 - How do I stop using “TLS-SNI-01” for the above mentioned setup? Do I simply upgrade the Lego package?

Thank you.


#2

Does their documentation show if/where there is a log file?
If so, I would first look there.

[or how to add more detail to such a log file (if needed)]


#3

Did you figure it out ?


#4

No I did not. I’m not able to find any documentation on how to update the Lego package. If at one point my website’s encryption stops working, I will attempt a reinstall of the entire package using the most current version.

However, I did find a tool that can be used to test a website’s encryption…Let’s Debug (https://letsdebug.net/). According to this tool, my website is fine and is using HTTP-01 as a validation method.

I will see what happens on February 13th…thank god it’s not a Friday!!!


#5

Nothing will “happen” on the 13th.
Time WON’T stop.
[this is NOT Y2K all over again]

The 13th only marks the beginning of a change (which has now been postponed to March).
The “change” will NOT make currently valid certs instantly expire.
Expiration dates will not change.
Unless your certs actually expire on the 13th, that is not the actual date of concern for you.
That date (moved to March) only marks the day you must start renewing via the new renewal method (HTTP-01).


#6

I think you might have misinterpreted what Let’s Debug is telling you. It performs tests that indicate whether your site could use HTTP-01 as a validation method (with respect to publicly-visible things like firewalls or DNS configuration, which often block people from using validation methods successfully). But Let’s Debug can’t tell if you are using HTTP-01, in the sense of whether your client software is currently configured to use it.


#7

According to its changelog, lego added support for TLS-ALPN-01 in version 1.1.0 and made some fixes to it in 1.2.0, so that and newer versions should be able to use that challenge. It works on port 443 just like TLS-SNI-01 did, so you don’t have to worry about firewalls and ports etc.

However, version 2.0.0 made some changes to the command-line interface, so if you upgrade to that (or a later version) you may also have to update your cron job to make sure it continues working.

Bitnami provides a tutorial for getting Let’s Encrypt certificates with lego. If you previously followed that tutorial, then repeating Step 1 should upgrade lego to the latest version, and repeating Step 5 should fix your cron job in case it was affected either by the change in the command line format or by the new version of lego being installed to a different location. (Replace the old cron job with the new one, of course).
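Added example, not from this thread nor from lego or Bitnami: a small Python triage script that combines the advice in #2 (read the client's own log to see which challenge it actually attempted) with the version thresholds given in #7 (TLS-ALPN-01 from lego 1.1.0, CLI change in 2.0.0). The "Trying to solve <challenge>" log shape, the sample log lines and the version banner are constructed assumptions, not verified lego output; point it at your real renewal log to check.

```python
import re

# Version thresholds taken from post #7: TLS-ALPN-01 arrived in lego 1.1.0,
# and 2.0.0 changed the command-line interface (cron jobs may need updating).
TLS_ALPN_MIN = (1, 1, 0)
CLI_CHANGE_MIN = (2, 0, 0)

# ASSUMED log line shape (not verified against lego's real output): the ACME
# challenge name follows the words "Trying to solve".
CHALLENGE_RE = re.compile(r"Trying to solve (?P<name>[A-Z]+(?:-[A-Z]+)*-\d+)", re.I)


def parse_version(text):
    """Extract (major, minor, patch) from text such as 'lego version 1.2.1'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no semantic version found in %r" % text)
    return tuple(int(x) for x in m.groups())


def challenges_in_log(lines):
    """Return the set of challenge names the log shows the client attempting."""
    found = set()
    for line in lines:
        m = CHALLENGE_RE.search(line)
        if m:
            found.add(m.group("name").upper())
    return found


def assess(version_text, log_lines):
    """Combine the installed lego version with the observed challenges into a verdict."""
    ver = parse_version(version_text)
    used = challenges_in_log(log_lines)
    report = {
        "version": ver,
        "challenges_seen": used,
        "uses_tls_sni_01": "TLS-SNI-01" in used,
        "tls_alpn_01_available": ver >= TLS_ALPN_MIN,
        # True means this version uses the post-2.0.0 CLI, so a cron job written
        # for an older lego must be reviewed (see #7).
        "cron_needs_review": ver >= CLI_CHANGE_MIN,
    }
    if report["uses_tls_sni_01"] and not report["tls_alpn_01_available"]:
        report["action"] = "upgrade lego (>= 1.1.0) and switch to HTTP-01 or TLS-ALPN-01"
    elif report["uses_tls_sni_01"]:
        report["action"] = "switch the renewal command to HTTP-01 or TLS-ALPN-01"
    else:
        report["action"] = "no TLS-SNI-01 use seen; keep monitoring renewals"
    return report


# Constructed sample input: what a renewal log might look like (not real output).
SAMPLE_LOG = [
    "2019/01/20 03:00:01 [INFO] [example.org] acme: Obtaining bundled SAN certificate",
    "2019/01/20 03:00:02 [INFO] [example.org] acme: Trying to solve TLS-SNI-01",
    "2019/01/20 03:00:05 [INFO] [example.org] The server validated our request",
]

if __name__ == "__main__":
    print(assess("lego version 0.4.1", SAMPLE_LOG))
```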