Is TLS-SNI-01 still usable?

My domain is: tintaglia.hd.free.fr
I can be root on the machine behind it, and am running apache.
I do not have control over DNS, and would very much prefer keeping port 80 blocked by my router.

Following recent emails about TLS-SNI-01 getting deprecated, I followed these instructions and upgraded certbot to 0.28.0

My certificate did not expire yet, but now

sudo certbot renew --dry-run

is failing with a timeout, apparently using http-01 to port 80.
I read somewhere the deprecation is still allowing renewals, so I thought I'd fallback to tls-sni-01 while tls-sni-03 is not available. But this also fails:

> sudo certbot renew --dry-run --preferred-challenges tls-sni-01  
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/tintaglia.hd.free.fr.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Attempting to renew cert (tintaglia.hd.free.fr) from /etc/letsencrypt/renewal/tintaglia.hd.free.fr.conf produced an unexpected error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/tintaglia.hd.free.fr/fullchain.pem (failure)

Is there something I can do, short of opening port 80 ?

Hi @Gnur

tls-sni-01 - validation is deactivated on the test system. So that can't work.

There is no tls-sni-03.

Open port 80. This isn't a security problem. You can add a redirect http -> https, so port 80 sends only redirects.

I don't know if your site actually needs to be publicly available, or if it is just something for you personally. But most people don't add the https:// part needed for HTTPS manually in the address bar. And without https:// (or HSTS preloading), a site blocking port 80 won't work at all.
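As an added example (not from this thread, and not certbot's or Let's Encrypt's own configuration), here is the kind of port-80 Apache VirtualHost the reply above describes: it answers HTTP-01 validation requests under /.well-known/acme-challenge/ and sends every other request to HTTPS with a permanent redirect, so nothing but redirects and challenge files is ever served in the clear. The domain is the one from the thread; the DocumentRoot path /var/www/html and the assumption that mod_rewrite is enabled (a2enmod rewrite on Debian/Ubuntu) are assumptions for the example.

```apache
# Assumed example, not from the original thread.
# Port 80 stays open only to (a) let the CA reach the ACME HTTP-01
# challenge files and (b) redirect everything else to HTTPS.
<VirtualHost *:80>
    ServerName tintaglia.hd.free.fr
    DocumentRoot /var/www/html          # assumed path

    # Challenge files must be readable without authentication or rewrite.
    <Directory "/var/www/html/.well-known/acme-challenge">
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    RewriteEngine On
    # Leave ACME validation requests alone ...
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    # ... and permanently redirect every other plaintext request to HTTPS.
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    ErrorLog ${APACHE_LOG_DIR}/tintaglia-http-error.log
    CustomLog ${APACHE_LOG_DIR}/tintaglia-http-access.log combined
</VirtualHost>
```

The explicit exclusion of the challenge path is the part that matters: a blanket redirect on port 80 would also redirect the CA's validation request, and HTTP-01 would fail even with the port open. Once this is in place, `sudo certbot renew --dry-run` (with the default http-01 challenge) can be used to confirm validation works before the real renewal is due. Adding an HSTS header on the HTTPS VirtualHost is a common companion setting, since it makes browsers skip port 80 on later visits.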

It’s 1 year old, but on that page was mentioned “The IETF ACME group is working to develop a followup TLS-SNI-03 validation method”.

I don’t know much about the “attack patterns”, but I figured having 80 open could at least increase traffic, if not add actual vulnerabilities (I think that’s why I closed it in the first place, seeing lots of attempts, but that may be the same with https).

This eventually turned into TLS-ALPN-01, which Certbot can't support (though a few other clients do, if you're willing to briefly take down your web server).

You may be interested in this document about allowing port 80: Best Practice - Keep Port 80 Open - Let's Encrypt.
