Is TLS-SNI-01 still usable


#1

My domain is: tintaglia.hd.free.fr
I can be root on the machine behind it, and am running apache.
I do not have control over DNS, and would very much prefer keeping port 80 blocked by my router.

Following recent emails about TLS-SNI-01 getting deprecated, I followed these instructions and upgraded certbot to 0.28.0

My certificate did not expire yet, but now

sudo certbot renew --dry-run

is failing with a timeout, apparently using http-01 to port 80.
I read somewhere the deprecation is still allowing renewals, so I thought I’d fallback to tls-sni-01 while tls-sni-03 is not available. But this also fails:

> sudo certbot renew --dry-run --preferred-challenges tls-sni-01  
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/tintaglia.hd.free.fr.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Attempting to renew cert (tintaglia.hd.free.fr) from /etc/letsencrypt/renewal/tintaglia.hd.free.fr.conf produced an unexpected error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/tintaglia.hd.free.fr/fullchain.pem (failure)

Is there something I can do, short of opening port 80 ?


#2

Hi @Gnur

tls-sni-01 - validation is deactivated on the test system. So that can’t work.

There is no tls-sni-03.

Open port 80. This isn’t a security problem. You can add a redirect http -> https, so port 80 sends only redirects.


#3

I don’t know if your site actually needs to be publically available, or if it is just something for you personally. But most people don’t add the https:// part needed for HTTPS manually in the address bar. And without https:// (or HSTS preloading), a site blocking port 80 won’t work at all.


#4

It’s 1 year old, but on that page was mentioned “The IETF ACME group is working to develop a followup TLS-SNI-03 validation method”.

I don’t know much about the “attack patterns”, but I figured having 80 open could at least increase traffic, if not add actual vulnerabilities (I think that’s why I closed it in the first place, seeing lots of attempts. But that may be the same with https).


#5

This eventually turned into TLS-ALPN-01, which Certbot can’t support (though a few other clients do, if you’re willing to briefly take down your web server).

You may be interested in this document about allowing port 80: https://letsencrypt.org/docs/allow-port-80/.


split this topic #6

A post was split to a new topic: Timeout after connect switching to HTTP-01


closed #7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.