SNI to ALPN migration ubuntu 16.04 nginx

alexj · 2019-01-18 03:38:52 UTC

I received an email about the deprecation of TLS-SNI-01. It didn’t include instructions on how to switch to ALPN. Can someone please help?

My domain is: crawl.project357.org

My web server is (include version): nginx version: nginx/1.10.3 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 16.04.5 LTS

mnordhoff · 2019-01-18 04:02:01 UTC

What ACME client are you using?

You might have to do little more than upgrading it, or it might not support TLS-ALPN validation, and you’d have to consider switching to DNS or HTTP validation, or switching clients.

There’s a list of clients known to support TLS-ALPN at:

alexj · 2019-01-18 04:21:35 UTC

I’m currently using certbot 0.26.1. I am happy to switch to DNS or HTTP validation instead. Whatever can be automated I’m fine with.

rg305 · 2019-01-18 04:26:15 UTC

HTTP validation is probably simpler.
But without full knowledge of your specific renewal process and setup that is just an overall statement.
So I would try that first.

alexj · 2019-01-18 04:34:03 UTC

Thank you. Based on the docs it seems HTTP validation puts a file into my docroot – that would work for me. How do I change to HTTP validation? I can’t see instructions in the docs

galichenkosemyon · 2019-01-18 05:35:58 UTC

You can switch to HTTP validation (though you’re probably already using it (as explained here: Upcoming TLS-SNI Deprecation in Certbot)) by adding flag --preferred-challenges like so:
certbot-auto --preferred-challenges http

mnordhoff · 2019-01-18 05:49:12 UTC

Recent versions of Certbot use HTTP validation by default, unless you override it.

How did you install Certbot? 0.26.1 is newer than what’s available in Ubuntu’s repository but older than the Certbot PPA.

alexj · 2019-01-20 21:50:30 UTC

Thanks for the advice. I’m using the PPA but hadn’t updated. I’ve done so now, so running 0.28.0.

So would updating my cron entry from certbot renew to certbot renew --preferred-challenges http -w /var/www/webroot/ be the right thing to do?

I’m not sure why the validation is not using HTTP. In /etc/letsencrypt/renewal/crawl.project357.org.conf the only renewal params are:

[renewalparams]
authenticator = nginx
account = xxx
server = https://acme-v02.api.letsencrypt.org/directory
installer = nginx

_az · 2019-01-20 22:08:14 UTC

No need to change your cron entry.

Is not necessary when using the nginx authenticator. This is because the nginx authenticator temporarily embeds the challenge response directly into your nginx config, rather than writing it to your webroot.

-w is only relevant for the webroot authenticator, which you are not using.

As long as Certbot reports the right version (0.28 or higher);

certbot --version

and a regular dry-run does not report any usage of TLS-SNI:

certbot renew --dry-run

then you’re good to go.

alexj · 2019-01-20 22:23:43 UTC

Unfortunately it’s printing TLS-SNI:

$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/crawl.project357.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for crawl.project357.org
TLS-SNI-01 is deprecated, and will stop working soon.
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/crawl.project357.org/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/crawl.project357.org/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

_az · 2019-01-20 22:25:49 UTC

Okay. Could you try the suggestions I made in the following post to try track down why it’s choosing that challenge:

alexj · 2019-01-20 22:34:33 UTC

OK.

grep -RE "(pref_challs|challenges)" /etc/letsencrypt/ doesn’t find anything.

certbot renew --dry-run -vvv doesn’t return any reference to pref_challs. The first reference to SNI is:

Sending GET request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/xxx.
https://acme-staging-v02.api.letsencrypt.org:443 "GET /acme/authz/xxx HTTP/1.1" 200 1433
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1433
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Sun, 20 Jan 2019 22:29:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 20 Jan 2019 22:29:33 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "crawl.project357.org"
  },
  "status": "valid",
  "expires": "2019-02-17T03:36:03Z",
  "challenges": [
[...]
    {
      "type": "tls-sni-01",
      "status": "valid",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/xxx/xxx",
      "token": "xxx",
      "validationRecord": [
        {
          "hostname": "crawl.project357.org",
          "port": "443",
          "addressesResolved": [
            "13.237.221.101"
          ],
          "addressUsed": "13.237.221.101"
        }
      ]
    },
[...]
  ]
}
Performing the following challenges:
tls-sni-01 challenge for crawl.project357.org
TLS-SNI-01 is deprecated, and will stop working soon.

Is certbot using SNI because the last certificate issued used SNI?

alexj · 2019-01-20 22:35:22 UTC

Actually, something doesn’t look quite right here:

# dpkg --list | grep -E "python.?-certbot"
ii  python-certbot-nginx             0.28.0-1+ubuntu16.04.1+certbot+3           all          transitional dummy package
ii  python3-certbot                  0.28.0-1+ubuntu16.04.1+certbot+4           all          main library for certbot
ii  python3-certbot-nginx            0.25.0-2+ubuntu16.04.1+certbot+1           all          Nginx plugin for Certbot```

_az · 2019-01-20 22:36:25 UTC

Yup. Try upgrade that.

alexj · 2019-01-20 22:39:01 UTC

Success! apt upgrade python3-certbot-nginx fixed this issue:

# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/crawl.project357.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for crawl.project357.org

I guess now I wait until a real renewal is required, but hopefully things work fine. Thanks for your help @_az @mnordhoff @galichenkosemyon @rg305