alexj
January 18, 2019, 3:38am
1
I received an email about the deprecation of TLS-SNI-01. It didn’t include instructions on how to switch to ALPN. Can someone please help?
My domain is: crawl.project357.org
My web server is (include version): nginx version: nginx/1.10.3 (Ubuntu)
The operating system my web server runs on is (include version): Ubuntu 16.04.5 LTS
What ACME client are you using?
You might have to do little more than upgrading it, or it might not support TLS-ALPN validation, and you'd have to consider switching to DNS or HTTP validation, or switching clients.
There's a list of clients known to support TLS-ALPN at:
2 Likes
alexj
January 18, 2019, 4:21am
3
I’m currently using certbot 0.26.1. I am happy to switch to DNS or HTTP validation instead. Whatever can be automated I’m fine with.
rg305
January 18, 2019, 4:26am
4
HTTP validation is probably simpler.
But without full knowledge of your specific renewal process and setup that is just an overall statement.
So I would try that first.
1 Like
alexj
January 18, 2019, 4:34am
5
Thank you. Based on the docs it seems HTTP validation puts a file into my docroot – that would work for me. How do I change to HTTP validation? I can’t see instructions in the docs.
You can switch to HTTP validation (though you’re probably already using it, as explained here: Upcoming TLS-SNI Deprecation in Certbot) by adding the flag --preferred-challenges like so:
certbot-auto --preferred-challenges http
2 Likes
Recent versions of Certbot use HTTP validation by default, unless you override it.
How did you install Certbot? 0.26.1 is newer than what’s available in Ubuntu’s repository but older than the Certbot PPA.
1 Like
alexj
January 20, 2019, 9:50pm
8
Thanks for the advice. I’m using the PPA but hadn’t updated. I’ve done so now, so running 0.28.0.
So would updating my cron entry from certbot renew
to certbot renew --preferred-challenges http -w /var/www/webroot/
be the right thing to do?
I’m not sure why the validation is not using HTTP. In /etc/letsencrypt/renewal/crawl.project357.org.conf the only renewal params are:
[renewalparams]
authenticator = nginx
account = xxx
server = https://acme-v02.api.letsencrypt.org/directory
installer = nginx
_az
January 20, 2019, 10:08pm
9
No need to change your cron entry.
alexj:
-w /var/www/webroot/
is not necessary when using the nginx authenticator. This is because the nginx authenticator temporarily embeds the challenge response directly into your nginx config, rather than writing it to your webroot. -w is only relevant for the webroot authenticator, which you are not using.
As long as Certbot reports the right version (0.28 or higher):
certbot --version
and a regular dry-run does not report any usage of TLS-SNI:
certbot renew --dry-run
then you're good to go.
alexj
January 20, 2019, 10:23pm
10
Unfortunately it’s printing TLS-SNI:
$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/crawl.project357.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for crawl.project357.org
TLS-SNI-01 is deprecated, and will stop working soon.
Waiting for verification...
Cleaning up challenges
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/crawl.project357.org/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/crawl.project357.org/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
_az
January 20, 2019, 10:25pm
11
Okay. Could you try the suggestions I made in the following post to try to track down why it's choosing that challenge:
1 Like
alexj
January 20, 2019, 10:34pm
12
OK.
grep -RE "(pref_challs|challenges)" /etc/letsencrypt/
doesn’t find anything.
certbot renew --dry-run -vvv
doesn’t return any reference to pref_challs. The first reference to SNI is:
Sending GET request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/xxx.
https://acme-staging-v02.api.letsencrypt.org:443 "GET /acme/authz/xxx HTTP/1.1" 200 1433
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1433
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Sun, 20 Jan 2019 22:29:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 20 Jan 2019 22:29:33 GMT
Connection: keep-alive
{
"identifier": {
"type": "dns",
"value": "crawl.project357.org"
},
"status": "valid",
"expires": "2019-02-17T03:36:03Z",
"challenges": [
[...]
{
"type": "tls-sni-01",
"status": "valid",
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/xxx/xxx",
"token": "xxx",
"validationRecord": [
{
"hostname": "crawl.project357.org",
"port": "443",
"addressesResolved": [
"13.237.221.101"
],
"addressUsed": "13.237.221.101"
}
]
},
[...]
]
}
Performing the following challenges:
tls-sni-01 challenge for crawl.project357.org
TLS-SNI-01 is deprecated, and will stop working soon.
Is certbot using SNI because the last certificate issued used SNI?
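The -vvv excerpt above is an HTTP response followed by an ACME v2 authorization object, and the useful facts are buried in it: which challenge types the CA offered, which one is already recorded as validated, and from which address. The following Python script is an added example, not code from the thread or from Certbot; it pulls the JSON body out of a log excerpt and summarizes it. The sample log and authorization object are constructed to mirror the excerpt above (tokens and URLs are placeholders, and the http-01 and dns-01 entries stand in for the parts the poster elided); the DEPRECATED_CHALLENGES set and the function names are this example's own.

```python
import json

# Challenge types Let's Encrypt has deprecated, per the certbot warning in the thread.
DEPRECATED_CHALLENGES = {"tls-sni-01", "tls-sni-02"}

# Constructed sample: an ACME v2 authorization modelled on the -vvv excerpt above.
# Tokens and URLs are placeholders; the http-01 and dns-01 entries stand in for
# the "[...]" the poster elided.
SAMPLE_AUTHZ = """{
  "identifier": {"type": "dns", "value": "crawl.project357.org"},
  "status": "valid",
  "expires": "2019-02-17T03:36:03Z",
  "challenges": [
    {"type": "http-01", "status": "pending",
     "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/xxx/1",
     "token": "xxx"},
    {"type": "tls-sni-01", "status": "valid",
     "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/xxx/2",
     "token": "xxx",
     "validationRecord": [{"hostname": "crawl.project357.org", "port": "443",
                           "addressesResolved": ["13.237.221.101"],
                           "addressUsed": "13.237.221.101"}]},
    {"type": "dns-01", "status": "pending",
     "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/xxx/3",
     "token": "xxx"}
  ]
}"""

# Constructed sample of the surrounding log text: HTTP headers, body, then more log lines.
SAMPLE_LOG = """Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1433
Date: Sun, 20 Jan 2019 22:29:33 GMT
Connection: keep-alive
""" + SAMPLE_AUTHZ + """
Performing the following challenges:
tls-sni-01 challenge for crawl.project357.org
"""


def extract_json_body(log_text):
    """Pull the first JSON object out of a certbot -vvv log excerpt.

    raw_decode stops at the end of the object, so trailing log lines are ignored.
    """
    start = log_text.find("{")
    if start < 0:
        raise ValueError("no JSON object found in log excerpt")
    obj, _ = json.JSONDecoder().raw_decode(log_text[start:])
    return obj


def summarize_authz(authz):
    """Reduce an authorization object to the facts that matter for the switch."""
    challenges = authz.get("challenges", [])
    status_by_type = {c["type"]: c.get("status", "unknown") for c in challenges}
    validated = [c for c in challenges if c.get("status") == "valid"]
    # Validation records tell you which host/address the CA actually reached.
    records = [
        {"type": c["type"], "hostname": r.get("hostname"),
         "port": r.get("port"), "address": r.get("addressUsed")}
        for c in validated for r in c.get("validationRecord", [])
    ]
    validated_types = sorted(c["type"] for c in validated)
    return {
        "identifier": authz["identifier"]["value"],
        "authz_status": authz.get("status"),
        "expires": authz.get("expires"),
        "challenge_status": status_by_type,
        "validated_by": validated_types,
        "deprecated_validated": [t for t in validated_types if t in DEPRECATED_CHALLENGES],
        "http01_offered": "http-01" in status_by_type,
        "validation_records": records,
    }


def summarize_log(log_text):
    """Convenience wrapper: log excerpt in, summary dict out."""
    return summarize_authz(extract_json_body(log_text))


def advise(summary):
    """One-line verdict for an operator reading the summary."""
    name = summary["identifier"]
    if summary["deprecated_validated"]:
        return ("WARN: %s validated via deprecated %s; make sure the client offers "
                "http-01 or dns-01 before the CA retires it"
                % (name, ", ".join(summary["deprecated_validated"])))
    if summary["validated_by"]:
        return "OK: %s validated via %s" % (name, ", ".join(summary["validated_by"]))
    if summary["http01_offered"]:
        return "OK: http-01 offered for %s, not yet validated" % name
    return "WARN: no http-01 challenge offered for %s" % name


if __name__ == "__main__":
    s = summarize_log(SAMPLE_LOG)
    print(json.dumps(s, indent=2))
    print(advise(s))
```

Paste a real excerpt into summarize_log() in place of the constructed sample; the summary shows at a glance whether http-01 was offered at all for the name and which challenge the CA has on record as validated, which is the fact the question above is asking about.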
alexj
January 20, 2019, 10:35pm
13
Actually, something doesn't look quite right here:
# dpkg --list | grep -E "python.?-certbot"
ii python-certbot-nginx 0.28.0-1+ubuntu16.04.1+certbot+3 all transitional dummy package
ii python3-certbot 0.28.0-1+ubuntu16.04.1+certbot+4 all main library for certbot
ii python3-certbot-nginx 0.25.0-2+ubuntu16.04.1+certbot+1 all Nginx plugin for Certbot
alexj
January 20, 2019, 10:39pm
15
Success! apt upgrade python3-certbot-nginx fixed this issue:
# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/crawl.project357.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for crawl.project357.org
I guess now I wait until a real renewal is required, but hopefully things work fine. Thanks for your help @_az @mnordhoff @galichenkosemyon @rg305
1 Like
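The thread's diagnosis came down to three checks: certbot --version is 0.28 or newer, the certbot plugin packages are at the same version as the core package (here python3-certbot-nginx had stayed at 0.25.0 while python3-certbot was 0.28.0), and certbot renew --dry-run performs http-01 rather than tls-sni-01. The Python script below is an added example, not code from the thread or from Certbot, that runs those checks over captured command output so they can be repeated on every host before the deprecation date. The sample outputs are constructed from the lines quoted in this thread; the minimum version, the DEPRECATED_CHALLENGES set and the function names are this example's own assumptions, and the package-name matching assumes the python3-certbot* naming of the Certbot PPA shown above.

```python
import re

# Constructed samples, mirroring the output quoted in the thread.
SAMPLE_VERSION = "certbot 0.28.0\n"

SAMPLE_DPKG = """\
ii python-certbot-nginx 0.28.0-1+ubuntu16.04.1+certbot+3 all transitional dummy package
ii python3-certbot 0.28.0-1+ubuntu16.04.1+certbot+4 all main library for certbot
ii python3-certbot-nginx 0.25.0-2+ubuntu16.04.1+certbot+1 all Nginx plugin for Certbot
"""

SAMPLE_DRY_RUN = """\
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for crawl.project357.org
TLS-SNI-01 is deprecated, and will stop working soon.
Waiting for verification...
"""

# Challenge types Let's Encrypt has deprecated, per the certbot warning above.
DEPRECATED_CHALLENGES = {"tls-sni-01", "tls-sni-02"}


def _fmt(version):
    return ".".join(str(p) for p in version)


def parse_certbot_version(text):
    """Turn the output of 'certbot --version' ('certbot 0.28.0') into (0, 28, 0)."""
    m = re.search(r"\bcertbot\s+(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError("no certbot version found in: %r" % text)
    return tuple(int(p) for p in m.group(1).split("."))


def dpkg_certbot_versions(listing):
    """Map each installed certbot-related package (from 'dpkg --list') to its upstream version."""
    versions = {}
    for line in listing.splitlines():
        parts = line.split(None, 4)  # status, name, version, arch, description
        if len(parts) < 3 or parts[0] != "ii":
            continue
        name, version = parts[1], parts[2]
        if "certbot" not in name:
            continue
        # Strip a Debian epoch ('1:') and revision ('-1+ubuntu...') to compare upstream versions.
        upstream = version.split(":")[-1].split("-", 1)[0]
        versions[name] = tuple(int(p) for p in upstream.split("."))
    return versions


def dry_run_challenges(output):
    """Return (challenge_type, domain) pairs from 'certbot renew --dry-run' output."""
    found = []
    for line in output.splitlines():
        m = re.match(r"\s*([a-z0-9-]+-\d{2})\s+challenge for\s+(\S+)", line)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def check_install(version_text, dpkg_listing, dry_run_output, minimum=(0, 28)):
    """Collect human-readable findings; an empty list means nothing needs fixing."""
    findings = []
    ver = parse_certbot_version(version_text)
    if ver < minimum:
        findings.append("certbot %s is older than %s" % (_fmt(ver), _fmt(minimum)))
    pkgs = dpkg_certbot_versions(dpkg_listing)
    core = pkgs.get("python3-certbot")
    if core is not None:
        for name, v in sorted(pkgs.items()):
            if v != core:
                findings.append("%s is %s but python3-certbot is %s"
                                % (name, _fmt(v), _fmt(core)))
    for ctype, domain in dry_run_challenges(dry_run_output):
        if ctype in DEPRECATED_CHALLENGES:
            findings.append("dry run used deprecated %s for %s" % (ctype, domain))
    return findings


if __name__ == "__main__":
    for f in check_install(SAMPLE_VERSION, SAMPLE_DPKG, SAMPLE_DRY_RUN) or ["all checks passed"]:
        print(f)
```

On a real host, feed the functions the captured output of certbot --version, dpkg --list and certbot renew --dry-run. Comparing upstream versions across all certbot packages is the check that would have caught this thread's problem immediately, since a plugin lagging behind the core package is easy to miss when certbot --version alone looks fine.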
system
Closed
February 19, 2019, 10:39pm
16
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.