We’re an ISP requesting certificates for our customers and use the TLS SNI challenge. Our certificate request process (using TLS SNI; we used DNS before) was deployed to prod on 4th May (may the force be with you ;-). This process requested over two thousand certificates successfully and stopped working yesterday (11.08.2016) with no changes since said day in May.
We had already noticed error rates going up before this, but we can’t be sure that the domains were not misconfigured.
We investigated the sudden change and have come up with the error message “Failed to connect to x.x.x.x:443 for TLS-SNI-01 challenge”. There is a “status” code too that says 400.
The interesting thing is that the connection to the TLS terminator (bud-tls in our case) works and the challenge certificate is successfully returned. We confirmed that via the TLS terminator logs (http://paste42.de/203a4bc665347f8782f95d4bd5909bdb/10906/#) and openssl s_client (http://paste42.de/ede21b0b7220483514eb70bf063b1e88/10905/#).
I noticed that the connection was closed by the TLS terminator after a “sslv3 alert bad certificate” / handshake failure.
Our currently configured protocols and ciphers are listed here: https://www.ssllabs.com/ssltest/analyze.html?d=system.lima-city.de&s=184.108.40.206&latest
We have not deployed any changes to the TLS terminator in the last months, so it looks to me like Let’s Encrypt changed something and our process stopped working because of it. Do you have any idea what the problem could be?
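A small reproducer for the kind of check described in the post (connect to the terminator the way the validator does, with the acme.invalid name as SNI, and look at what comes back). This is an added example for the thread, not code from the poster, from bud-tls or from Let's Encrypt. It follows the ACME draft definition of TLS-SNI-01: Z = hex(SHA256(keyAuthorization)), the validator connects to port 443 with SNI `Z[0:32].Z[32:64].acme.invalid` and expects a self-signed certificate carrying that name as a dNSName SAN. Host, port, the key authorization, the "only SAN" strictness in `classify()` and the DER fragments built by `san_extension()` for the offline self-check are assumptions/constructed inputs, not values from the thread. It separates three outcomes that the single "Failed to connect" message blurs together: TCP connect failure, a TLS alert during the handshake (the "bad certificate" / handshake failure seen in the terminator logs), and a handshake that succeeds but returns a certificate without the expected name.

```python
#!/usr/bin/env python3
"""Imitate a TLS-SNI-01 validation connection and classify what fails.

Added example for this thread, not Let's Encrypt's or the poster's code.
Key authorization, host and the DER test fixtures are constructed/assumed.
"""
import hashlib
import socket
import ssl
import sys

SAN_OID = b"\x06\x03\x55\x1d\x11"  # DER encoding of id-ce-subjectAltName (2.5.29.17)


def tls_sni_01_name(key_authorization):
    """Name the validator sends as SNI and expects as the certificate's dNSName."""
    z = hashlib.sha256(key_authorization.encode("ascii")).hexdigest()
    return f"{z[:32]}.{z[32:]}.acme.invalid"


def _der_len(buf, i):
    """Decode a DER length at buf[i]; return (length, index of first content byte)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def _tlv(tag, body):
    """Encode one DER tag/length/value (short or long form length)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + length + body


def san_extension(names):
    """Encode a subjectAltName extension holding only dNSName entries.

    Only here so dns_sans() can be exercised offline without a real certificate.
    """
    seq = b"".join(_tlv(0x82, n.encode("ascii")) for n in names)  # [2] dNSName
    return SAN_OID + _tlv(0x04, _tlv(0x30, seq))                  # OCTET STRING(SEQUENCE)


def dns_sans(der):
    """Return the dNSName entries of the subjectAltName extension in a DER certificate.

    Minimal walker, not a full X.509 parser: it finds the extension by its OID bytes,
    skips the optional 'critical' BOOLEAN, then walks the GeneralName SEQUENCE.
    """
    i = der.find(SAN_OID)
    if i < 0:
        return []
    i += len(SAN_OID)
    if der[i] == 0x01:                      # BOOLEAN critical, optional
        n, i = _der_len(der, i + 1)
        i += n
    if der[i] != 0x04:
        raise ValueError("expected OCTET STRING after subjectAltName OID")
    n, i = _der_len(der, i + 1)
    end = i + n
    if der[i] != 0x30:
        raise ValueError("expected SEQUENCE of GeneralName")
    _, i = _der_len(der, i + 1)
    names = []
    while i < end:
        tag = der[i]
        n, i = _der_len(der, i + 1)
        if tag == 0x82:                     # [2] dNSName (IA5String)
            names.append(der[i:i + n].decode("ascii"))
        i += n                              # skip other GeneralName types
    return names


def probe(host, sni, port=443, timeout=10):
    """Connect like the validator: TCP to host:port, then a TLS handshake with the given SNI."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE         # the challenge certificate is self-signed by design
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                return {"stage": "tls", "names": dns_sans(tls.getpeercert(binary_form=True)),
                        "version": tls.version(), "cipher": tls.cipher()[0]}
    except ssl.SSLError as exc:             # alert from the server, e.g. handshake_failure
        return {"stage": "handshake", "error": str(exc)}
    except OSError as exc:                  # refused, timed out, unreachable
        return {"stage": "connect", "error": str(exc)}


def classify(result, expected_name):
    """Map a probe() result onto distinct outcomes; 'extra-names' is a stricter check
    than the draft's wording (which only requires the name to be present) and is an assumption."""
    if result["stage"] == "connect":
        return "connect-failed"
    if result["stage"] == "handshake":
        return "handshake-failed"
    if result["names"] == [expected_name]:
        return "ok"
    if expected_name in result["names"]:
        return "extra-names"
    return "wrong-certificate"


if __name__ == "__main__":
    # Usage: probe.py <ip> <keyAuthorization>  (both supplied by the caller; not thread values)
    ip, key_auth = sys.argv[1], sys.argv[2]
    name = tls_sni_01_name(key_auth)
    res = probe(ip, name)
    print(name, res, classify(res, name))
```

Run it against the terminator's IP with the key authorization of a pending challenge: a "connect-failed" result means the validator's TCP connection never completed (firewall, rate limit, wrong IP), "handshake-failed" points at the TLS layer (protocol/cipher mismatch or the terminator refusing the handshake), and "wrong-certificate" means the handshake worked but the SNI lookup did not select the challenge certificate. Note that `verify_mode = CERT_NONE` is deliberate here, since the challenge certificate is self-signed; do not copy that setting into anything that talks to a real service.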