TLS-SNI-01 challenge handshake failure after 11.08


#1

Hi,
we’re an ISP requesting certificates for our customers and use the TLS SNI challenge. Our certificate request process (using TLS SNI, we used DNS before) was deployed to prod on 4th May (may the force be with you ;-). This process requested over two thousand certificates successfully and stopped working yesterday (11.08.2016.) with no changes since said day in May.

We already noticed error rates going up before this but we can’t be sure that the domains were not misconfigured.

We investigated the sudden change and have come up with the error message “Failed to connect to x.x.x.x:443 for TLS-SNI-01 challenge”. There is a “status” code too that says 400.

Interesting thing is that the connection to the TLS terminator (bud-tls in our case) works and the challenge certificate is successfully returned. We confirmed that via the TLS terminator logs (http://paste42.de/203a4bc665347f8782f95d4bd5909bdb/10906/#) and openssl s_client (http://paste42.de/ede21b0b7220483514eb70bf063b1e88/10905/#).

I noticed that the connection was closed by the TLS terminator after a “sslv3 alert bad certificate” / handshake failure.

Our currently configured protocols and ciphers are listed here: https://www.ssllabs.com/ssltest/analyze.html?d=system.lima-city.de&s=91.216.248.35&latest

We have not deployed any changes to the TLS terminator in the last months so it looks to me like Let’s Encrypt changed something and our process stopped working because of it. Do you have any idea what could be the problem?
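For readers trying to reproduce this kind of failure report on their own side, here is an added example (it is not code from the original post, from Boulder, or from the bud-tls terminator) of what a TLS-SNI-01 validator does: it derives the `.acme.invalid` name from the key authorization, opens a TLS connection with that name in SNI, and checks that the presented self-signed certificate carries that name in its subjectAltName. The key authorization value, host and port below are constructed placeholders; the `probe_sni` helper returns the raw handshake error text (such as the "sslv3 alert bad certificate" mentioned above) instead of raising, so it can be used to tell a validator-side handshake failure apart from a missing challenge certificate.

```python
"""Added example: a minimal TLS-SNI-01 style check (not Boulder's code).

Assumptions: the name derivation follows the ACME draft that defined
TLS-SNI-01 (Z = hex SHA-256 of the key authorization, split into two
32-character labels under .acme.invalid); SAN names of the served
certificate are supplied by the caller, e.g. extracted with openssl.
"""
import hashlib
import socket
import ssl
from typing import Optional, Sequence, Tuple

ACME_INVALID_SUFFIX = ".acme.invalid"


def tls_sni_01_hostname(key_authorization: str) -> str:
    """Derive the SNI name the validator sends for a TLS-SNI-01 challenge.

    Z = hex(SHA-256(keyAuthorization)); name = Z[0:32] "." Z[32:64] ".acme.invalid"
    """
    z = hashlib.sha256(key_authorization.encode("ascii")).hexdigest()
    return f"{z[:32]}.{z[32:]}{ACME_INVALID_SUFFIX}"


def san_satisfies_challenge(san_dns_names: Sequence[str], expected_name: str) -> bool:
    """True when the certificate's dNSName SAN entries include the expected
    .acme.invalid name (DNS names compare case-insensitively)."""
    wanted = expected_name.lower().rstrip(".")
    return any(name.lower().rstrip(".") == wanted for name in san_dns_names)


def probe_sni(host: str, port: int, sni_name: str,
              timeout: float = 10.0) -> Tuple[bool, Optional[str], Optional[bytes]]:
    """Open a TLS connection with `sni_name` in the SNI extension.

    Returns (handshake_ok, error_text, der_certificate). Verification is
    disabled because challenge certificates are self-signed; the caller
    inspects the returned DER bytes (e.g. with openssl x509 -noout -text).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=sni_name) as tls:
                return True, None, tls.getpeercert(binary_form=True)
    except (ssl.SSLError, OSError) as exc:
        # A handshake alert (e.g. "alert bad certificate") or a refused
        # connection both land here; the text is what you would file in a report.
        return False, str(exc), None


def diagnose(handshake_ok: bool, error_text: Optional[str],
             san_dns_names: Sequence[str], expected_name: str) -> str:
    """Summarise a probe the way an operator would read it."""
    if not handshake_ok:
        return f"handshake failed before the certificate could be checked: {error_text}"
    if san_satisfies_challenge(san_dns_names, expected_name):
        return "challenge certificate presented: validation would pass"
    return f"certificate served, but SAN lacks {expected_name}: validation would fail"


if __name__ == "__main__":
    # Constructed key authorization (token.thumbprint form); not a real challenge.
    key_auth = "example-token.example-account-thumbprint"
    name = tls_sni_01_hostname(key_auth)
    print("expected SNI name:", name)
    # Offline demonstration with constructed SAN lists:
    print(diagnose(True, None, [name], name))
    print(diagnose(True, None, ["www.example.invalid"], name))
    print(diagnose(False, "[SSL: SSLV3_ALERT_BAD_CERTIFICATE] ...", [], name))
```

To check a live terminator, call `probe_sni(host, 443, tls_sni_01_hostname(key_auth))` and feed the SAN names from the returned DER certificate into `diagnose`; a failed handshake with an alert in `error_text` points at the TLS layer rather than at a missing challenge certificate, which is the distinction the post above draws.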


#2

The problem seems to be fixed now, tested after the deploy of boulder a550b08. Can you confirm this might have been the problem?


#3

Hi @phillipp,

It’s possible - the build that was reverted was our first attempt at running Boulder built with Go 1.6. An unrelated issue prompted the rollback.

The fact that your issues began yesterday when that build was deployed and ceased when we returned to a Go 1.5 build is certainly troubling.

Could I ask you to file a Boulder issue with the paste logs and details you included in your community forum post?


#4

Thanks @cpu for checking this out so fast :slight_smile:

Sure, I’ll open an issue so you can investigate.

Thanks for the help!


#5

For folks following along at home the root cause was identified in Boulder issue #2124.

