TLS-SNI-01 deprecation mail: which domain(s)?


#1

Like so many others I’ve received the TLS-SNI-01 EOL mail.
Could you be a bit more specific which domain is still using that method?
I use LE on dozens of servers with even more domains. I can’t possibly check them all.


#2

Hi @ulope

Then check your config / renewal files to see if there is a “standalone” (possible) or a “tls-sni” (critical).

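The check described in the post above, as an added shell example that is not part of the thread: it classifies certbot renewal config files by the validation method they record. The sample files and their contents are constructed here for illustration; on a real host you would point it at /etc/letsencrypt/renewal/*.conf instead. The "possible" rating for standalone follows the post (older certbot versions preferred tls-sni-01 for that plugin), and the exact strings grepped for are an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies certbot renewal config
# files by the validation method they record. The sample files below are
# constructed; on a real host use /etc/letsencrypt/renewal/*.conf.
#
# Classification (assumption, following the advice in the post):
#   CRITICAL  the file mentions tls-sni (the challenge being retired)
#   POSSIBLE  authenticator = standalone (older certbot preferred tls-sni-01 there)
#   OK        anything else (webroot, nginx/apache, dns plugins, ...)

classify_renewal_conf() {
    f="$1"
    if grep -qi 'tls-sni' "$f"; then
        echo CRITICAL
    elif grep -Eqi '^[[:space:]]*authenticator[[:space:]]*=[[:space:]]*standalone' "$f"; then
        echo POSSIBLE
    else
        echo OK
    fi
}

# Scan one renewal directory; prints "<status> <file>" per conf file
scan_renewal_dir() {
    dir="$1"
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "$(classify_renewal_conf "$f")" "$f"
    done
}

# Number of CRITICAL files; handy as a per-host result when looping over servers
count_critical() {
    scan_renewal_dir "$1" | grep -c '^CRITICAL ' || true
}

# Constructed sample renewal directory with one file of each class
make_sample_dir() {
    sample=$(mktemp -d)
    cat > "$sample/critical.example.conf" <<'EOF'
[renewalparams]
authenticator = standalone
pref_challs = tls-sni-01,
EOF
    cat > "$sample/possible.example.conf" <<'EOF'
[renewalparams]
authenticator = standalone
EOF
    cat > "$sample/ok.example.conf" <<'EOF'
[renewalparams]
authenticator = webroot
webroot_path = /var/www/html,
EOF
    echo "$sample"
}

# Run with --demo to see the three sample files classified
if [ "${1:-}" = "--demo" ]; then
    scan_renewal_dir "$(make_sample_dir)"
fi
```

To cover many servers, run `count_critical /etc/letsencrypt/renewal` over ssh on each host and collect the hosts that return a non-zero count; anything rated POSSIBLE should still be confirmed against the staging system as suggested later in the thread.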

#3

Unfortunately, I mostly don’t use certbot.

Isn’t there a way to get a list of all domains tied to a specific email address?


#4

There’s no public way, no. :slightly_frowning_face:

Edit: Wrong emoji! Wrong emoji!


#5

But your other client should have config files with the information which validation method is used.

Or check one of your domains with the test system.


#6

@Juegen, the test system – is that the staging system https://letsencrypt.org/docs/staging-environment/ ? Is this the DNS record or the certbot that we are talking about here?


#7

Yes, this is the test system.

With Certbot, use

--test-cert

or

--dry-run

then certbot uses the test system.


#8

Like @ulope, I have a lot of systems to check. If there’s no public list, is there a private list? If not, is it possible to include the list in the notification mail? (I assume you’ll be sending another one or more as the deadline approaches.) Given that this is security-related, it’s safe to assume that this will happen again in the future… and the site owner’s problem will only be worse in the future. This seems like a big usability thing.


#9

As another suggestion, and as I found a jessie system of mine used an antique 0.10.* of certbot, would it be possible to add this to the comms? Check your certbot and if it is older than x.y.z, remove the distro package and reinstall? Also, it is not helping that auto-renewal will not work and one has to do

--force-renewal

to get a fresh certificate. So, I reckon, an outdated certbot in the distro of choice is the root cause for this? Plus, certbot should also check for the issue, i.e. renew if close to renewal date .OR. outdated CA validation mode.

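The "older than x.y.z" check from the post above, as an added shell example that is not part of the thread. The post leaves the minimum version as x.y.z, and this script does not guess it: the minimum is a parameter you pass in. It assumes `certbot --version` prints a line of the form "certbot MAJOR.MINOR.PATCH" (the sample output below is constructed) and only handles numeric dotted versions.

```shell
#!/bin/sh
# Added example, not from the thread. Decides whether an installed certbot
# is older than a minimum version supplied by the caller. The minimum is a
# parameter on purpose: the post writes it as "x.y.z" and we do not guess it.
# Assumes `certbot --version` output looks like "certbot 0.10.2" (constructed
# sample in the tests/usage below).

# Encode "A.B.C" as one integer so plain sh can compare without sort -V.
# Assumption: at most three components, each below 1000; missing ones are 0.
vernum() {
    IFS=. read -r a b c _rest <<EOF
$1
EOF
    printf '1%03d%03d%03d' "${a:-0}" "${b:-0}" "${c:-0}"
}

# True (exit 0) when $1 is strictly older than $2
version_lt() {
    [ "$(vernum "$1")" -lt "$(vernum "$2")" ]
}

# Pull the version out of `certbot --version` output; empty if it does not match
version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^certbot \([0-9][0-9.]*\).*/\1/p'
}

# Per-host verdict: REINSTALL if older than the minimum, OK otherwise,
# UNKNOWN if certbot is missing or prints something unexpected
verdict() {
    v=$(version_from_output "$1")
    if [ -z "$v" ]; then
        echo UNKNOWN
        return
    fi
    if version_lt "$v" "$2"; then
        echo REINSTALL
    else
        echo OK
    fi
}

# Live use on each server (minimum taken from the announcement, not guessed here):
#   verdict "$(certbot --version 2>&1)" "<minimum version>"
# After reinstalling, exercise renewal against the staging CA as post #7 suggests:
#   certbot renew --dry-run
if [ "${1:-}" = "--demo" ]; then
    verdict "certbot 0.10.2" "${2:-0.0.0}"
fi
```

The dry-run at the end is the check that actually matters: a current certbot that still has a renewal config pinned to tls-sni will fail there, which an upgrade alone does not reveal.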

#10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.