TLS-SNI-01 email may have been sent to people who already upgraded


#1

I received the email saying my self-hosted Ubuntu server used TLS-SNI-01 on 2018-11-28. I followed the link to the instructions on this site, but could not find anything wrong with my server. Certbot version is 0.28.0. There is no mention of tls-sni-01 in my config files. The results of certbot renew --dry-run indicate all renewals succeeded using http-01 challenge.

Neither the email nor the pinned topic here reflects this situation. It appears the email was generated in error, or the Ubuntu PPA (updated 2018-12-14) has already solved this problem.
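A defender-side check of the steps described above (look for a tls-sni-01 preference in Certbot's per-certificate renewal configs, confirm the installed Certbot version), written as an added shell example that is not from this thread or from Certbot itself. It assumes the renewal configs live under /etc/letsencrypt/renewal/ with a `pref_challs` line in the [renewalparams] section, and that 0.28.0 (the version in the post) is the first release that no longer defaults to TLS-SNI-01.

```shell
#!/bin/sh
# Added audit helper, not part of the thread or of Certbot. Assumptions:
# renewal configs are /etc/letsencrypt/renewal/*.conf and a challenge
# preference appears as "pref_challs = tls-sni-01, http-01".

# Return 0 if the given renewal conf still prefers or names tls-sni-01.
conf_uses_tls_sni() {
    grep -Eiq '^[[:space:]]*pref_challs[[:space:]]*=.*tls-sni-01' "$1"
}

# Return 0 if dotted numeric version $1 is at least version $2.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 1
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 0
}

# Audit one renewal directory: print each conf that still names tls-sni-01;
# return 0 if none do, 1 otherwise.
audit_renewal_dir() {
    dir="$1"; bad=0
    for conf in "$dir"/*.conf; do
        [ -e "$conf" ] || continue
        if conf_uses_tls_sni "$conf"; then
            echo "still prefers tls-sni-01: $conf"
            bad=1
        fi
    done
    return "$bad"
}

# Run the audit on a live host with: sh audit.sh --run
# (certbot --version prints "certbot X.Y.Z", on stderr in older releases).
if [ "${1:-}" = "--run" ]; then
    ver="$(certbot --version 2>&1 | awk '{print $2}')"
    if version_ge "${ver:-0}" 0.28.0; then
        echo "certbot $ver: no longer defaults to tls-sni-01"
    else
        echo "certbot ${ver:-unknown}: older than 0.28.0, upgrade"
    fi
    audit_renewal_dir /etc/letsencrypt/renewal && echo "no tls-sni-01 preference found"
fi
```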


#2

Hi @miqrogroove

Then it’s ok. If --dry-run works, you should wait.

Check the expiration date of your certificate, renew should start 30 days before expiration.

If you see that doesn’t work, then ask again.


#3

That’s probably what happened. Additionally, Let’s Encrypt disabled TLS-SNI-01 entirely on the staging environment, so certbot renew --dry-run will never use it now.


#4

Agreed. So the problem is not with the client. The problem is that I’m getting an e-mail saying I need to update my client’s validation method when that is not currently true.


#5

You’re right.

Let’s Encrypt can’t really be sure that you have upgraded your client – or, all of your clients.

Plus, newer versions of Certbot can still be forced to use TLS-SNI-01.

Maybe the email should have used different language, but false positives were always going to happen. And they’re better than false negatives.


#6

Perhaps @bmw could update the Certbot pin with that info. At least to mention the possibility that the client was already updated and fixed, but after the system could detect it.


#7

The system can’t detect what version you are using - when compared to what version you did use last to get a cert.
Any new use would (if successful) get a new cert - which would not remove the fact that the previous cert was obtained with an older version and will soon be expiring.
Even if they contain the same name(s) and are from the same IP and from the same account - there is no way to know they came from the same system, nor if the newer version replaced the older version.
[What if you installed a second client on the same system? One could be new and one could be old.]
So, you see, there is no real way to know (from outside your own system) which version of which client is currently in use.


#8

That’s a good suggestion, @miqrogroove! We’ll update the pinned post.


#9

Yes it can detect this by waiting for the 3-month certificate expiry period after the software update has been pushed. There could still be corner cases, but I imagine it would have been much smoother than blasting out emails a month after the patch.


#10

You’re right. Waiting would’ve made an already long process even longer, though.


#11

Hindsight is 20/20.