TLS-SNI-01 end of life / HTTP-01 with version 0.22


#1

First I would like to thank all who contribute to letsencrypt. And second I apologize to ask questions you might see so many.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: hondadeauville-forum.de

I ran this command: certbot renew --dry-run

It produced this output:

Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for hondadeauville-forum.de
http-01 challenge for www.hondadeauville-forum.de
Waiting for verification...
Cleaning up challenges

-------------------------------------------------------------------------------
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/hondadeauville-forum.de/fullchain.pem
-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/hondadeauville-forum.de/fullchain.pem (success)

** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
-------------------------------------------------------------------------------

My web server is (include version): apache 2.4.18

The operating system my web server runs on is (include version): Ubuntu 16.04.4

My hosting provider, if applicable, is: Host Europe

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): none

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.22.2

I got an email with some information about the end of TLS-SNI-01 validation.

The output of the renew process shows only http requests. So I assume I'm safe with it.

The information about the version 0.28 or higher irritates me a little bit.

Peter


#2

Hi @pitter,

you use http-01 - validation, so it’s good.

That works, ok.

There are a lot of older Certbots, they use tls-sni-validation. Earlier that was the preferred validation.

But it’s possible to use an old Certbot with http-01 - validation, then no action is required.

You have a new certificate (created 2019-01-18), so check in ~~ 2 months if the renew works. If yes, ignore these tls-sni-problems.


#3

And those two hostnames are the only ones you’ve got a Let’s Encrypt certificate for? If so, I too assume you’re good to go.

I can understand that. Perhaps you instructed certbot to use the http-01 challenge when you got the certificates in the first place. In hindsight, that was a very good decision.

Unfortunately, not everyone is so lucky. Instead of instructing everybody to re-issue their certificates with extra options, Let’s Encrypt seems to have chosen to instruct everybody to update to at least 0.28, so no other manual configuration is necessary. Also, the http-01 challenge was introduced in the apache plugin in certbot 0.21. So anyone with an earlier version would need to update anyway when using the apache authenticator. (Note: one can always separately use the webroot authenticator plugin with the apache installer plugin. But instructing everyone to do so, probably would have flooded this forum with hundreds of threads an hour :stuck_out_tongue:)
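
As an added example, not code posted by anyone in this thread: a small POSIX shell checker that reads the text of a `certbot renew --dry-run` run, reports which challenge types it used, flags any tls-sni-01 use, and compares the client version against 0.28.0. The function names and the sample output are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Checks two things the thread discusses:
#  1. did the dry run use only http-01 challenges?
#  2. is the installed certbot at least 0.28.0?

# Print the distinct challenge types found in certbot output read from stdin.
# Matching lines look like: "http-01 challenge for example.com".
challenge_types() {
    sed -n 's/^\([a-z0-9-]*\) challenge for .*/\1/p' | sort -u
}

# Succeed (exit 0) only if at least one challenge was performed and none
# of them was tls-sni-01. Output is read from stdin.
uses_only_http01() {
    types=$(challenge_types)
    [ -n "$types" ] || return 1          # no challenge lines: cannot judge
    ! printf '%s\n' "$types" | grep -qx 'tls-sni-01'
}

# version_ge A B succeeds when dotted version A >= B. Pure awk, so it
# does not depend on GNU "sort -V".
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if ((x[i] + 0) > (y[i] + 0)) exit 0
            if ((x[i] + 0) < (y[i] + 0)) exit 1
        }
        exit 0
    }'
}

# Extract the version number from "certbot --version" output ("certbot 0.22.2").
certbot_version_from() {
    printf '%s\n' "$1" | sed -n 's/^certbot \([0-9][0-9.]*\).*/\1/p'
}

# Constructed sample dry-run output, modelled on the transcript in this thread.
SAMPLE_OUTPUT='Performing the following challenges:
http-01 challenge for example.com
http-01 challenge for www.example.com
Waiting for verification...'

if printf '%s\n' "$SAMPLE_OUTPUT" | uses_only_http01; then
    echo "renewal used only http-01; TLS-SNI-01 end of life does not affect it"
fi
```

Feed it real output with `certbot renew --dry-run 2>&1 | uses_only_http01`, and check `version_ge "$(certbot_version_from "$(certbot --version 2>&1)")" 0.28.0` to see whether the client is already at the version the e-mail asks for.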


#4

Hey, thanks a lot for the quick and helpful answers.

To be complete, there are two hostnames (same server) with the same result.


Performing the following challenges:
http-01 challenge for goes-to.com
http-01 challenge for www.goes-to.com


Performing the following challenges:
http-01 challenge for deauville-meets-deauville.com
http-01 challenge for www.deauville-meets-deauville.com


Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/hondadeauville-forum.de/fullchain.pem (success)
/etc/letsencrypt/live/goes-to.com/fullchain.pem (success)
/etc/letsencrypt/live/deauville-meets-deauville.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry


#5

Seems you’re good to go to me :slight_smile: I have no idea why you received the e-mail if you’re not using the tls-sni-01 challenge. I myself didn’t receive anything.


#6

I understand that, you show a valid solution.

My problem is time for now and I have no valid test server for this specific topic.

Again thanks
Peter


#7

If you have the PPA enabled, upgrading to 0.28.0 should be as easy as “sudo apt update” and “sudo apt upgrade” or “sudo apt full-upgrade”.


#8

I also received an email asking to update from ACME TLS-SNI-01 domain validation this morning.

However, I completed the update process to HTTP-01 on the weekend and when I ran dry run, everything was successful.

I don’t know why the email arrived.

I am ignoring the email for now unless I need to do something else?
Thank you.


#9

If you have more than one cert, then you can test/compare one method on one cert and another method on the other cert (in the same system).
[yes that is using production for testing - but if you know what you’re doing, 30 days is enough time to get it right before either will expire]


#10

Nope, you’re good. The emails were sent to anyone with a TLS-SNI validation in the last 60 days; we didn’t subtract out the people who had a more recent HTTP-01 validation.


#11

Great thanks.
(I have to mention the support in these threads is great. This is a very valuable service you provide. It’s prompted me to make a donation.)


#12

me too :slight_smile: