TLS-SNI-01 end-of-life

jmuessig · 2019-01-18 13:11:47 UTC

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: hydrophase.com

I ran this command:

It produced this output:

My web server is (include version): Apache/2.4.18 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 16.04.03 LTS

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Please forgive my ignorance. I set up the certificates originally, likely through some kind of tutorial, and they’ve been on autopilot since. I’d really appreciate any guidance as to how to update whatever it is I need to update to fix the EOL issue. I have root CLI access. Thanks much in advance!!!

JuergenAuer · 2019-01-18 13:15:41 UTC

Hi @jmuessig

your certificate is ~~ new

CN=hydrophase.com
	09.12.2018
	09.03.2019
	hydrophase.com, www.hydrophase.com - 2 entries

So it’s not a critical problem.

Check your config file ( /etc/letsencrypt/renewal) if there is tls-sni used.

Or try to renew your certificate with

--preferred-challenges http

jmuessig · 2019-01-18 13:23:56 UTC

Thanks much for the assistance, JuergenAuer!

This is what is in my config file, I don’t see any mention of TLS?

renew_before_expiry = 30 days

version = 0.17.0
archive_dir = /etc/letsencrypt/archive/hydrophase.com
cert = /etc/letsencrypt/live/hydrophase.com/cert.pem
privkey = /etc/letsencrypt/live/hydrophase.com/privkey.pem
chain = /etc/letsencrypt/live/hydrophase.com/chain.pem
fullchain = /etc/letsencrypt/live/hydrophase.com/fullchain.pem

Options used in the renewal process

[renewalparams]
authenticator = apache
installer = apache
account =

JuergenAuer · 2019-01-18 13:26:16 UTC

Your certbot looks old. Perhaps you should update.

I am missing an information about the validation method. Perhaps your config is so old, this information is missing.

jmuessig · 2019-01-18 14:11:40 UTC

I updated certbot to 0.28.0 with “sudo apt-get dist-upgrade”. Is there a way to regenerate the configuration files?

jmuessig · 2019-01-18 14:47:29 UTC

I ran “certbot renew --dry-run” and it produced this output. Since it says “http-01 challenge”, does this mean I do not have the TLS-SNI-01 domain validation?

Processing /etc/letsencrypt/renewal/hydrophase.com.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for hydrophase.com
http-01 challenge for www.hydrophase.com
Waiting for verification…
Cleaning up challenges

new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/hydrophase.com/fullchain.pem

** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/hydrophase.com/fullchain.pem (success)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)

jmuessig · 2019-01-21 13:48:20 UTC

Help, please? I think I have the TNS-SNI-01 validation issue solved (please see post directly above), but I would really appreciate a brief confirmation of this by anyone with knowledge, please. Thanks much!

JuergenAuer · 2019-01-21 14:43:24 UTC

Create a new certificate, then you know it.

rg305 · 2019-01-21 18:44:29 UTC

To clarify further:
Create a brand new certificate (not just a renewal) and then you will surely know.

jmuessig · 2019-01-21 20:18:12 UTC

Thanks much, guys.

Idiot question here, but would I do that with certbot as I did originally? Will the new certificate overwrite the old one? or do I need to revoke or delete it first?

JuergenAuer · 2019-01-21 20:38:56 UTC

It’s a normal renew, don’t revoke the old certificate.

The old will expire, then it’s dead.

jmuessig · 2019-01-21 20:47:58 UTC

Thanks JuergenAuer!

So, I could just run “certbot --apache”, select my domains, and this will create new certificates?

JuergenAuer · 2019-01-21 20:51:03 UTC

If you change your configuration badly, then it will not work.

So the only correct answer: I don’t know it.

Do it. Then you will see, if it works.

PS:

Since I have startet my tool https://check-your-website.server-daten.de/ , I see so much terrible configurations.

It’s impossible to say what will happen in a few weeks.

jmuessig · 2019-01-21 20:57:02 UTC

congrats on your tool, JuergenAuer!

I think everything went well. Below is the new .conf file, does this look correct, as far as you can tell?

renew_before_expiry = 30 days

version = 0.28.0
archive_dir = /etc/letsencrypt/archive/hydrophase.com
cert = /etc/letsencrypt/live/hydrophase.com/cert.pem
privkey = /etc/letsencrypt/live/hydrophase.com/privkey.pem
chain = /etc/letsencrypt/live/hydrophase.com/chain.pem
fullchain = /etc/letsencrypt/live/hydrophase.com/fullchain.pem

Options used in the renewal process

[renewalparams]
authenticator = apache
installer = apache
account = ___
server = https://acme-v02.api.letsencrypt.org/directory