TLS-SNI-01 validation is reaching end-of-life


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: shafer.ca

I ran this command: grep '^pref_challs.tls-sni-01' /etc/letsencrypt/renewal/

It produced this output: no output

My web server is (include version): Server version: Apache/2.4.18 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 16.04.5 LTS

My hosting provider, if applicable, is: AWS Lightsail

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.26.1


#2

Forget question. It fixed itself when I was gathering info for this question. Sorry :frowning:

Please close or delete.


#3

Hi @gshafer

happy to hear that your switch away from tls-sni validation has worked.

But:

Your configuration is incomplete ( https://check-your-website.server-daten.de/?q=shafer.ca ):

Host            T     IP-Address     is auth.  ∑ Queries  ∑ Timeout
shafer.ca       A     52.14.203.38   yes       2          0
                AAAA                 yes
www.shafer.ca   C     shafer.ca      yes       1          0
                A     52.14.203.38   yes

Domainname              Http-Status  redirect                 Sec.   G
http://shafer.ca/
  52.14.203.38          301          https://shafer.ca/       0.230  A
http://www.shafer.ca/
  52.14.203.38          301          https://www.shafer.ca/   0.227  A
https://shafer.ca/
  52.14.203.38          200                                   2.457  B
https://www.shafer.ca/
  52.14.203.38          200                                   2.226  N
  Certificate error: RemoteCertificateNameMismatch

You have both domain names (www + non-www) as dns entries defined.

But your certificate has only the non-www domain name, so www doesn’t have the correct certificate.

Create a new certificate with two domain names:

certbot [your other parameters] -d shafer.ca -d www.shafer.ca

Then both domain names are good.


#4

Thanks. I added a certificate for the www.shafer.ca.

…George


#5

That didn’t work.

Rechecked your domain, now

Domainname              Http-Status  redirect                 Sec.   G
http://shafer.ca/
  52.14.203.38          301          https://shafer.ca/       0.243  A
http://www.shafer.ca/
  52.14.203.38          301          https://www.shafer.ca/   0.850  A
https://shafer.ca/
  52.14.203.38          200                                   2.533  N
  Certificate error: RemoteCertificateNameMismatch
https://www.shafer.ca/
  52.14.203.38          200                                   2.253  B

your non-www has the wrong certificate.

Your certificate has again only one domain name:

CN=www.shafer.ca
	20.01.2019
	20.04.2019
	www.shafer.ca - 1 entry

you need one certificate with two domain names.
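The "RemoteCertificateNameMismatch" results in posts #3 and #5 come from the browser-side rule that a hostname must match a dNSName in the certificate's Subject Alternative Name list; neither a certificate for shafer.ca nor one for www.shafer.ca covers the other name. The script below is an added illustration written for this page, not code from the thread, from Certbot or from check-your-website. It implements that matching rule (exact label match, case-insensitive, with a single-label leftmost wildcard as in the *.server-daten.de certificate mentioned later) and replays the three certificate states from the thread against both hostnames. The SAN lists and hostnames are constructed sample data; the helper names are my own.

```python
"""Hostname-to-certificate name matching, the rule behind
"RemoteCertificateNameMismatch". Added example, not part of the original thread."""


def name_matches(san_name: str, hostname: str) -> bool:
    """Match one dNSName SAN entry against a hostname.

    Rules implemented (RFC 6125 style, as browsers apply them):
      - comparison is case-insensitive and ignores a trailing dot
      - a '*' is honoured only as the entire leftmost label and stands for
        exactly one label, so '*.example.com' covers 'www.example.com' but
        neither 'example.com' nor 'a.b.example.com'
    """
    pattern = san_name.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host

    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # Wildcard must be the whole leftmost label, sit under at least two
    # further labels, and appear nowhere else in the pattern.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(san_names, hostname: str) -> bool:
    """True if any SAN dNSName in the certificate matches the hostname."""
    return any(name_matches(n, hostname) for n in san_names)


def check_site(hostnames, san_names) -> dict:
    """Map each hostname to 'ok' or 'RemoteCertificateNameMismatch',
    mirroring the verdict column of the check-your-website report."""
    return {
        h: ("ok" if cert_covers(san_names, h) else "RemoteCertificateNameMismatch")
        for h in hostnames
    }


# Constructed sample data mirroring the thread: the SAN list of the
# certificate the server presented at each stage, checked for both names.
HOSTS = ["shafer.ca", "www.shafer.ca"]
CERT_NONWWW_ONLY = ["shafer.ca"]                 # situation in post #3
CERT_WWW_ONLY = ["www.shafer.ca"]                # situation in post #5
CERT_BOTH = ["shafer.ca", "www.shafer.ca"]       # situation in post #7

if __name__ == "__main__":
    for label, cert in [("post #3", CERT_NONWWW_ONLY),
                        ("post #5", CERT_WWW_ONLY),
                        ("post #7", CERT_BOTH)]:
        print(label, check_site(HOSTS, cert))
    # Wildcard behaviour from post #10: covers one label below the base name only.
    print("*.server-daten.de vs www.server-daten.de:",
          cert_covers(["*.server-daten.de"], "www.server-daten.de"))
    print("*.server-daten.de vs server-daten.de:",
          cert_covers(["*.server-daten.de"], "server-daten.de"))
```

The script only checks the matching rule; which certificate a server actually presents for a given name depends on its TLS configuration. To feed it the real SAN list of a live site, OpenSSL 1.1.1 or later can print it with: openssl s_client -connect shafer.ca:443 -servername www.shafer.ca </dev/null 2>/dev/null | openssl x509 -noout -ext subjectAltName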


#6

I guess I am doing it wrong. I created a separate certificate for shafer.ca and www.shafer.ca.

I attempted to create a certificate that includes both.

Here is the output from that certificate creation:


#7

Now it’s good:

CN=shafer.ca
	20.01.2019
	20.04.2019
	shafer.ca, www.shafer.ca - 2 entries

One certificate with both domain names, both connections are secure.


#8

Thanks so much for your help. You are giving better support than the paid certificate providers. I will definitely be making a donation to the cause.

…George


#9

Sorry, one more quick question. I have 5 different domains on my server using virtual hosts. I have created certificates for each domain (each certificate includes the domain and the www.domain).

Is this the best way to do this, or should you include all domains on one certificate?

…George


#10

It’s your choice, there is no global rule.

Personally, I prefer the same. Most of my customers use my own wildcard certificate *.server-daten.de. Some customers have their own domain, now with a Letsencrypt certificate. But I don’t add this name to my own certificate, instead I create a new certificate with both names (www + non-www).

So it’s easier to renew certificates, because the domains are separated.

But big organisations like Cloudflare often have 70 - 100 domain names from different domains in one certificate.


#11

Thanks for the response. It seems to be working well, so I will leave it as it is.