TLS-SNI-01 validation is reaching end-of-life

UbikMZ · 2019-02-02 17:47:46 UTC

Hi LetsEncrypt.
You have announced that “TLS-SNI-01 validation is reaching end-of-life. It will stop working temporarily on February 13th, 2019, and permanently on March 13th, 2019.”
Question 1:
What does it mean “stop working temporarily” ?
Question 2:
Don’t you worry to put in trouble many of your users who could not manage to update the ACME client ?
In some configurations this process is not as easy as you pretend it to be.
Personnaly I tried it with the support of your team and failed. I had to reverse back to TLS-SNI-01 which is not that straightforward neither.

At least you should, please, let us some more time.

tdelmas · 2019-02-02 19:19:39 UTC

See February 13, 2019: End-of-Life for All TLS-SNI-01 Validation Support :

We will disable TLS-SNI validation in production on February 13, then re-enable it a week later.

They need to use another challenge method, not necessarily update the ACME client.

According to February 13, 2019: End-of-Life for All TLS-SNI-01 Validation Support :

Also, we’re changing the final end-of-life date for TLS-SNI in production to March 13, 2019. This will give more people time to update
So you need to find another way (such as using the HTTP-01 challenge) or after that date you will not be able to renew your certificated anymore.

As explained, they pushed the deadline to to March 13, 2019 (Was February 13, 2019).

It was announced February 13, 2019: End-of-Life for All TLS-SNI-01 Validation Support since October, 2018 and a reminder was sent by email more than two weeks ago. And one year ago they strongly encourage people to move to HTTP or DNS validation rather than attempt to get on the TLS-SNI-01 whitelist.

UbikMZ · 2019-02-02 19:50:16 UTC

I can’t believe it !
Why are you doing that ?
Just to see how many troubles you can cause ?

I have not received this announcement. The first mail informing about this is date of 18 January 2019.

tdelmas · 2019-02-02 20:00:23 UTC

just to clarify, “Let’s Encrypt”, not “me”.

They do it - I think - to alert people still using TLS-SNI-01. It should not break something, as renewals are typicality done one month before expiration, and retried if they failed.

They could have handle it better, I agree…

UbikMZ · 2019-02-02 20:14:11 UTC

Tom,
Do not take it personnaly, please. When I say “you” I mean “Let’s Encrypt”.

You (again not Tom) do not break something used in production to alert people that it is time to migrate to something new which, in my case, failed despite the fact that I followed the recommended procedure with an active support from one of yours enginneers.

My certificate (kreator.ch) is valid till May, 2nd 2019.
Will it be running during the gaming week from February 13 to February 20 ?

Regards.

tdelmas · 2019-02-02 20:24:57 UTC

Yes, you current certificate will not be impacted. (they will not “disabled” certificate already created using that method)

It will only impact renewals: if you try to renew that certificate, using the TLS-SNI-01 challenge during that week, it will fail.

If you are using certbot, you can follow these instructions to ensure that your renewal will work: How to stop using TLS-SNI-01 with Certbot

UbikMZ · 2019-02-02 20:36:34 UTC

That is exactly the procedure (for Debain Jessie) that I followed and arrived to the point where the Apache server would not start any more.
We spent a night together with Rudy Gomes (God bless him) to revert to the old method.

I just hope that, as you are saying, my

Could you transmit my request to them (Let’s Encrypt) to consider a softer mean to alert people of the need of migration that interrupting the service ?

Thanks and kind regards

Osiris · 2019-02-02 20:55:22 UTC

You do realise most of the people here are just volunteers? With different sets of skills, difference in knowledge. Although everyone here tries their best, perhaps the “active support” you’ve gotten just wasn’t up for the problem you have.

UbikMZ · 2019-02-02 21:20:14 UTC

Hi Osiris,
I am really grateful to all people of your team who dedicated their rime trying to assist me. I do not know if they are volunteers or not and I am not in the position to say if it was the right person for my problem.
I installed easily your “old” certificate which worked fine for my needs with TLS-SNI. My server configuration has not change, in any case not untill I tried to migrate. I am not a SSL specialist so I just followed the indicated procedure and it failed.
The situation is that the migration could not be achieved and I am put under the pressure by the threat of Febraury 13 dead-line.
I am disposed (with pleasure) to pay for a commercial support from you, provided that this migration can be succesfully achieved.
Kind regards.

jsha · 2019-02-02 22:28:48 UTC

Hi @UbikMZ! I want to emphasize what Osiris has said - there are a lot of people here working hard on their spare time to give you help for free. For my part, I do apologize for the late notice you receive about TLS-SNI deprecation. And as tdelmas said, you’ve actually got a lot longer than you think - you’ve got 90 days from the issuance of your last certificate, whenever that was.

It sounds like you have particularly in-depth needs for support, so you might benefit from paying a commercial CA for a certificate and using their paid support.

rg305 · 2019-02-02 22:47:15 UTC

Just to be clear: The TLS problem has been on-going for over one year.
See: February 13, 2019: End-of-Life for All TLS-SNI-01 Validation Support

UbikMZ · 2019-02-02 22:47:42 UTC

Hi @jsha
Thanks for your message.
I have already expressed my thanks to your team for their time and efforts.
I don’t think the configuration of my server is that complicated and my knowledge of it so low to require in depth help just to upgrade.
However I’ll be glad to pay for it just to stop the nightmare I have been living for a couple of days and nights.
Would you be so kind to provide the way to join this support ?
Kind regards.

jsha · 2019-02-02 22:51:18 UTC

Sure, if you Google “ssl certificate,” you’ll find a number of paid options. You should click around to find one that offers a support package you like for a reasonable price.

Thanks,
Jacob

UbikMZ · 2019-02-02 22:59:21 UTC

Hi Jacob
I was wondering if I could stay with you paying for the support.
Concerning other CA providers I already started research to find an alternative.
Kind regards

Osiris · 2019-02-02 23:04:18 UTC

You could always donate, but that wouldn’t make any difference in the amount of support you’d get. This volunteer based community service is all there really is.

UbikMZ · 2019-02-02 23:06:19 UTC

Hi Rudy
Welcome back:grinning:
Even though this problem is going for a year I got informed about it just a couple of days ago.
Thanks again for your help the other night. It helped me to avoid a disaster.
Cheers

rg305 · 2019-02-02 23:08:47 UTC

Your very welcome.
Although I haven’t been able to resolve why the http challenges don’t work…
We did manage to get you 90 days to resolve this problem.
I’m sure someone here can figure this out long before that time comes.
You need not worry (so much) about this.

Cheers!

UbikMZ · 2019-02-02 23:23:31 UTC

Sure.
You did the best possible job it was possible to do in the mess in which I have landed.
In the night of 12 - 13 I’ll be flying to Patagonia.
If my system doesn’t work as from February 13, I’m jobless when I’m back.
Not easy to be relax in that configuration.
Understandable isn’t it ?

rg305 · 2019-02-02 23:40:30 UTC

I think you have misunderstood what is expected to happen on/after Feb 13.

Nothing is expected to happen that will stop your cert from working until its’ expiration date:

which is May 2.
So we have until then to figure out how to get the automation process working with HTTP-01.

JuergenAuer · 2019-02-03 09:59:20 UTC

A post was split to a new topic: What to do if tls-sni is deprecated?