TLS-SNI-01 website test


#1

hello -

is there any online test to detect TLS-SNI-01 similar to:

https://www.sslshopper.com/ssl-checker.html#hostname=sfinehomes.com
https://www.ssllabs.com/ssltest/

one of my URL’s (sfinehomes.com) just renewed and still i received a warning email “Action required: Let’s Encrypt certificate renewals”, even though my crontab job has the new switch --perferred-challengers http:

/usr/bin/certbot renew --preferred-challenges http ;

and i did follow the advice mentioned here
certbot 0.29.1

suggestions?


#2

No. There’s no public record of what validation method you used. The only people who know are Let’s Encrypt and, if your ACME client logs it, you.

(Certbot logs it.)

Did the email specifically refer to that domain? Do you have other certificates? Or did you have other certificates within the last two months?

Maybe it used TLS-SNI last time you renewed in November, and maybe that was just within the cutoff window for the email. (It was 65 days ago, but maybe the list was generated last week.)

In that case, you’ve already fixed the issue and you’re good to go.


#3

hi - the email came through January 27th at 4:34pm MST - several says AFTER i put in the new switch.

it looks like the email was sent shortly after the renewal (below)

https://www.ssllabs.com/ssltest/analyze.html?d=sfinehomes.com

Valid from Sun, 27 Jan 2019 04:04:42 UTC
Valid until Sat, 27 Apr 2019 04:04:42 UTC (expires in 2 months and 29 days)


Hello,

Action may be required to prevent your Let’s Encrypt certificate renewals
from breaking.

If you already received a similar e-mail, this one contains updated
information.

Your Let’s Encrypt client used ACME TLS-SNI-01 domain validation to issue
a certificate in the past 60 days. Below is a list of names and IP
addresses validated (max of one per account):

sfinehomes.com (162.216.114.36) on 2018-11-25

TLS-SNI-01 validation is reaching end-of-life. It will stop working
temporarily on February 13th, 2019, and permanently on March 13th, 2019.
Any certificates issued before then will continue to work for 90 days
after their issuance date.

You need to update your ACME client to use an alternative validation
method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your
certificate renewals will break and existing certificates will start to
expire.

Our staging environment already has TLS-SNI-01 disabled, so if you’d like
to test whether your system will work after February 13, you can run
against staging: https://letsencrypt.org/docs/staging-environment/

If you’re a Certbot user, you can find more information here:

Our forum has many threads on this topic. Please search to see if your
question has been answered, then open a new thread if it has not:
https://community.letsencrypt.org/

For more information about the TLS-SNI-01 end-of-life please see our API
announcement:

Thank you,
Let’s Encrypt Staff


#4

Right. It sounds like you’ve upgraded and stopped using TLS-SNI since November, but Let’s Encrypt can’t know that for certain, so they sent the email to make sure.


Apparent false TLS-SNI-01 notification emails
#5

OK - you do realize if the IRS took this same approach, blood-pressure pill usage would skyrocket.


#6

Sorry to stress you out! Based on this thread, it looks like you’re all set. It definitely would have been nice to correlate across multiple validations, and remove accounts that have done subsequent validations for the same domain name with a different validation method. Hopefully we won’t have to deprecate any other validation methods for a good long while, but we’ll keep this tweak in mind.


#7
  1. Is it really spelt that way: “perferred-challengers” ?
  2. Has an actual http challenge produce a new/renewed cert?

[Anyone can modify a crontab to force http challenges (even challengers) - but that doesn’t mean it will work for everyone nor anyone]