TLS-SNI challenges disabled for most new issuance


#1

[Update 2018-01-18: The most up-to-date summary is at IMPORTANT: What you need to know about TLS-SNI validation issues]

As we announced yesterday, the TLS-SNI challenge is permanently disabled due to a security issue. Our recommendation to client authors and hosting providers is to implement the HTTP-01 or DNS-01 challenges if you haven’t already.

To give people more time to migrate, we have two temporary whitelisting mechanisms:

  • TLS-SNI can be used for revalidating and reissuing certificates for domain names that have previously-issued Let’s Encrypt certificates. This is limited to the account that issued the most recent certificate for any given domain name. It applies whether or not the certificate used TLS-SNI for validation. It applies only to fully-qualified domain names, not subdomains. The grouping of domains into certificates doesn’t matter for this mechanism.
  • We are whitelisting by account ID some large hosting providers that have integrations built on TLS-SNI that don’t yet support HTTP-01.

As of 2018-01-13 00:40 UTC, both whitelisting mechanisms are live. If you have a certificate renewal that has been failing due to the TLS-SNI disablement, you should now be able to renew.

The Certbot team will have a release out soon adding HTTP-01 support to the Apache and Nginx plugins. This will allow Certbot to use those plugins to issue certificates for new domains.
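To make the first whitelist rule above concrete, here is an added illustration (not Let's Encrypt's or Boulder's code) of how the eligibility check would play out over constructed issuance records; the account IDs, the record layout, the dates and the hosting-provider whitelist set are all assumptions:

```python
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Issuance:
    account_id: int
    names: Tuple[str, ...]  # every name on the certificate; grouping is irrelevant here
    issued_at: datetime


# Constructed issuance history (hypothetical account IDs and dates).
RECORDS = (
    Issuance(1001, ("example.com", "www.example.com"), datetime(2017, 11, 1)),
    Issuance(2002, ("example.com",), datetime(2017, 12, 15)),
)

# Second mechanism: hosting providers whitelisted by account ID (hypothetical IDs).
HOSTER_WHITELIST: FrozenSet[int] = frozenset({3003})


def normalize(name: str) -> str:
    """Hostnames compare case-insensitively; a trailing dot is the same name."""
    return name.strip().rstrip(".").lower()


def most_recent_issuer(records: Iterable[Issuance], fqdn: str) -> Optional[int]:
    """Account that issued the newest certificate covering exactly this FQDN.

    Exact match only: a record for example.com never covers mail.example.com,
    which is the "fully-qualified domain names, not subdomains" rule."""
    target = normalize(fqdn)
    covering = [r for r in records if any(normalize(n) == target for n in r.names)]
    if not covering:
        return None
    return max(covering, key=lambda r: r.issued_at).account_id


def tls_sni_allowed(records, account_id: int, fqdn: str,
                    hoster_whitelist: FrozenSet[int] = HOSTER_WHITELIST) -> bool:
    """TLS-SNI stays available only via one of the two temporary whitelists."""
    if account_id in hoster_whitelist:
        return True
    return most_recent_issuer(records, fqdn) == account_id


def offered_challenges(records, account_id: int, fqdn: str) -> List[str]:
    """Challenge types still offered for this name; HTTP-01 and DNS-01 always are."""
    challenges = ["http-01", "dns-01"]
    if tls_sni_allowed(records, account_id, fqdn):
        challenges.append("tls-sni-01")
    return challenges
```

A client that only supports tls-sni-01 sees the two-entry list for any name outside the whitelists, which is the "does not support any combination of challenges" failure reported in the linked threads.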

