TLS-SNI challenges disabled for most new issuance

[Update 2018-01-18: The most up-to-date summary is at IMPORTANT: What you need to know about TLS-SNI validation issues]

As we announced yesterday, the TLS-SNI challenge is permanently disabled due to a security issue. Our recommendation to client authors and hosting providers is to implement the HTTP-01 or DNS-01 challenges if you haven’t already.

To give people more time to migrate, we have two temporary whitelisting mechanisms:

  • TLS-SNI can be used for revalidating and reissuing certificates for domain names that have previously-issued Let’s Encrypt certificates. This is limited to the account that issued the most recent certificate for any given domain name. It applies whether or not the certificate used TLS-SNI for validation. It applies only to fully-qualified domain names, not subdomains. The grouping of domains into certificates doesn’t matter for this mechanism.
  • We are whitelisting by account ID some large hosting providers that have integrations built on TLS-SNI that don’t yet support HTTP-01.

As of 2018-01-13 00:40 UTC, both whitelisting mechanisms are live. If you have a certificate renewal that has been failing due to the TLS-SNI disablement, you should now be able to renew.

The Certbot team will have a release out soon adding HTTP-01 support to the Apache and Nginx plugins. This will allow Certbot to use those plugins to issue certificates for new domains.
