TLS-SNI validation reaching end of life


#1

Got email with following message:

You need to update your ACME client to use an alternative validation method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your certificate renewals will break and existing certificates will start to expire

Is there some standard documentation you guys provide for this issue?

My domain is:
fuseonconnection.com
I ran this command:

It produced this output:

My web server is (include version):
Go http web server in std lib
The operating system my web server runs on is (include version):
CentOS 7.6
My hosting provider, if applicable, is:
Rackspace
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no


#2

I don’t know of any (a wiki would be nice).
But checking your domain, I can see that port 80 doesn’t reach your server.
If your ISP blocks port 80 then HTTP-01 is not an option for you.
Otherwise, you will need to ensure the Internet can reach your server over TCP port 80.

OR use DNS-01 validation method.
Not as “simple” but if your DNS service provider is supported, you can use a DNS plugin to automate the renewals.


#3

What ACME client are you using? What version of it?


#4

Matt,

I’m using certbot version .29

Figured out fix.

  • Old renewal process used port 443 which was open.
  • New renewal process needed to use port 80 which was not open.
  • Opened port 80 and renewal worked.

Thanks,

Jay
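For a Go standard-library server like the one in this thread, port 80 can be opened for HTTP-01 while exposing nothing else on it. This is an added example, not code from any poster: it assumes certbot runs in webroot mode (`certbot certonly --webroot -w <dir>`), and the webroot path and function names are hypothetical.

```go
package main

import (
	"log"
	"net/http"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

const challengePrefix = "/.well-known/acme-challenge/"

// RFC 8555 restricts HTTP-01 tokens to the base64url alphabet.
var tokenRe = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)

// newPort80Handler answers HTTP-01 challenges from webroot (the directory
// given to certbot with -w) and redirects every other request to HTTPS.
func newPort80Handler(webroot string) http.Handler {
	dir := filepath.Join(webroot, ".well-known", "acme-challenge")
	mux := http.NewServeMux()
	mux.HandleFunc(challengePrefix, func(w http.ResponseWriter, r *http.Request) {
		token := strings.TrimPrefix(r.URL.Path, challengePrefix)
		if !tokenRe.MatchString(token) { // rejects sub-paths, dotfiles, empty names
			http.NotFound(w, r)
			return
		}
		body, err := os.ReadFile(filepath.Join(dir, token))
		if err != nil {
			http.NotFound(w, r)
			return
		}
		w.Header().Set("Content-Type", "text/plain")
		w.Write(body)
	})
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		// Drop an explicit ":80" so the redirect targets the default HTTPS port.
		host := strings.TrimSuffix(r.Host, ":80")
		http.Redirect(w, r, "https://"+host+r.URL.RequestURI(), http.StatusMovedPermanently)
	})
	return mux
}

func main() {
	// "/var/www/acme" is an assumed webroot, not a path from the thread.
	log.Fatal(http.ListenAndServe(":80", newPort80Handler("/var/www/acme")))
}
```

Run it alongside the existing HTTPS listener; only token files written by certbot under the webroot are ever served in cleartext.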

