What to do if tls-sni is deprecated?


#1

Good morning all,

First of all thank you all for the great job that you are doing in the area of SSL awareness.

So I also received the email "Action is required to prevent your Let’s Encrypt certificate renewals from breaking", alerting that TLS-SNI-01 validation is reaching end-of-life and will stop working on February 13th, 2019.

After reading this thread, it looks like the renewal fixing process is not yet stable (at the time of this writing) and that (maybe I am not getting it well) this alert does not impact certificates which will not be renewed during the month of February.

So my question is this: do I have to take any action in the short term about my certificate (www.lohce.com, expiring on 24 April 2019)? I would like to avoid shutting down my Apache service while following "How to stop using TLS-SNI-01 with Certbot".

Any answer will help me better understand what to do.

Kindly, best regards



TLS-SNI-01 validation is reaching end-of-life
#2

Hi @lohceofficial

I’ve split your post, so you have your own topic; that makes things easier.

There are a lot of different configurations, so there is no general renewal fixing process.

Check your certbot version (certbot --version); it should be at least 0.28.

You can use --dry-run to create a test certificate.

Your domain looks OK ( https://check-your-website.server-daten.de/?q=lohce.com ). The non-www name isn’t defined; port 80 is open and redirects to https, and Let’s Encrypt follows these redirects.

Checking such a test file in /.well-known/acme-challenge returns the (good) HTTP status 404 - not found.
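
The checks suggested in the reply above, as an added example that is not part of the original posts: a numeric comparison of the Certbot version against 0.28, a scan for renewal configs that still prefer tls-sni-01, and a dry-run renewal. The function names are hypothetical, and the script assumes Certbot's default renewal directory /etc/letsencrypt/renewal with the challenge preference stored under the pref_challs key.

```shell
#!/bin/sh
# Added example: pre-renewal checks ahead of the TLS-SNI-01 end-of-life.
# Helper names are hypothetical; paths assume Certbot's default layout.

# parse_certbot_version "certbot 0.28.0" -> prints "0.28.0"
parse_certbot_version() {
    printf '%s\n' "$1" | sed -n 's/^certbot \([0-9][0-9.]*\).*/\1/p'
}

# version_ge A B -> succeeds when dotted version A >= B.
# Fields are compared as numbers, so 0.9 sorts below 0.28.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# tls_sni_configs DIR -> prints renewal configs that still list tls-sni-01
# as a preferred challenge; prints nothing when none do.
tls_sni_configs() {
    grep -l '^pref_challs.*tls-sni-01' "$1"/*.conf 2>/dev/null || true
}

# Run the real checks only when asked: sh check.sh --check (as root).
if [ "${1:-}" = "--check" ]; then
    # Older Certbot releases print the version on stderr, hence 2>&1.
    ver=$(parse_certbot_version "$(certbot --version 2>&1)")
    if version_ge "$ver" 0.28; then
        echo "certbot $ver: OK"
    else
        echo "certbot $ver is older than 0.28: upgrade first"
    fi
    stale=$(tls_sni_configs /etc/letsencrypt/renewal)
    [ -z "$stale" ] || printf 'still prefers tls-sni-01:\n%s\n' "$stale"
    # Test renewal against the staging environment; live certs are untouched.
    certbot renew --dry-run
fi
```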