"Your Let’s Encrypt client used ACME TLS-SNI-01..." Which one?


#1

Hi, I just received an email from LE that looks like this:

Hello,

Action is required to prevent your Let’s Encrypt certificate renewals from breaking.

Your Let’s Encrypt client used ACME TLS-SNI-01 domain validation to issue a certificate in the past 60 days.

TLS-SNI-01 validation is reaching end-of-life and will stop working on February 13th, 2019.

You need to update your ACME client to use an alternative validation method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your certificate renewals will break and existing certificates will start to expire.

If you need help updating your ACME client, please open a new topic in the Help category of the Let’s Encrypt community forum:

https://community.letsencrypt.org/c/help

Please answer all of the questions in the topic template so we can help you.

For more information about the TLS-SNI-01 end-of-life please see our API announcement:

February 13, 2019: End-of-Life for All TLS-SNI-01 Validation Support

Thank you,
Let’s Encrypt Staff

The problem is that I manage quite a few servers and it would be very helpful if the email also provided the domain name that was tried, so that I can know which client needs to be upgraded.

Thanks.


Life after TLS-SNI-01 domain validation
#2

@jsha, are there any more of these going out in the future so that it might be possible to add additional information to subsequent iterations?


#3

Yes, I just got one of these too and would love to be able to at least know which certificate/hostname(s) are affected. As someone at an organization that manages several hosts/certificates and has known about this for a while and (thought they) finished dealing with it, this would be greatly appreciated.


#4

This. We have around 50 Let’s Encrypt certificates in play and now have no idea which of them is going to stop renewing.


#5

I’m in the same boat: what is the domain the e-mail refers to? How do I find out?

Thanks,

P.


#6

Hi @drcongo

check your config / renew files

/etc/letsencrypt/renewal

if there is “standalone” (unclear) or “tls-sni” (critical).


#7

This is especially a nightmare for software with built-in autocert. Whether the domain has been using TLS-SNI or TLS-ALPN depends entirely on arbitrary circumstances that are completely opaque to end-users. When you have dozens (or more) of servers, an audit is a practical impossibility.

A follow-up email or query interface would be greatly appreciated.


#8

I really need that follow-up email because I have too many servers to check.


#9

Hi @palmeros

use the normal text search with your config files:

standalone (perhaps critical)
tls-sni (critical).

So you see, if this is a problem.


#10

I am a little confused by this, too. I just went through all of my servers, and did a sudo certbot renew --dry-run, and all of them said they were doing http-01 challenges.


#11

Yep, we’re going to send a second round of emails that will include domain names. Very sorry for the trouble.


#12

Certbot until 0.28.0 would prefer tls-sni if available, but supported http-01. So it’s possible that your Certbot instance renewed within the last 60 days using tls-sni, but you have since upgraded to 0.28.0 or above, which will default to http-01. So in your situation, I think no action is needed. If any certificate does get close to its expiration (20 days) you’ll get an email about it.
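Posts #6 and #9 suggest searching the renewal configs for "tls-sni" and "standalone", and post #12 adds that the Certbot version matters (0.28.0 and later default to http-01). The script below is an added example, not from this thread or from the Certbot project, that combines both hints into one audit of a renewal directory. It assumes the usual `/etc/letsencrypt/renewal/*.conf` layout, where each file starts with a `version = X.Y.Z` line recording the Certbot that last wrote it and carries a `[renewalparams]` section with `authenticator` and optionally `pref_challs`. The sample configs it writes into a temp directory are constructed for the demo; the function and file names are mine.

```shell
#!/bin/sh
# Added example (not Certbot code): triage Certbot renewal configs for
# TLS-SNI-01 exposure before the February 13th, 2019 end-of-life.
#
# Classification per file:
#   critical - pref_challs explicitly asks for tls-sni-01
#   unclear  - written by Certbot < 0.28.0 with an authenticator that
#              could negotiate TLS-SNI-01 (standalone, apache, nginx)
#   ok       - everything else (http-01/dns-01 pinned, webroot, new Certbot)

# conf_value FILE KEY -> first value for KEY in FILE, lower-cased
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr 'A-Z' 'a-z'
}

# version_below_0_28 FILE -> success if the recorded Certbot version is < 0.28.0
version_below_0_28() {
    ver=$(conf_value "$1" version)
    [ -n "$ver" ] || return 1          # no version line: do not assume old
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    if [ "$major" -eq 0 ] && [ "$minor" -lt 28 ]; then return 0; fi
    return 1
}

# classify_renewal_conf FILE -> prints critical | unclear | ok
classify_renewal_conf() {
    conf="$1"
    pref=$(conf_value "$conf" pref_challs)
    auth=$(conf_value "$conf" authenticator)
    case "$pref" in
        *tls-sni*) echo critical; return 0 ;;
        *http-01*|*dns-01*) echo ok; return 0 ;;   # challenge pinned to a supported type
    esac
    if version_below_0_28 "$conf"; then
        case "$auth" in
            standalone|apache|nginx) echo unclear; return 0 ;;
        esac
    fi
    echo ok
}

# audit_renewal_dir DIR -> one "<class> <lineage>" line per *.conf in DIR
audit_renewal_dir() {
    for conf in "$1"/*.conf; do
        [ -e "$conf" ] || continue
        printf '%-9s %s\n' "$(classify_renewal_conf "$conf")" "$(basename "$conf" .conf)"
    done
}

# make_sample_renewals DIR -> writes three constructed sample configs
make_sample_renewals() {
    cat > "$1/old-nginx.example.conf" <<'EOF'
# renew_before_expiry = 30 days
version = 0.26.1
archive_dir = /etc/letsencrypt/archive/old-nginx.example
[renewalparams]
authenticator = nginx
installer = nginx
server = https://acme-v02.api.letsencrypt.org/directory
EOF
    cat > "$1/pinned-sni.example.conf" <<'EOF'
version = 0.26.1
[renewalparams]
authenticator = standalone
pref_challs = tls-sni-01,
server = https://acme-v02.api.letsencrypt.org/directory
EOF
    cat > "$1/webroot.example.conf" <<'EOF'
version = 0.28.0
[renewalparams]
authenticator = webroot
webroot_path = /var/www/html,
server = https://acme-v02.api.letsencrypt.org/directory
EOF
}

# Stand-alone demo on the constructed samples; on a real host run
# audit_renewal_dir /etc/letsencrypt/renewal instead.
demo_dir=$(mktemp -d)
make_sample_renewals "$demo_dir"
audit_renewal_dir "$demo_dir"
rm -rf "$demo_dir"
```

A "critical" line means the next renewal will fail outright after the cut-off; "unclear" means the recorded Certbot is old enough to have preferred TLS-SNI-01 and should simply be upgraded, after which `certbot renew --dry-run` will confirm the http-01 path as in post #10.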


#13

Yup, that was the case. I found one server that was built in May, and renewed in Nov w/ tls-sni, and is now on certbot 0.28.0 doing http-01. Going to create a new issue about a quirk I am seeing.


#14

Are redirects from HTTP to HTTPS during certificate renewals considered to be HTTP-01 or TLS-SNI-01 currently? Are those redirects still supported after support for TLS-SNI-01 has been removed entirely?

There were questions around those redirects in the past and they mentioned those as supported:

I don’t think all of this is necessary. The HTTP-01 validator is willing to follow redirects, including redirects to HTTPS. I think a number of people have continued to use webroot successfully on servers that perform a blanket redirect from the HTTP site to the HTTPS site.



#15

It’s still HTTP-01.

(HTTP-01 and TLS-SNI-01 are actually completely different technically: HTTP-01 does an HTTP (or HTTPS) request for a special file, while TLS-SNI-01 does a TLS handshake for a special hostname and special certificate.)

Yes.


#16

Certbot until 0.28.0 would prefer tls-sni if available, but supported http-01.

The docs about Getting certificates (and choosing plugins) still mention TLS-SNI-01 as the preferred method in the table for apache and nginx. Shouldn’t that be changed already because Certbot 0.28 has already been released or is that table updated after February 13th?


#17

Thanks! We’ll get that fixed.