Hi, I just received an email from LE that looks like this:
Hello,
Action is required to prevent your Let's Encrypt certificate renewals from breaking.
Your Let’s Encrypt client used ACME TLS-SNI-01 domain validation to issue a certificate in the past 60 days.
TLS-SNI-01 validation is reaching end-of-life and will stop working on February 13th, 2019.
You need to update your ACME client to use an alternative validation method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your certificate renewals will break and existing certificates will start to expire.
If you need help updating your ACME client, please open a new topic in the Help category of the Let's Encrypt community forum:
The problem is that I manage quite a few servers and it would be very helpful if the email also provided the domain name that was tried, so that I can know which client needs to be upgraded.
Yes, I just got one of these too and would love to be able to at least know which certificate/hostname(s) are affected. As someone at an organization that manages several hosts/certificates and has known about this for a while and (thought they) finished dealing with it, this would be greatly appreciated.
This is especially a nightmare for software with built-in autocert. Whether the domain has been using TLS-SNI or TLS-ALPN depends entirely on arbitrary circumstances that are completely opaque to end-users. When you have dozens (or more) of servers, an audit is a practical impossibility.
A follow-up email or query interface would be greatly appreciated.
I am a little confused by this, too. I just went through all of my servers, and did a sudo certbot renew --dry-run, and all of them said they were doing http-01 challenges.
Certbot until 0.28.0 would prefer tls-sni if available, but supported http-01. So it's possible that your Certbot instance renewed within the last 60 days using tls-sni, but you have since upgraded to 0.28.0 or above, which will default to http-01. So in your situation, I think no action is needed. If any certificate does get close to its expiration (20 days) you'll get an email about it.
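For anyone with many hosts who wants to answer "which server actually validated with tls-sni-01, and is it still doing so?" without a dry run on each box, here is an added example (not from this thread and not Certbot's own code) that scans Certbot's log for the per-domain challenge lines. It assumes the format Certbot's auth_handler writes ("Performing the following challenges:" followed by "<type> challenge for <domain>"); the sample lines are constructed for the demo, not captured from a real host.

```python
"""Audit Certbot log lines for TLS-SNI-01 use (added example, not Certbot code).

Assumes the auth_handler log format shown in SAMPLE_LOG; the sample lines
themselves are constructed for this demo.
"""
import re

# One line per domain per validation, written right after
# "Performing the following challenges:". ISO timestamps sort as strings.
CHALLENGE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+:INFO:certbot\.auth_handler:"
    r"(?P<type>tls-sni-01|http-01|dns-01|tls-alpn-01) challenge for (?P<domain>\S+)$"
)

# Constructed sample: two renewals of example.net (tls-sni then http-01 after a
# Certbot upgrade), one host still on tls-sni, and a dns-01 host for contrast.
SAMPLE_LOG = """\
2018-11-02 03:14:07,201:INFO:certbot.auth_handler:Performing the following challenges:
2018-11-02 03:14:07,202:INFO:certbot.auth_handler:tls-sni-01 challenge for www.example.net
2018-11-02 03:14:07,202:INFO:certbot.auth_handler:tls-sni-01 challenge for example.net
2019-01-05 03:14:09,110:INFO:certbot.auth_handler:Performing the following challenges:
2019-01-05 03:14:09,111:INFO:certbot.auth_handler:tls-sni-01 challenge for legacy.example.com
2019-01-06 03:14:09,110:INFO:certbot.auth_handler:Performing the following challenges:
2019-01-06 03:14:09,111:INFO:certbot.auth_handler:http-01 challenge for www.example.net
2019-01-06 03:14:09,111:INFO:certbot.auth_handler:http-01 challenge for example.net
2019-01-06 03:14:09,111:INFO:certbot.auth_handler:dns-01 challenge for mail.example.org
"""


def challenge_events(log_text):
    """Yield (timestamp, challenge_type, domain) in file order (oldest first)."""
    for line in log_text.splitlines():
        m = CHALLENGE_RE.match(line)
        if m:
            yield m["ts"], m["type"], m["domain"]


def tls_sni_history(log_text, since="0000-00-00 00:00:00"):
    """Every tls-sni-01 validation at or after `since`: this is what triggers
    the 'used TLS-SNI-01 in the past 60 days' email even if you have since
    upgraded."""
    return [(ts, dom) for ts, typ, dom in challenge_events(log_text)
            if typ == "tls-sni-01" and ts >= since]


def last_challenge_per_domain(log_text):
    """{domain: (timestamp, challenge_type)} for each domain's newest validation;
    Certbot appends to the log, so the last matching line wins."""
    last = {}
    for ts, typ, dom in challenge_events(log_text):
        last[dom] = (ts, typ)
    return last


def domains_still_on_tls_sni(log_text):
    """Domains whose most recent validation used tls-sni-01: the clients that
    still need upgrading before the switch-off date."""
    return sorted(dom for dom, (_, typ) in last_challenge_per_domain(log_text).items()
                  if typ == "tls-sni-01")


if __name__ == "__main__":
    print("tls-sni-01 since 2018-12-01:", tls_sni_history(SAMPLE_LOG, "2018-12-01 00:00:00"))
    print("still on tls-sni-01:", domains_still_on_tls_sni(SAMPLE_LOG))  # ['legacy.example.com']
```

In practice you would concatenate the current log and its rotated copies from each host's Certbot log directory (by default /var/log/letsencrypt/) and feed the text to these functions; a host where tls_sni_history is non-empty but domains_still_on_tls_sni is empty matches the situation described above, where the email is expected but no action is needed.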
Yup, that was the case. I found one server that was built in May, and renewed in Nov w/ tls-sni, and is now on certbot 0.28.0 doing http-01. Going to create a new issue about a quirk I am seeing.
Are redirects from HTTP to HTTPS during certificate renewals considered to be HTTP-01 or TLS-SNI-01 currently? Are those redirects still supported after support for TLS-SNI-01 has been removed entirely?
There were questions around those redirects in the past and they mentioned those as supported:
I don’t think all of this is necessary. The HTTP-01 validator is willing to follow redirects, including redirects to HTTPS. I think a number of people have continued to use webroot successfully on servers that perform a blanket redirect from the HTTP site to the HTTPS site.
(HTTP-01 and TLS-SNI-01 are actually completely different technically: HTTP-01 does an HTTP (or HTTPS) request for a special file, while TLS-SNI-01 does a TLS handshake for a special hostname and special certificate.)
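To make the redirect point concrete, here is an added example (not part of this thread and not Let's Encrypt's validator) of a minimal HTTP-01 check that computes the RFC 8555 key authorization and follows a 3xx redirect to reach the challenge file, the way a site with a blanket HTTP-to-HTTPS redirect is validated. The account JWK, the token and the two local sites are constructed for the demo, and the "HTTPS" hop is a second plain-HTTP port on localhost because there is no certificate to serve offline.

```python
"""Mini HTTP-01 validator that follows redirects (added example, not Boulder).

The JWK, token and both local sites below are constructed stand-ins; the
'HTTPS' vhost is a second plain-HTTP port since no cert exists offline.
"""
import base64, hashlib, http.client, json, ssl, threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

CHALLENGE_PATH = "/.well-known/acme-challenge/"


def jwk_thumbprint(jwk):
    """RFC 7638: base64url(SHA-256(canonical JSON of the required JWK members))."""
    canonical = json.dumps(jwk, sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(hashlib.sha256(canonical).digest()).rstrip(b"=").decode()


def key_authorization(token, jwk):
    """RFC 8555 section 8.1: the exact body the challenge file must contain."""
    return token + "." + jwk_thumbprint(jwk)


def fetch_challenge(url, max_redirects=10, timeout=5):
    """GET url, following 3xx redirects like an HTTP-01 validator: bounded hop
    count, http/https targets only, and no certificate verification on an
    https hop (the site may not have a valid certificate yet)."""
    tls = ssl.create_default_context()
    tls.check_hostname, tls.verify_mode = False, ssl.CERT_NONE
    for _ in range(max_redirects + 1):
        p = urlsplit(url)
        if p.scheme == "https":
            conn = http.client.HTTPSConnection(p.hostname, p.port, timeout=timeout, context=tls)
        elif p.scheme == "http":
            conn = http.client.HTTPConnection(p.hostname, p.port, timeout=timeout)
        else:
            raise ValueError("refusing non-HTTP redirect target: " + url)
        try:
            conn.request("GET", (p.path or "/") + ("?" + p.query if p.query else ""))
            resp = conn.getresponse()
            body = resp.read()
        finally:
            conn.close()
        if resp.status in (301, 302, 303, 307, 308):
            location = resp.getheader("Location")
            if not location:
                raise ValueError("redirect without Location from " + url)
            url = urljoin(url, location)  # relative Locations resolve against the current URL
            continue
        if resp.status != 200:
            raise ValueError("HTTP %d from %s" % (resp.status, url))
        return body.decode("utf-8", "replace").strip()
    raise ValueError("too many redirects")


def validate_http01(site_base_url, token, account_jwk):
    """True iff the site ends up serving the expected key authorization."""
    try:
        return fetch_challenge(site_base_url + CHALLENGE_PATH + token) == key_authorization(token, account_jwk)
    except (ValueError, OSError):
        return False


class _RedirectingSite(BaseHTTPRequestHandler):
    """Stand-in for the port-80 vhost that blanket-redirects everything to HTTPS."""
    def do_GET(self):
        self.send_response(301)
        self.send_header("Location", self.server.target_base + self.path)
        self.end_headers()
    def log_message(self, *args):
        pass  # keep the demo quiet


class _ChallengeSite(BaseHTTPRequestHandler):
    """Stand-in for the HTTPS vhost whose webroot holds the challenge file."""
    def do_GET(self):
        body = self.server.files.get(self.path)
        self.send_response(200 if body is not None else 404)
        self.end_headers()
        if body is not None:
            self.wfile.write(body.encode())
    def log_message(self, *args):
        pass


def _serve(handler):
    srv = HTTPServer(("127.0.0.1", 0), handler)  # port 0: the OS picks a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def run_demo():
    """Returns (result with the right account key, result with a wrong key)."""
    jwk = {"e": "AQAB", "kty": "RSA", "n": "constructed-not-a-real-modulus"}  # constructed
    token = "constructed-token-evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ"             # constructed
    challenge_site = _serve(_ChallengeSite)
    challenge_site.files = {CHALLENGE_PATH + token: key_authorization(token, jwk)}
    http_site = _serve(_RedirectingSite)
    http_site.target_base = "http://127.0.0.1:%d" % challenge_site.server_address[1]
    base = "http://127.0.0.1:%d" % http_site.server_address[1]
    try:
        return (validate_http01(base, token, jwk),
                validate_http01(base, token, dict(jwk, n="some-other-key")))
    finally:
        http_site.shutdown()
        challenge_site.shutdown()


if __name__ == "__main__":
    print(run_demo())  # (True, False)
```

The point of the demo is the shape of the check: the validator only ever asks for a file under /.well-known/acme-challenge/ and compares its body to token.thumbprint, so a redirect to HTTPS is fine as long as the redirected request still lands on that file, and a wrong account key (the second result) fails even though the file is reachable. The production validator is stricter than this sketch in several respects (for example about which ports a redirect may target), so treat it as an illustration of the mechanism rather than a replacement for a real dry run.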
The docs about Getting certificates (and choosing plugins) still mention TLS-SNI-01 as the preferred method in the table for apache and nginx. Shouldn't that be changed already because Certbot 0.28 has already been released or is that table updated after February 13th?