Hi, I just received an email from LE that looks like this:
Action is required to prevent your Let's Encrypt certificate renewals from breaking.
Your Let’s Encrypt client used ACME TLS-SNI-01 domain validation to issue a certificate in the past 60 days.
TLS-SNI-01 validation is reaching end-of-life and will stop working on February 13th, 2019.
You need to update your ACME client to use an alternative validation method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your certificate renewals will break and existing certificates will start to expire.
If you need help updating your ACME client, please open a new topic in the Help category of the Let's Encrypt community forum:
Yes, I just got one of these too and would love to be able to at least know which certificate/hostname(s) are affected. As someone at an organization that manages several hosts/certificates and has known about this for a while and (thought they) finished dealing with it, this would be greatly appreciated.
This is especially a nightmare for software with built-in autocert. Whether the domain has been using TLS-SNI or TLS-ALPN depends entirely on arbitrary circumstances that are completely opaque to end-users. When you have dozens (or more) of servers, an audit is a practical impossibility.
A follow-up email or query interface would be greatly appreciated.
Certbot until 0.28.0 would prefer tls-sni if available, but supported http-01. So it's possible that your Certbot instance renewed within the last 60 days using tls-sni, but you have since upgraded to 0.28.0 or above, which will default to http-01. So in your situation, I think no action is needed. If any certificate does get close to its expiration (20 days) you'll get an email about it.
Are redirects from HTTP to HTTPS during certificate renewals considered to be HTTP-01 or TLS-SNI-01 currently? Are those redirects still supported after support for TLS-SNI-01 has been removed entirely?
There were questions around those redirects in the past and they mentioned those as supported:
I don’t think all of this is necessary. The HTTP-01 validator is willing to follow redirects, including redirects to HTTPS. I think a number of people have continued to use webroot successfully on servers that perform a blanket redirect from the HTTP site to the HTTPS site.
(HTTP-01 and TLS-SNI-01 are actually completely different technically: HTTP-01 does an HTTP (or HTTPS) request for a special file, while TLS-SNI-01 does a TLS handshake for a special hostname and special certificate.)
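As an added example (not code from this thread, nor from Certbot or Let's Encrypt), here is a minimal HTTP-01 check in Python that mirrors what the validator described above does: it computes the key authorization (token plus the RFC 7638 thumbprint of the account key), fetches the challenge file over plain HTTP, follows redirects to http/https targets (so an HTTP to HTTPS redirect is fine) and compares the body. The sample JWK values are constructed placeholders, and the function names are assumptions; the CA's real validator applies further restrictions that this does not reproduce.

```python
import base64
import hashlib
import json
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Constructed sample account key (public JWK only); the coordinates are placeholders, not a real key.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}

def b64url(raw: bytes) -> str:
    """Base64url without padding, as used throughout ACME."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required members, keys sorted, no whitespace."""
    required = ("e", "kty", "n") if jwk["kty"] == "RSA" else ("crv", "kty", "x", "y")
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())

def key_authorization(token: str, jwk: dict) -> str:
    """The exact body the validator expects at /.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(jwk)}"

def redirect_allowed(newurl: str) -> bool:
    """HTTP-01 follows redirects, including HTTP -> HTTPS, but only to http/https targets."""
    return urlsplit(newurl).scheme in ("http", "https")

class _ChallengeRedirects(urllib.request.HTTPRedirectHandler):
    """Record each hop and refuse redirects to other schemes (ftp:, file:, ...)."""
    def __init__(self):
        self.hops = []

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if not redirect_allowed(newurl):
            raise urllib.error.HTTPError(newurl, code, "redirect target must be http(s)", headers, fp)
        self.hops.append(newurl)
        return super().redirect_request(req, fp, code, msg, headers, newurl)

def validate_http01(host: str, token: str, jwk: dict, port: int = 80) -> dict:
    """Fetch the challenge over plain HTTP (as the CA does), follow redirects, compare the body."""
    handler = _ChallengeRedirects()
    opener = urllib.request.build_opener(handler)
    with opener.open(f"http://{host}:{port}/.well-known/acme-challenge/{token}", timeout=10) as resp:
        body = resp.read(1024).decode("ascii", "replace").strip()
        final_url = resp.geturl()
    return {"valid": body == key_authorization(token, jwk), "hops": handler.hops, "final_url": final_url}
```

Running `validate_http01("example.org", token, jwk)` against a host that redirects port 80 to HTTPS reports the hop in `hops` and still returns `valid: True` as long as the HTTPS site serves the key authorization.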