"Your Let’s Encrypt client used ACME TLS-SNI-01..." Which one?

Hi, I just received an email from LE that looks like this:

Hello,

Action is required to prevent your Let’s Encrypt certificate renewals from breaking.

Your Let’s Encrypt client used ACME TLS-SNI-01 domain validation to issue a certificate in the past 60 days.

TLS-SNI-01 validation is reaching end-of-life and will stop working on February 13th, 2019.

You need to update your ACME client to use an alternative validation method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your certificate renewals will break and existing certificates will start to expire.

If you need help updating your ACME client, please open a new topic in the Help category of the Let’s Encrypt community forum:

https://community.letsencrypt.org/c/help

Please answer all of the questions in the topic template so we can help you.

For more information about the TLS-SNI-01 end-of-life please see our API announcement:

February 13, 2019: End-of-Life for All TLS-SNI-01 Validation Support

Thank you,
Let’s Encrypt Staff

The problem is that I manage quite a few servers and it would be very helpful if the email also provided the domain name that was tried, so that I can know which client needs to be upgraded.

Thanks.

7 Likes

@jsha, are there any more of these going out in the future so that it might be possible to add additional information to subsequent iterations?

1 Like

Yes, I just got one of these too and would love to be able to at least know which certificate/hostname(s) are affected. As someone at an organization that manages several hosts/certificates and has known about this for a while and (thought they) finished dealing with it, this would be greatly appreciated.

This. We have around 50 Let’s Encrypt certificates in play and now have no idea which of them is going to stop renewing.

I’m the same boat: what is the domain the e-mail refers to? How to find out?

Thanks,

P.

Hi @drcongo

check your config / renew files

/etc/letsencrypt/renewal

if there is “standalone” (unclear) or “tls-sni” (critical).

This is especially a nightmare for software with built-in autocert. Whether the domain has been using TLS-SNI or TLS-ALPN depends entirely on arbitrary circumstances that are completely opaque to end-users. When you have dozens (or more) of servers, an audit is a practical impossibility.

A follow-up email or query interface would be greatly appreciated.

1 Like

I really need that followup email because i got to many servers to check.

Hi @palmeros

use the normal text search with your config files:

standalone (perhaps critical)
tls-sni (critical).

So you see, if this is a problem.

1 Like

I am a little confused by this, too. I just went through all of my servers, and did a sudo certbot renew --dry-run, and all of them said they were doing http-01 challenges.

Yep, we’re going to send a second round of emails that will include domain names. Very sorry for the trouble.

4 Likes

Certbot until 0.28.0 would prefer tls-sni if available, but supported http-01. So it’s possible that your Certbot instance renewed within the last 60 days using tls-sni, but you have since upgraded to 0.28.0 or above, which will default to http-01. So in your situation, I think no action is needed. If any certificate does get close to its expiration (20 days) you’ll get an email about it.

1 Like

Yup, that was the case. I found one server that was built in May, and renewed in Nov w/ tls-sni, and is now on certbot 0.28.0 doing http-01. Going to create a new issue about a quirk I am seeing.

1 Like

Are redirects from HTTP to HTTPS during certificate renewels considered to be HTTP-01 or TLS-SNI-01 currently? Are those redirects still supported after support for TLS-SNI-01 has been removed entirely?

There were questions around those redirects in the past and they mentioned those as supported:

I don’t think all of this is necessary. The HTTP-01 validator is willing to follow redirects, including redirects to HTTPS. I think a number of people have continued to use webroot successfully on servers that perform a blanket redirect from the HTTP site to the HTTPS site.


It’s still HTTP-01.

(HTTP-01 and TLS-SNI-01 are actually completely different technically: HTTP-01 does an HTTP (or HTTPS) request for a special file, while TLS-SNI-01 does a TLS handshake for a special hostname and special certificate.)

Yes.

2 Likes

Certbot until 0.28.0 would prefer tls-sni if available, but supported http-01.

The docs about Getting certificates (and choosing plugins) still mention TLS-SNI-01 as the preferred method in the table for apache and nginx. Shouldn’t that be changed already because Certbot 0.28 has already been released or is that table updated after February 13th?

4 Likes

Thanks! We’ll get that fixed.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.