On 29 Jan 2019, at 10:25, Kevin A. McGrail wrote:
FYI, I think this is your territory, Dave
Bill had some interesting experience with the issue so cc'ing him.
Only "interesting" because I didn't trust the simplicity of the fix.
All I had to do on a fairly recent Certbot/CentOS7 installation was to
update the Certbot package and related Python packages (all in EPEL) and
verify that nothing in the config referenced tls-sni-01 explicitly.
Running 'certbot renew --dry-run' ran happily. This was all in the
LE/Certbot docs referenced in the warning message.
What confused me was that the Apache server in question had a stack of
vhosts, all of which had all port 80 requests redirected (via
mod_rewrite) to their port 443 siblings, all of which required "Basic"
authentication. The LE/Certbot information states that port 80 is
required for http-01 verification, so I didn't see how it could work and
did not see direct evidence of what certbot was doing. Upon closer
investigation, I found that it temporarily wraps the vhost config with a
mod_rewrite redirection of the challenge URL path, cleaning up after
itself when done. A few directories got modified, but no remaining files
were, so the only clear evidence of this was in the certbot debug log.
In short: I expected a failure that I'd need to work around but that
didn't happen. It just worked.
-------- Forwarded Message --------
Subject: Action required: Let's Encrypt certificate renewals
Date: Tue, 29 Jan 2019 02:14:39 +0000
From: [email protected]
Reply-To: [email protected]
To: [email protected]
Hello,
Action may be required to prevent your Let's Encrypt certificate
renewals
from breaking.
If you already received a similar e-mail, this one contains updated
information.
Your Let's Encrypt client used ACME TLS-SNI-01 domain validation to
issue
a certificate in the past 60 days. Below is a list of names and IP
addresses validated (max of one per account):
ruleqa.spamassassin.org (62.210.60.231) on 2018-11-23
TLS-SNI-01 validation is reaching end-of-life. It will stop working
temporarily on February 13th, 2019, and permanently on March 13th,
2019.
Any certificates issued before then will continue to work for 90 days
after their issuance date.
You need to update your ACME client to use an alternative validation
method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your
certificate renewals will break and existing certificates will start
to
expire.
Our staging environment already has TLS-SNI-01 disabled, so if you'd
like
to test whether your system will work after February 13, you can run
against staging: https://letsencrypt.org/docs/staging-environment/
If you're a Certbot user, you can find more information here:
https://community.letsencrypt.org/t/how-to-stop-using-tls-sni-01-with-certbot/83210
Our forum has many threads on this topic. Please search to see if your
question has been answered, then open a new thread if it has not:
https://community.letsencrypt.org/
For more information about the TLS-SNI-01 end-of-life please see our
API
announcement:
https://community.letsencrypt.org/t/february-13-2019-end-of-life-for-all-tls-sni-01-validation-support/74209
Thank you,
Let's Encrypt Staff
--
Bill Cole
