D
D
Developer2019-02-01 10:08:57
Digital certificates
Developer, 2019-02-01 10:08:57

What is this letter from Let's Encrypt about?

Hi all.
I have several domains, they have SSL certificates from Let's Encrypt and they have been updated themselves through certbot every three months for several years now.
But since the beginning of this year, letters from Let's Encrypt began to come to all my domains with the following content:

Hello,

Action may be required to prevent your Let's Encrypt certificate renewals
from breaking.

If you already received a similar e-mail, this one contains updated
information.

Your Let's Encrypt client used ACME TLS-SNI-01 domain validation to issue
a certificate in the past 60 days. Below is a list of names and IP
addresses validated (max of one per account):

 www.yoursite.domain (333.333.555.777) on 2018-11-29

TLS-SNI-01 validation is reaching end-of-life. It will stop working
temporarily on February 13th, 2019, and permanently on March 13th, 2019.
Any certificates issued before then will continue to work for 90 days
after their issuance date.

You need to update your ACME client to use an alternative validation
method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your
certificate renewals will break and existing certificates will start to
expire.

Our staging environment already has TLS-SNI-01 disabled, so if you'd like
to test whether your system will work after February 13, you can run
against staging: https://letsencrypt.org/docs/staging-environment/

If you're a Certbot user, you can find more information here:
https://community.letsencrypt.org/t/how-to-stop-using-tls-sni-01-with-certbot/83210

Our forum has many threads on this topic. Please search to see if your
question has been answered, then open a new thread if it has not:
https://community.letsencrypt.org/

For more information about the TLS-SNI-01 end-of-life please see our API
announcement:
https://community.letsencrypt.org/t/february-13-2019-end-of-life-for-all-tls-sni-01-validation-support/74209

Thank you,
Let's Encrypt Staff

Why are they sending these letters?
Do I need to worry and start studying what's inside these "TLS-SNI-01, HTTP-01, DNS-01 or TLS-ALPN-01" and other things?

Answer the question

In order to leave comments, you need to log in

1 answer(s)
K
ky0, 2019-02-01
@samodum

TLS-SNI-01 validation is reaching end-of-life. It will stop working
temporarily on February 13th, 2019, and permanently on March 13th, 2019.
You need to update your ACME client to use an alternative validation
method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your
certificate renewals will break and existing certificates will start to
expire.

It is not necessary to study anything, you need to update the client and make sure that it correctly confirms ownership of the domain using any of the relevant methods. In the case of HTTP-01, it is sufficient that the web server handles LE service requests equally on ports 80 and 443:
tls-sni-01 used port 443, but http-01 uses port 80. Ideally your web server should allow both ports. If that's not possible, for instance because your ISP blocks port 80, you'll need to switch to the dns-01 challenge, or use an ACME client that supports tls-alpn-01.

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question