Konstantin Narkhov
Pheix 0.8.96
@condemnedcell
konstantinnarkhov.pro

Let's Encrypt and TLS-SNI-01 end-of-life

5 february, 2019


A few weeks ago I’ve got an email from Let's Encrypt with detailed info about ACME client issue:

Your Let’s Encrypt client used ACME TLS-SNI-01 domain validation to issue a certificate in the past 60 days.

TLS-SNI-01 validation is reaching end-of-life and will stop working on February 13th, 2019.

You need to update your ACME client to use an alternative validation method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your certificate renewals will break and existing certificates will start to expire.

By a quick look I have understood that this issue could not be resolved easily and decided take pause and to go back a few time later.

So yesterday I’ve investigated this issue, fixed it on my VPS and now posting the solution.


What is ACME Client

This definition has taken from Wikipedia: The Automatic Certificate Management Environment (ACME) protocol is a communications protocol for automating interactions between certificate authorities and their users' web servers. So, ACME client is the utility on your server, that’s comminicating with Let's Encrypt certificate authority service, i.e. certbot.

On my VPS (Debian 9.4) certbot 0.10.2-1 was installed. But this version used ACME TLS-SNI-01 domain validation and now marked as potentially vulnerable.


It’s time to action

Action plan is simple: update certbot. The problem is that the stable certbot for Debian 9.4 is vulnerable certbot 0.10.2-1. You should activate backport repos to update to secure certbot 0.28.0.

Follow these instructions to activate backport repos. Shortly:

sudo echo "deb http://ftp.debian.org/debian stretch-backports main" > /etc/apt/sources.list.d/backports.list
sudo apt-get update

And update your certbot:

sudo apt-get install certbot python-certbot-nginx -t stretch-backports

Check your updated certbot version:

certbot --version

Credits

Update certbot for Debian 9 with nginx

Let's Encrypt community thread about TLS-SNI-01 end-of-life

Let's Encrypt support page

Blog entries

Check out latest blog entries: most interesting stories about past events & activities.

Quick feedback

Letters and spaces only