Let's Encrypt and TLS-SNI-01 end-of-life
5 February 2019
A few weeks ago I got an email from Let's Encrypt with detailed info about an ACME client issue:
Your Let’s Encrypt client used ACME TLS-SNI-01 domain validation to issue a certificate in the past 60 days.
TLS-SNI-01 validation is reaching end-of-life and will stop working on February 13th, 2019.
You need to update your ACME client to use an alternative validation method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your certificate renewals will break and existing certificates will start to expire.
From a quick look I understood that this issue could not be resolved easily, so I decided to take a pause and come back to it a bit later.
So yesterday I investigated this issue, fixed it on my VPS, and am now posting the solution.
What is an ACME client
This definition is taken from Wikipedia: The Automatic Certificate Management Environment (ACME) protocol is a communications protocol for automating interactions between certificate authorities and their users' web servers. So, an ACME client is the utility on your server that communicates with the Let's Encrypt certificate authority service, e.g. certbot.
On my VPS (Debian 9.4) certbot 0.10.2-1 was installed. The nginx plugin in that version only knows how to prove domain ownership with TLS-SNI-01, and Let's Encrypt is retiring that validation method: once it stops working on February 13th, 2019, every renewal done by this certbot fails and the certificates expire.
Time for action
The action plan is simple: update certbot. The problem is that the certbot shipped in Debian 9 stable (stretch) is 0.10.2-1, which still depends on TLS-SNI-01. You need to enable the stretch-backports repository to update to certbot 0.28.0, whose nginx plugin uses HTTP-01 by default.
Follow these instructions to enable the backports repository. In short:
sudo apt-get update
Then update certbot:
Check the updated certbot version:
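The whole procedure as one script, as an added example that is not part of the original post: it enables stretch-backports, installs certbot 0.28.0 with the nginx plugin, and adds the two checks I would want before February 13th: whether the installed certbot is older than 0.28.0, and whether any renewal config under /etc/letsencrypt/renewal still names tls-sni-01 explicitly (a leftover --preferred-challenges setting survives the upgrade and would still break renewals). The helper function names, the sources.list filename and the sample renewal config are my own assumptions; the package names and version numbers are the ones the post refers to.

```shell
#!/bin/sh
# Added example (not from the original post): upgrade certbot 0.10.2-1 on
# Debian 9 to 0.28.0 from stretch-backports and check that nothing still
# depends on TLS-SNI-01. Run with --apply as root to perform the upgrade;
# without arguments it only defines the check functions.

MIN_CERTBOT="0.28.0"   # first release whose nginx plugin defaults to HTTP-01

# version_lt A B: true when dotted numeric version A is older than B.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        if [ "$a" = "$ai" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$bi" ]; then b=; else b=${b#*.}; fi
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
    done
    return 1
}

# Extract "X.Y.Z" from `certbot --version 2>&1` output such as "certbot 0.10.2".
certbot_version_of() {
    printf '%s\n' "$1" | sed -n 's/^certbot \([0-9][0-9.]*\).*/\1/p'
}

# True when the certbot described by its --version output is older than
# MIN_CERTBOT (unparsable output is treated as needing an upgrade).
certbot_needs_upgrade() {
    ver=$(certbot_version_of "$1")
    [ -n "$ver" ] || return 0
    version_lt "$ver" "$MIN_CERTBOT"
}

# True when any renewal config in the directory (default: certbot's own
# /etc/letsencrypt/renewal) still references tls-sni; lists the files found.
renewal_references_tls_sni() {
    dir=${1:-/etc/letsencrypt/renewal}
    found=1
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        if grep -qi 'tls-sni' "$f"; then
            echo "TLS-SNI-01 still referenced in $f (edit pref_challs)"
            found=0
        fi
    done
    return $found
}

# Constructed sample (not copied from a real host): a renewal config that was
# created with --preferred-challenges tls-sni-01 on certbot 0.10.x. Writes it
# to a temporary directory and prints the directory name.
make_sample_renewal_dir() {
    d=$(mktemp -d)
    cat > "$d/example.com.conf" <<'EOF'
version = 0.10.2
archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/cert.pem
[renewalparams]
authenticator = nginx
installer = nginx
pref_challs = tls-sni-01,
EOF
    printf '%s\n' "$d"
}

# The upgrade itself (Debian 9 with nginx, run as root).
upgrade_certbot() {
    echo 'deb http://deb.debian.org/debian stretch-backports main' \
        > /etc/apt/sources.list.d/stretch-backports.list   # assumed filename
    apt-get update
    apt-get install -y -t stretch-backports certbot python-certbot-nginx
    certbot --version                    # expect certbot 0.28.0
    if renewal_references_tls_sni; then
        echo "remove tls-sni-01 from pref_challs in the files above first" >&2
        return 1
    fi
    certbot renew --dry-run              # proves HTTP-01 renewal end to end
}

if [ "${1:-}" = "--apply" ]; then
    upgrade_certbot
fi
```

The dry run is the part worth not skipping: a successful `certbot renew --dry-run` against the staging environment is the only direct evidence that the new challenge type works with your nginx configuration before the real renewal is due.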
Update certbot for Debian 9 with nginx
Let's Encrypt community thread about TLS-SNI-01 end-of-life