tls-sni deprecation

[samm-git]

According to https://community.letsencrypt.org/t/important-what-you-need-to-know-about-tls-sni-validation-issues/50811 it seems that TLS-SNI-01 is deprecated now. In Acmetool it is default validation method (with HTTP-01 having lower preference).

Should it be deprecated/blocked in acmetool as well? What is a status of the DNS-01 validation? Any plans to implement TLS-ALPN-01?

Short summary:

• Lets Encrypt now supports: HTTP-01, DNS-01 and TLS-ALPN-01 validation methods
• acmetool supports only HTTP-01 and TLS-SNI-01 (which is now deprecated due to security issues)

[samm-git]

Additional information: https://community.letsencrypt.org/t/february-13-2019-end-of-life-for-all-tls-sni-01-validation-support/74209

[inos-github]

I haven’t found any option to set the validation method in acmetool - how can I switch from TLS-SNI-01 to HTTP-01?
Thanks for any hint!

[samm-git]

@inos-github from what i see - if you using challenge-based auth it would be http-01. If you using it in a "proxy" mode - that would probably be SNI-01

[haraldkoch]

FYI I use DNS challenges with ISC BIND for several hosts that are behind a firewall (but have external DNS) - works fine for me.

[samm-git]

@haraldkoch are you using acmev2 branch?

[haraldkoch]

I am not; still on master.

[samm-git]

@haraldkoch but master do not have DNS validation support

[haraldkoch]

@samm-git https://hlandau.github.io/acme/userguide#challenge-hooks and https://github.com/hlandau/acme/blob/master/_doc/dns.hook

[inos-github]

@samm-git thanks for the advice. I'm using the challenge option via http without a proxy so it should be http-01 however I've received a mail from let's encrypt saying I'm still on SNI-01...

[samm-git]

@inos-github i got similar alert but i think that it is not correct and could be a problem on LE side