
How to resolve TLS SNI deprecation

Daisho Komiyama edited this page Jan 28, 2019 · 2 revisions

In January 2019, I received this email from the Let's Encrypt team.

Hello, Action may be required to prevent your Let's Encrypt certificate renewals from breaking. If you already received a similar e-mail, this one contains updated information.

Your Let's Encrypt client used ACME TLS-SNI-01 domain validation to issue a certificate in the past 60 days. Below is a list of names and IP addresses validated (max of one per account):

www.quebec3.com (107...**) on 2019-01-04

TLS-SNI-01 validation is reaching end-of-life. It will stop working temporarily on February 13th, 2019, and permanently on March 13th, 2019. Any certificates issued before then will continue to work for 90 days after their issuance date.

You need to update your ACME client to use an alternative validation method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your certificate renewals will break and existing certificates will start to expire.

Our staging environment already has TLS-SNI-01 disabled, so if you'd like to test whether your system will work after February 13, you can run against staging: https://letsencrypt.org/docs/staging-environment/

If you're a Certbot user, you can find more information here: https://community.letsencrypt.org/t/how-to-stop-using-tls-sni-01-with-certbot/83210

Our forum has many threads on this topic. Please search to see if your question has been answered, then open a new thread if it has not: https://community.letsencrypt.org/

For more information about the TLS-SNI-01 end-of-life please see our API announcement: https://community.letsencrypt.org/t/february-13-2019-end-of-life-for-all-tls-sni-01-validation-support/74209

Thank you,
Let's Encrypt Staff

I was honestly a bit freaked out, because I knew I had little knowledge about certificates and server stuff. I had introduced HTTPS to a few of my websites all by myself, but I just followed instructions that I'd found online.

Anyway, I had to solve this problem myself, and here's what I did.

I checked out the FAQ thread (How to resolve TLS-SNI deprecation), and from there I was directed to this site for more information that suited my case: certbot.

So, following the instructions from the second website, here's what I did.

  • Logged in to my server via ssh
  • Ran the command `sudo certbot renew --dry-run` (as I'd already installed certbot)

And this message was returned:

```
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/quebec3.com.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for quebec3.com
http-01 challenge for www.quebec3.com
Waiting for verification...
Cleaning up challenges

new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/quebec3.com/fullchain.pem

Processing /etc/letsencrypt/renewal/mybrailler.com.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mybrailler.com
http-01 challenge for www.mybrailler.com
Waiting for verification...
Cleaning up challenges

new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/mybrailler.com/fullchain.pem

** DRY RUN: simulating 'certbot renew' close to cert expiry **
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/quebec3.com/fullchain.pem (success)
  /etc/letsencrypt/live/mybrailler.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry **
**          (The test certificates above have not been saved.)
```


I'm not 100% sure, but reading the message above, it seems the server tries to use http-01, and that validation method is one of those recommended in the email, so it should be fine! (fingers crossed)
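Two checks that make the "fingers crossed" step deterministic, as an added example (this is not code from the original page, from certbot or from Let's Encrypt): first, scan the renewal configs under `/etc/letsencrypt/renewal/` for a `pref_challs` line that still lists `tls-sni-01` (certbot writes that key when `--preferred-challenges` was used, and it survives every renewal); second, pull the challenge types out of a saved dry-run log instead of eyeballing it. The config contents, the log and the `example.test` names are constructed for the demo; the functions work unchanged on real files.

```shell
#!/bin/sh
# Added example, not code from the original page, certbot or Let's Encrypt.
# 1. check_renewal_conf: does a certbot renewal config still prefer tls-sni-01?
# 2. strip_tls_sni:      write a copy with tls-sni-01 removed from pref_challs.
# 3. challenges_in_log:  which challenge types did 'certbot renew --dry-run' run?
# All sample files below are constructed for this demo.

# Challenge types that appear as "<type> challenge for <name>" lines in a
# certbot log ($1), one per line, deduplicated.
challenges_in_log() {
    sed -n 's/^\([a-z][a-z0-9-]*-01\) challenge for .*/\1/p' "$1" | sort -u
}

# "NEEDS_FIX" if renewal config $1 lists tls-sni-01 in pref_challs, else "OK".
# An absent pref_challs means certbot uses its defaults, which is what you
# want on certbot 0.28 or newer (the release the Let's Encrypt guidance asks
# for); confirm the installed version with 'certbot --version'.
check_renewal_conf() {
    if grep -Eq '^pref_challs[[:space:]]*=.*tls-sni-01' "$1"; then
        echo "NEEDS_FIX"
    else
        echo "OK"
    fi
}

# Copy of config $1 with tls-sni-01 dropped from pref_challs, written to $2
# (the original is left untouched so you can diff before replacing it).
# If tls-sni-01 was the only preference, the whole line is removed so that
# certbot falls back to its defaults instead of an empty preference list.
strip_tls_sni() {
    sed -E '/^pref_challs[[:space:]]*=/{
s/tls-sni-01[[:space:]]*,?[[:space:]]*//
s/,[[:space:]]*$//
/^pref_challs[[:space:]]*=[[:space:]]*$/d
}' "$1" > "$2"
}

SAMPLE_DIR=$(mktemp -d)

# Constructed renewal config in certbot's format that still prefers tls-sni-01.
cat > "$SAMPLE_DIR/old.conf" <<'EOF'
# renew_before_expiry = 30 days
version = 0.26.1
archive_dir = /etc/letsencrypt/archive/example.test
cert = /etc/letsencrypt/live/example.test/cert.pem

# Options used in the renewal process
[renewalparams]
authenticator = nginx
installer = nginx
server = https://acme-v02.api.letsencrypt.org/directory
pref_challs = tls-sni-01, http-01
EOF

# Constructed config that never set a preference.
cat > "$SAMPLE_DIR/new.conf" <<'EOF'
version = 0.28.0
[renewalparams]
authenticator = nginx
installer = nginx
server = https://acme-v02.api.letsencrypt.org/directory
EOF

# Constructed dry-run log in the shape shown on this page.
cat > "$SAMPLE_DIR/dryrun.log" <<'EOF'
Plugins selected: Authenticator nginx, Installer nginx
Performing the following challenges:
http-01 challenge for example.test
http-01 challenge for www.example.test
Waiting for verification...
EOF

strip_tls_sni "$SAMPLE_DIR/old.conf" "$SAMPLE_DIR/old.fixed.conf"

for f in old new old.fixed; do
    printf '%s: %s\n' "$f.conf" "$(check_renewal_conf "$SAMPLE_DIR/$f.conf")"
done
printf 'dry run used: %s\n' "$(challenges_in_log "$SAMPLE_DIR/dryrun.log" | tr '\n' ' ')"
```

On a real host, run `sudo certbot renew --dry-run 2>&1 | tee /tmp/dryrun.log` and point `challenges_in_log` at that file (or at `/var/log/letsencrypt/letsencrypt.log`); any output other than `http-01`, `dns-01` or `tls-alpn-01` means the renewal path still depends on the retired challenge. Run `check_renewal_conf` over `/etc/letsencrypt/renewal/*.conf` rather than only the certificate named in the email, since the email lists at most one name per account.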
