Deprecation of the TLS-SNI challenge



  • Received this error when trying to renew my LE cert via Certbot

    Incorrect validation certificate for tls-sni-01 challenge.
    

    From Certbot's website:

    "Under the hood, plugins use one of several ACME protocol challenges to prove you control a domain. The options are http-01 (which uses port 80), tls-sni-01 (port 443) and dns-01 (requiring configuration of a DNS server on port 53, though that’s often not the same machine as your webserver). A few plugins support more than one challenge type, in which case you can choose one with --preferred-challenges."

    sudo certbot renew --preferred-challenges http worked. My question is, is just an http challenge the correct way to do this?



  • @wirestyle22 said in Deprecation of the TLS-SNI challenge:

    Received this error when trying to renew my LE cert via Certbot

    Incorrect validation certificate for tls-sni-01 challenge.
    

    From Certbot's website:

    "Under the hood, plugins use one of several ACME protocol challenges to prove you control a domain. The options are http-01 (which uses port 80), tls-sni-01 (port 443) and dns-01 (requiring configuration of a DNS server on port 53, though that’s often not the same machine as your webserver). A few plugins support more than one challenge type, in which case you can choose one with --preferred-challenges."

    sudo certbot renew --preferred-challenges http worked. My question is, is just an http challenge the correct way to do this?

    I just started doing my challenges through DNS but some might think it is not the best. For me it works with CloudFlare.



  • OH man - I need to look into this for my FreePBX system. I can't get the damned thing to auto authenticate because the firewall keeps blocking the LE servers. DNS verification would solve this!



  • @Dashrender said in Deprecation of the TLS-SNI challenge:

    OH man - I need to look into this for my FreePBX system. I can't get the damned thing to auto authenticate because the firewall keeps blocking the LE servers. DNS verification would solve this!

    Is the automatic FreePBX option not working for some reason?



  • @travisdh1 said in Deprecation of the TLS-SNI challenge:

    @Dashrender said in Deprecation of the TLS-SNI challenge:

    OH man - I need to look into this for my FreePBX system. I can't get the damned thing to auto authenticate because the firewall keeps blocking the LE servers. DNS verification would solve this!

    Is the automatic FreePBX option not working for some reason?

Nope - never has. The firewall always prevents it from running. LE has added tons of servers that aren't on my white list, and they are blocked instantly.



  • In Certbot 0.28.0 (the November 2018 release), Certbot will begin to prefer the HTTP-01 challenge type to the TLS-SNI-01 challenge type when both are available.

    Users who first obtained a certificate for their domain before January 2018 and have not changed the account they use to issue certificates for those domains may encounter issues when Certbot attempts to automatically renew their certificates.

    Certificates obtained for other domains since then have already been using the HTTP-01 validation method for initial issuance, and are unlikely to encounter new issues from this change.

    The Certbot team recommends that users test manually from the command line in advance of certificate expiry. To use the HTTP-01 challenge type regardless of Certbot version, add the flag --preferred-challenges http-01,dns-01 at the command line.

    For example:

    certbot renew --dry-run --preferred-challenges http-01,dns-01

Users encountering errors may need to fix their firewall settings to allow incoming connections on port 80. Some resources about configuring a firewall are available here for Debian and Ubuntu users, here for CentOS 7 users, and here for other Linux users.

    Between November and February (when the TLS-SNI-01 challenge type is deprecated at the server end), users who have been relying on TLS-SNI-01 can use the flag --preferred-challenges tls-sni-01 as a temporary patch to get a certificate quickly, before correcting the configuration.



  • @wirestyle22 so much to work on....

