spamassassin-sysadmins mailing list archives

From "Bill Cole" <>
Subject Re: Action required: Let's Encrypt certificate renewals
Date Tue, 29 Jan 2019 16:20:05 GMT
On 29 Jan 2019, at 10:25, Kevin A. McGrail wrote:

> FYI, I think this is your territory, Dave
> Bill had some interesting experience with the issue so cc'ing him.

Only "interesting" because I didn't trust the simplicity of the fix.

All I had to do on a fairly recent Certbot/CentOS7 installation was to 
update the Certbot package and related Python packages (all in EPEL) and 
verify that nothing in the config referenced tls-sni-01 explicitly. 
Running 'certbot renew --dry-run' ran happily. This was all in the 
LE/Certbot docs referenced in the warning message.

What confused me was that the Apache server in question had a stack of 
vhosts, all of which had all port 80 requests redirected (via 
mod_rewrite) to their port 443 siblings, all of which required "Basic" 
authentication. The LE/Certbot information states that port 80 is 
required for http-01 verification, so I didn't see how it could work and 
did not see direct evidence of what certbot was doing. Upon closer 
investigation, I found that it temporarily wraps the vhost config with a 
mod_rewrite redirection of the challenge URL path, cleaning up after 
itself when done. A few directories got modified, but no remaining files 
were, so the only clear evidence of this was in the certbot debug log.

In short: I expected a failure that I'd need to work around but that 
didn't happen. It just worked.

> -------- Forwarded Message --------
> Subject: Action required: Let's Encrypt certificate renewals
> Date: Tue, 29 Jan 2019 02:14:39 +0000
> From:
> Reply-To:
> To:
>
> Hello,
>
> Action may be required to prevent your Let's Encrypt certificate renewals
> from breaking.
>
> If you already received a similar e-mail, this one contains updated
> information.
>
> Your Let's Encrypt client used ACME TLS-SNI-01 domain validation to issue
> a certificate in the past 60 days. Below is a list of names and IP
> addresses validated (max of one per account):
>
> ( on 2018-11-23
>
> TLS-SNI-01 validation is reaching end-of-life. It will stop working
> temporarily on February 13th, 2019, and permanently on March 13th, 2019.
> Any certificates issued before then will continue to work for 90 days
> after their issuance date.
>
> You need to update your ACME client to use an alternative validation
> method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your
> certificate renewals will break and existing certificates will start to
> expire.
>
> Our staging environment already has TLS-SNI-01 disabled, so if you'd like
> to test whether your system will work after February 13, you can run
> against staging:
>
> If you're a Certbot user, you can find more information here:
>
> Our forum has many threads on this topic. Please search to see if your
> question has been answered, then open a new thread if it has not:
>
> For more information about the TLS-SNI-01 end-of-life please see our
> announcement:
>
> Thank you,
> Let's Encrypt Staff

Bill Cole
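The "verify that nothing in the config referenced tls-sni-01 explicitly" step above, as an added example that is not part of the thread or of Certbot itself: it parses Certbot's per-lineage renewal files (assumed to live under /etc/letsencrypt/renewal/*.conf, INI-like, with the preferred-challenge list in a `pref_challs` option of the `[renewalparams]` section) and reports any lineage still naming the retired method. The sample config is constructed.

```python
"""Flag Certbot renewal configs that still prefer TLS-SNI-01.

Added example, not code from the mailing list or from Certbot. Assumes the
renewal-file layout described in the lead-in; the directory and the sample
content below are constructed.
"""
import configparser
import glob
import os
from typing import Dict, List

RETIRED = "tls-sni-01"


def challenge_refs(conf_text: str) -> Dict[str, List[str]]:
    """Return {option: values} for [renewalparams] options naming tls-sni-01."""
    parser = configparser.ConfigParser(interpolation=None)
    # Renewal files start with top-level keys before any section header;
    # a dummy section makes configparser accept that prefix.
    parser.read_string("[lineage]\n" + conf_text)
    hits: Dict[str, List[str]] = {}
    if parser.has_section("renewalparams"):
        for key, raw in parser.items("renewalparams"):
            values = [v.strip() for v in raw.split(",") if v.strip()]
            if RETIRED in values:
                hits[key] = values
    return hits


def scan_renewal_dir(directory: str = "/etc/letsencrypt/renewal"):
    """Map lineage name -> offending options for every *.conf in directory."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for path in sorted(glob.glob(os.path.join(directory, "*.conf"))):
        with open(path, encoding="utf-8") as fh:
            hits = challenge_refs(fh.read())
        if hits:
            report[os.path.basename(path)[:-len(".conf")]] = hits
    return report


# Constructed sample of a renewal file that still prefers the retired method.
SAMPLE_CONF = """\
version = 0.30.2
archive_dir = /etc/letsencrypt/archive/mail.example.org
cert = /etc/letsencrypt/live/mail.example.org/cert.pem
[renewalparams]
authenticator = apache
installer = apache
pref_challs = tls-sni-01, http-01
"""

if __name__ == "__main__":
    for lineage, hits in scan_renewal_dir().items():
        print(f"{lineage}: {hits}")
```

A lineage that shows up here needs its `pref_challs` changed (or the option removed so Certbot picks http-01) before `certbot renew --dry-run` is meaningful.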
