letsencrypt validation end-of-life. is it a problem?

Discussion in 'General' started by nhybgtvfr, Jan 28, 2019.

  1. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    A colleague got an email from letsencrypt about a site they've set up standalone, which contains the following:

    TLS-SNI-01 validation is reaching end-of-life. It will stop working
    temporarily on February 13th, 2019, and permanently on March 13th, 2019.
    Any certificates issued before then will continue to work for 90 days
    after their issuance date.
    You need to update your ACME client to use an alternative validation
    method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your
    certificate renewals will break and existing certificates will start to

    More info here: https://community.letsencrypt.org/t/how-to-stop-using-tls-sni-01-with-certbot/83210
    which also states:
    If the version is less than 0.28, you need to upgrade your Certbot. Visit https://certbot.eff.org/ and follow the instructions for your webserver and OS. It also mentions removing references to tls-sni-01 in files in /etc/letsencrypt/renewal.

    Having checked, there are no such references, but the certbot version from the Ubuntu 18.04 repo is 0.23.
    Is this anything we need to be worried about? Or does ISPConfig configure letsencrypt in a way that already avoids this issue?
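    The two checks quoted above (no tls-sni-01 left in the renewal configs, certbot at least 0.28) as a small POSIX shell audit, added here as an example and not taken from the thread, certbot or ISPConfig; the renewal directory and config contents it runs on are constructed for the demo, and it assumes `certbot --version` prints "certbot X.Y.Z".

    ```shell
    #!/bin/sh
    # Added example: audit a certbot renewal directory for the retired
    # tls-sni-01 challenge and compare the certbot version against 0.28.
    # The demo directory and its two .conf files below are constructed.

    # Succeeds when dotted version $1 is at least $2 (e.g. 0.31.0 >= 0.28).
    version_at_least() {
        first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
        [ "$first" = "$2" ]
    }

    # Lists renewal configs in $1 that still select the retired challenge,
    # e.g. "pref_challs = tls-sni-01," in the [renewalparams] section.
    find_tls_sni_refs() {
        grep -il 'tls[-_]sni[-_]01' "$1"/*.conf 2>/dev/null || true
    }

    # Returns 0 when no config references tls-sni-01 and certbot >= 0.28;
    # otherwise prints what needs fixing and returns 1.
    check_renewal_readiness() {
        dir=$1; version=$2; ok=0
        refs=$(find_tls_sni_refs "$dir")
        if [ -n "$refs" ]; then
            printf 'tls-sni-01 still referenced in:\n%s\n' "$refs"; ok=1
        fi
        if ! version_at_least "$version" 0.28; then
            printf 'certbot %s is older than 0.28; upgrade before renewals break\n' "$version"; ok=1
        fi
        return $ok
    }

    # Demo on a constructed renewal directory, not a real server's files.
    demo_dir=$(mktemp -d)
    printf '[renewalparams]\nauthenticator = standalone\npref_challs = tls-sni-01,\n' > "$demo_dir/old-site.example.conf"
    printf '[renewalparams]\nauthenticator = webroot\n' > "$demo_dir/new-site.example.conf"
    # Use the installed certbot's version if present, else the 0.23 from the post.
    installed=""
    command -v certbot >/dev/null 2>&1 && installed=$(certbot --version 2>&1 | awk '{print $2}')
    check_renewal_readiness "$demo_dir" "${installed:-0.23}" && echo "ready" || echo "action needed"
    rm -rf "$demo_dir"
    ```

    On a real host point `check_renewal_readiness` at /etc/letsencrypt/renewal; a non-zero exit means either a config still prefers tls-sni-01 or certbot is too old.
    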
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  3. till

    till Super Moderator Staff Member ISPConfig Developer

    I don't expect any problems as TLS-SNI-01 is not used. Whether the old certbot version really is an issue or not is not easily foreseeable for me, but if they write that a newer version is required then this is probably the case. But it's not an ISPConfig specific issue. Probably Ubuntu will update certbot until then as Debian did a few days ago.
    ahrasis and elmacus like this.
  4. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    If tls-sni-01 isn't used then I don't think it'll be a problem, and certs will still work until their expiry date.
    I reckon I'll leave it till the 13th or 14th and try to add a LE cert to another site and see if it works or not; if not I'll obviously have to install the newer version using their instructions.
    If the official Ubuntu repo updates the certbot version before then I'll update it that way. I'd prefer to keep as much of the live servers using the official repos as possible.

    till likes this.
  5. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I understand why people want to use their distro's official repo, i.e. for security and stability, but I don't find using that repo alone is that secure and safe anymore, especially when the versions of the relied-on software are too old and outdated, like certbot, php, mariadb etc.

    Traditional or conventional ways may not be the best these days, and it seems that the coming ISPConfig 3.2 already adds neilpang's acme.sh and will automatically install and use it as the ISPConfig default client for letsencrypt if you don't have certbot.

    I would prefer the latest version of the official letsencrypt client "certbot" to be installed and used for my ISPConfig servers, though, but that would also be traditional and conventional, wouldn't it?

    Anyway, sorry to put all my thoughts in here but hopefully they also answer the same question for others. ;)
