Yesterday I received an email from Let’s Encrypt, the certificate provider I have been using and have talked about in a previous post.
The mail says:
Your Let’s Encrypt client used ACME TLS-SNI-01 domain validation to issue a certificate in the past 60 days. Below is a list of names and IP addresses validated (max of one per account):
ahyangyi.org (159.89.199.139) on 2019-01-16
TLS-SNI-01 validation is reaching end-of-life. It will stop working temporarily on February 13th, 2019, and permanently on March 13th, 2019. Any certificates issued before then will continue to work for 90 days after their issuance date.
This seems quite urgent, since it will actually break my setup if I do not take action. Admittedly, this blog has been on hiatus lately, but I do not want to see it dead.
Thankfully, there is a quick guide.
The quick guide suggests the following steps, which I will be following.
Check version and upgrade
certbot --version
If it is below 0.28, one needs to update certbot. Well, my version was 0.23, so I had to update it.
Remove any explicit references to tls-sni-01
sudo sh -c "sed -i.bak -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/g' /etc/letsencrypt/renewal/*; rm -f /etc/letsencrypt/renewal/*.bak"
This is the kind of command that tutorials love to hand out, but I refuse to follow it blindly. It does several things in one go: it modifies the configuration files while creating backups, and then deletes the backup files. For some reason the steps are joined by a semicolon, meaning that if the first step goes wrong, the second step will still be executed, nullifying any benefit of backing up.
So it is better to see what they are doing. Basically, they look for lines starting with pref_challs that contain tls-sni-01, and replace that challenge type with http-01.
A quick scan through my configuration shows that I do not have tls-sni-01 anyway, so this horrible command can be safely omitted.
Do a full renewal dry run
sudo certbot renew --dry-run
There is no harm in doing a dry run, so I gave it a go, and it says everything is OK.
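For anyone who does have tls-sni-01 in their renewal configs, here is how the first two steps above (the version gate and the pref_challs rewrite) look when the steps are chained with && instead of a semicolon, so that a failed edit leaves the .bak in place rather than deleting it anyway. This is an added example, not code from the Let’s Encrypt guide or from this blog; the function names and the sample renewal config are this example’s own, and the "certbot 0.23.0" output format is assumed. On a real system you would run rewrite_pref_challs against /etc/letsencrypt/renewal as root and then finish with the dry run.

```shell
#!/bin/sh
# Added example (not from the Let's Encrypt guide or this blog): the version
# check and the pref_challs rewrite, written so that a failure stops the
# sequence and keeps the backup. Function names and sample data are made up.

# Print the minor number of a dotted version ("0.23.0" -> 23, "1" -> 0).
minor_of() {
    case $1 in
        *.*) rest=${1#*.}; printf '%s\n' "${rest%%.*}" ;;
        *)   printf '0\n' ;;
    esac
}

# Return 0 (true) when version $1 is at least version $2, comparing major.minor.
version_ge() {
    have_major=${1%%.*}; have_minor=$(minor_of "$1")
    want_major=${2%%.*}; want_minor=$(minor_of "$2")
    [ "$have_major" -gt "$want_major" ] ||
        { [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]; }
}

# Take the output of `certbot --version` (assumed format: "certbot 0.23.0") and
# return 0 when it is below the 0.28 the guide requires, i.e. an upgrade is due.
certbot_needs_upgrade() {
    ver=${1#"certbot "}
    ! version_ge "$ver" 0.28
}

# Rewrite tls-sni-01 to http-01 on pref_challs lines in every *.conf under
# directory $1. Unlike the guide's one-liner: only files that actually mention
# tls-sni-01 are touched, every step is chained with && so the .bak survives
# any failure, and the result is verified before the backup is removed.
rewrite_pref_challs() {
    for conf in "$1"/*.conf; do
        [ -f "$conf" ] || continue
        grep -q '^pref_challs.*tls-sni-01' "$conf" || continue
        cp -p "$conf" "$conf.bak" &&
            sed -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/' "$conf.bak" > "$conf" &&
            ! grep -q 'tls-sni-01' "$conf" &&
            rm -f "$conf.bak" ||
            { echo "edit of $conf failed; backup kept at $conf.bak" >&2; return 1; }
    done
    return 0
}

# Demo on a constructed renewal config (real ones live in /etc/letsencrypt/renewal/).
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/example.org.conf" <<'EOF'
# constructed sample, not a real certbot file
version = 0.23.0
[renewalparams]
authenticator = standalone
pref_challs = tls-sni-01
EOF
    echo "certbot 0.23.0 needs upgrade: $(certbot_needs_upgrade 'certbot 0.23.0' && echo yes || echo no)"
    echo "before: $(grep '^pref_challs' "$tmp/example.org.conf")"
    rewrite_pref_challs "$tmp" && echo "after:  $(grep '^pref_challs' "$tmp/example.org.conf")"
    ls "$tmp"   # no .bak left behind once the edit has been verified
    rm -rf "$tmp"
}
demo
```

The sed expression is the guide’s own; what changes is the plumbing around it: sed reads from the .bak and writes into the original file (so permissions are kept), and the backup is only removed after a grep confirms no tls-sni-01 remains. If anything in that chain fails, the function reports which file it stopped on and leaves the .bak for you to inspect.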
I guess this means this blog can survive this algorithm change now.