greggman
(Greggman)
January 21, 2019, 9:07am
1
I got the notice above from Let's Encrypt recently. It's possible my memory is bad, but I think I'm only using Caddy with Let's Encrypt.
Any idea if this is a Caddy-related issue, and if so, will upgrading likely fix it?
I'm using Caddy 0.10.10.
Related Link: March 13, 2019: End-of-Life for All TLS-SNI-01 Validation Support - API Announcements - Let's Encrypt Community Support
I'd post logs, but I'm a Linux noob and I can't find them. I checked /var/log/syslog and a few other logs in there, but I see nothing related to cert renewal. The explicit logs for errors and requests only seem to have entries for pages served.
I start Caddy like this, if that helps in telling me where the cert-relevant logs are:
/usr/local/bin/caddy -log stdout -agree=true -conf=/var/www/Caddyfile -root=/var/tmp
I'm on Ubuntu 16.04.
job_noam
(Noam)
January 21, 2019, 11:41am
2
I got the same “strange” email from them and I have the same questions.
Thanks
greggman
(Greggman)
January 21, 2019, 3:12pm
3
FYI, Let's Encrypt said they will follow up with new email announcements that tell which domains.
Still, off the top of my head, I'm only using Caddy, unless I somehow forgot a server.
matt
(Matt Holt)
January 21, 2019, 6:36pm
4
The latest versions of Caddy do not use TLS-SNI, and the latest releases support its successor, the TLS-ALPN challenge.
Wait until Caddy 0.11.3 is released, then upgrade to that.
But even without upgrading, the HTTP challenge will continue to work. (Of course, I still strongly recommend upgrading.)
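For readers wondering what the TLS-ALPN challenge Matt mentions actually involves, here is an added example (not Caddy's or Let's Encrypt's code) of a TLS-ALPN-01 responder as specified in RFC 8737: when a ClientHello offers the ALPN protocol acme-tls/1 and the SNI names a domain with a pending challenge, the server presents a self-signed certificate whose critical acmeIdentifier extension carries SHA-256 of the key authorization; every other client gets the normal site certificate. The validateChallengeCert function replays the check the CA performs on the presented leaf. The domain example.test, the key authorization string and all type and function names are assumptions made for this illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// id-pe-acmeIdentifier from RFC 8737 section 3: 1.3.6.1.5.5.7.1.31.
var acmeIdentifierOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31}

// acmeTLSProto is the ALPN value the validator offers. The server's tls.Config
// must also list it in NextProtos or the handshake never selects it.
const acmeTLSProto = "acme-tls/1"

// selfSigned mints a short-lived self-signed cert for domain with optional extra
// extensions; used for both the stand-in site cert and the challenge cert.
func selfSigned(domain string, exts []pkix.Extension) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: domain},
		DNSNames:        []string{domain},
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(time.Hour),
		ExtraExtensions: exts,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// challengeCert builds the cert a TLS-ALPN-01 responder presents: SAN = domain
// plus a critical acmeIdentifier extension holding SHA-256(keyAuth) as an OCTET STRING.
func challengeCert(domain, keyAuth string) (tls.Certificate, error) {
	digest := sha256.Sum256([]byte(keyAuth))
	val, err := asn1.Marshal(digest[:]) // []byte marshals as an OCTET STRING
	if err != nil {
		return tls.Certificate{}, err
	}
	ext := pkix.Extension{Id: acmeIdentifierOID, Critical: true, Value: val}
	return selfSigned(domain, []pkix.Extension{ext})
}

// ALPNResponder hands out a challenge cert only when the client offers acme-tls/1
// for a domain with a pending challenge; ordinary clients get siteCert.
type ALPNResponder struct {
	siteCert tls.Certificate
	pending  map[string]tls.Certificate // domain -> challenge cert
}

func (r *ALPNResponder) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	for _, p := range hello.SupportedProtos {
		if p == acmeTLSProto {
			if c, ok := r.pending[hello.ServerName]; ok {
				return &c, nil
			}
			return nil, fmt.Errorf("no pending TLS-ALPN-01 challenge for %q", hello.ServerName)
		}
	}
	return &r.siteCert, nil
}

// validateChallengeCert is the CA-side check: domain must appear in the SANs and
// the critical acmeIdentifier extension must equal SHA-256(keyAuth).
func validateChallengeCert(der []byte, domain, keyAuth string) bool {
	cert, err := x509.ParseCertificate(der) // unknown critical exts do not fail parsing
	if err != nil {
		return false
	}
	want := sha256.Sum256([]byte(keyAuth))
	wantVal, _ := asn1.Marshal(want[:])
	sanOK := false
	for _, n := range cert.DNSNames {
		sanOK = sanOK || n == domain
	}
	for _, e := range cert.Extensions {
		if e.Id.Equal(acmeIdentifierOID) && e.Critical && bytes.Equal(e.Value, wantVal) {
			return sanOK
		}
	}
	return false
}

func main() {
	// Constructed key authorization; a real one is token + "." + JWK thumbprint.
	chal, err := challengeCert("example.test", "token123.thumbprint")
	if err != nil {
		panic(err)
	}
	fmt.Println("challenge cert validates:", validateChallengeCert(chal.Certificate[0], "example.test", "token123.thumbprint"))
}
```

In a real server the tls.Config needs NextProtos to include acme-tls/1 alongside h2 and http/1.1 and GetCertificate set to the responder's method; GetCertificate alone is not enough, because Go's TLS server will not negotiate an ALPN protocol it was not configured with. The challenge cert is only ever sent to a client that asked for acme-tls/1, so browsers never see the self-signed leaf.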
sugarcube
(Sugarcube)
January 28, 2019, 2:14pm
5
I am replying here as I have the same issue. Not sure about the version (compiled from source a year ago).
Could this maybe be related to configuration? My configuration is rather explicit:
http://mydomain.com {
redir https://mydomain.com {uri}
tls off
}
https://mydomain.com {
tls …
…
}
Would this cause the HTTP challenge to fail, falling back to the SNI challenge? (Because in this case the HTTP challenge is redirected to HTTPS?)
I would assume moving back to a simple configuration of mydomain.com {…} without the redirect would solve it?
matt
(Matt Holt)
January 29, 2019, 6:12am
6
Don't worry, there's nothing you can put in your Caddyfile that will break the HTTP challenge for your Caddy sites.
tls off
would break HTTP challenges, along with every other challenge, by disabling ACME cert requisition.
But on a serious note, the only way to disable specific challenges is with a command line flag passed to Caddy at launch, e.g. -disable-http-challenge.
(P.S. shouldn't those flags be updated so we can disable the TLS-ALPN challenge? It's not like the -disable-tls-sni-challenge flag would do anything anymore anyway.)
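To show why the redirect block in the question cannot break the HTTP challenge, the following added example (not Caddy's own code) illustrates the precedence Matt describes: the HTTP-01 responder is wired in front of the site handler, so a probe for /.well-known/acme-challenge/<token> on port 80 is answered directly with the key authorization, while every other request still gets the site's 301 to HTTPS. The host mydomain.com is taken from the question; the token, the key authorization value and the type and function names are constructed for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// challengePrefix is the well-known path a CA probes for HTTP-01 (RFC 8555 section 8.3).
const challengePrefix = "/.well-known/acme-challenge/"

// HTTP01Solver remembers the tokens being validated and the key authorization
// each must be answered with.
type HTTP01Solver struct {
	mu     sync.RWMutex
	tokens map[string]string // token -> keyAuthorization
}

func NewHTTP01Solver() *HTTP01Solver {
	return &HTTP01Solver{tokens: make(map[string]string)}
}

// Present registers a challenge; CleanUp retires it once the CA has probed.
func (s *HTTP01Solver) Present(token, keyAuth string) {
	s.mu.Lock()
	s.tokens[token] = keyAuth
	s.mu.Unlock()
}

func (s *HTTP01Solver) CleanUp(token string) {
	s.mu.Lock()
	delete(s.tokens, token)
	s.mu.Unlock()
}

// Wrap answers challenge probes itself, before the site's handlers run, so a
// site-level redirect to HTTPS never sees them. Everything else goes to site.
func (s *HTTP01Solver) Wrap(site http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !strings.HasPrefix(r.URL.Path, challengePrefix) {
			site.ServeHTTP(w, r)
			return
		}
		token := strings.TrimPrefix(r.URL.Path, challengePrefix)
		s.mu.RLock()
		keyAuth, ok := s.tokens[token]
		s.mu.RUnlock()
		// Unknown tokens, an empty token or extra path segments get a plain 404,
		// never the redirect, so a stale probe fails cleanly instead of bouncing.
		if !ok || token == "" || strings.Contains(token, "/") {
			http.NotFound(w, r)
			return
		}
		w.Header().Set("Content-Type", "application/octet-stream")
		w.Write([]byte(keyAuth))
	})
}

// redirectToHTTPS stands in for the plain-HTTP site block from the question
// (redir https://mydomain.com {uri}).
func redirectToHTTPS(w http.ResponseWriter, r *http.Request) {
	http.Redirect(w, r, "https://"+r.Host+r.URL.RequestURI(), http.StatusMovedPermanently)
}

// probe drives the handler in-process and returns the status code and body.
func probe(h http.Handler, path string) (int, string) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "http://mydomain.com"+path, nil)
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	solver := NewHTTP01Solver()
	// Constructed token and key authorization; a real keyAuth is token + "." + JWK thumbprint.
	solver.Present("tok123", "tok123.thumbprint-of-account-key")
	srv := solver.Wrap(http.HandlerFunc(redirectToHTTPS))
	for _, p := range []string{"/.well-known/acme-challenge/tok123", "/index.html"} {
		code, body := probe(srv, p)
		fmt.Printf("%-40s -> %d %q\n", p, code, body)
	}
}
```

The ordering is the whole point: because the solver runs before the site handler, no redir, rewrite or tls setting inside the site block can intercept the probe. What can still break validation is anything outside the server, such as a firewall or a load balancer in front of it that refuses or rewrites plain-HTTP traffic on port 80.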
matt
(Matt Holt)
February 2, 2019, 10:04pm
8
Yeah, I made that change a while ago and will roll out the new docs with the next release.
system
(system)
Closed
May 3, 2019, 10:04pm
9
This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.