TLS-SNI-01 validation is reaching end-of-life and will stop working on **February 13th, 2019.**

I got the notice above from Letsencrypt recently. It’s possible my memory is bad but I think I’m only using caddy with Letsencrypt.

Any idea if this is a caddy-related issue and, if so, will upgrading likely fix it?

I’m using caddy 0.10.10

Related Link: March 13, 2019: End-of-Life for All TLS-SNI-01 Validation Support - API Announcements - Let's Encrypt Community Support

I’d post logs, but I’m a linux noob and I can’t find them. I checked /var/log/syslog and a few other logs in there, but I see nothing related to cert renewal. The explicit logs for errors and requests only seem to have entries for pages served.

I start caddy like this, if it’s helpful in figuring out where the cert-relevant logs are.

/usr/local/bin/caddy -log stdout -agree=true -conf=/var/www/Caddyfile -root=/var/tmp

I’m on ubuntu 16.04

I got the same “strange” email from them and I have the same questions.

Thanks

FYI, Letsencrypt said they will follow up with new email announcements that tell which domains.

Still off the top of my head I’m only using caddy unless I somehow forgot a server :stuck_out_tongue:

The latest versions of Caddy do not use TLS-SNI, and the latest releases support its successor, the TLS-ALPN challenge.

Wait until Caddy 0.11.3 is released, then upgrade to that.

But even without upgrading, the HTTP challenge will continue to work. (Of course, I still strongly recommend upgrading.)


I am replying here as I have the same issue. Not sure about the version (compiled from source a year ago).

Could this maybe be related to configuration? My configuration is rather explicit:

http://mydomain.com {
    redir https://mydomain.com{uri}
    tls off
}
https://mydomain.com {
    tls …
}

Would this cause the HTTP challenge to fail, falling back to the SNI challenge? (Because in this case the HTTP challenge is redirected to HTTPS?)

I would assume moving back to a simple configuration, mydomain.com {…}, without the redirect would solve it?

Don’t worry, there’s nothing you can put in your Caddyfile that will break the HTTP challenge for your Caddy sites.

tls off would break HTTP challenges, along with every other challenge, by disabling ACME cert requisition :smiley:

But on a serious note, the only way to disable specific challenges is with a command line flag passed to Caddy at launch, e.g. -disable-http-challenge.

(P.S. shouldn’t those flags be updated so we can disable the TLS-ALPN challenge? It’s not like the -disable-tls-sni-challenge flag would do anything anymore anyway.)
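To make the HTTP challenge the replies above rely on concrete, here is an added example (not code from this thread, and not Caddy's own implementation) of what the CA actually fetches during HTTP-01 validation, following RFC 8555 (key authorization) and RFC 7638 (JWK thumbprint). SAMPLE_JWK, SAMPLE_TOKEN and the kid URL are constructed placeholders; a real ACME client gets the token from the CA's authorization object and the JWK from its own account key. The example generalizes slightly beyond the thread by handling both EC and RSA account keys, and it serves the challenge from a loopback listener on an ephemeral port, where a real server answers on port 80.

```python
import base64
import hashlib
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import urlopen

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# RFC 7638: only the required public members of each key type go into the thumbprint.
REQUIRED_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}

# Constructed sample ACME account key (public JWK) and challenge token.  Real values
# come from your ACME client's account key and from the CA's authorization object.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "constructed-x-coordinate-not-a-real-key",
    "y": "constructed-y-coordinate-not-a-real-key",
    "kid": "https://acme.example/acct/123",  # hypothetical; not part of the thumbprint
}
SAMPLE_TOKEN = "constructed-token-evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ"


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JWS require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members only."""
    members = REQUIRED_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """The exact body the CA expects at /.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def answer_request(path: str, answers: dict):
    """Route one GET: (200, key authorization) for a known token, (404, b'') otherwise.

    Only the fixed challenge path matters to the CA; whatever the site does on its
    other routes (redirects included) never enters into this decision."""
    if path.startswith(CHALLENGE_PREFIX):
        body = answers.get(path[len(CHALLENGE_PREFIX):])
        if body is not None:
            return 200, body.encode("ascii")
    return 404, b""


def make_handler(answers: dict):
    class ChallengeHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            status, payload = answer_request(self.path, answers)
            self.send_response(status)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(payload)))
            self.end_headers()
            self.wfile.write(payload)

        def log_message(self, *args):  # keep the demo quiet
            pass

    return ChallengeHandler


def serve_challenges(answers: dict) -> HTTPServer:
    """Start a loopback HTTP listener on an ephemeral port (a real responder uses port 80)."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(answers))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def validate(base_url: str, token: str, expected: str) -> bool:
    """Fetch the challenge over plain HTTP the way a CA validator does and compare the body."""
    try:
        with urlopen(f"{base_url}{CHALLENGE_PREFIX}{token}", timeout=5) as resp:
            return resp.status == 200 and resp.read().decode("ascii").strip() == expected
    except Exception:  # 404, connection refused, timeout: all are failed validations
        return False


def demo() -> tuple:
    """Serve one constructed token and validate it; also show an unknown token failing."""
    expected = key_authorization(SAMPLE_TOKEN, SAMPLE_JWK)
    server = serve_challenges({SAMPLE_TOKEN: expected})
    base_url = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        return validate(base_url, SAMPLE_TOKEN, expected), validate(base_url, "unknown-token", expected)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("key authorization:", key_authorization(SAMPLE_TOKEN, SAMPLE_JWK))
    print("known token validates, unknown token validates:", demo())
```

The point for this thread: the validator needs a single plain-HTTP GET on the challenge path to return the token joined to the account key's thumbprint, nothing more. Neither the TLS-SNI challenge nor any site-level directive is involved, which is why a redirect on the site's other paths does not interfere and why the HTTP challenge keeps working after TLS-SNI-01 is retired.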

Yeah, I’ve made that change a while ago and will roll out the new docs with the next release.

