TLS-SNI-01 validation is reaching end-of-life and will stop working on **February 13th, 2019.**


(Greggman) #1

I got the notice above from Letsencrypt recently. It’s possible my memory is bad but I think I’m only using caddy with Letsencrypt.

Any idea if this is a caddy-related issue and, if so, whether upgrading will likely fix it?

I’m using caddy 0.10.10

Related Link: https://community.letsencrypt.org/t/february-13-2019-end-of-life-for-all-tls-sni-01-validation-support/74209

I’d post logs, but I’m a linux noob and I can’t find them. I checked /var/log/syslog and a few other logs in there, but I see nothing related to cert renewal. The explicit logs for errors and requests only seem to have entries for pages served.

I start caddy like this, if it’s helpful to help me know where the cert-relevant logs are:

```
/usr/local/bin/caddy -log stdout -agree=true -conf=/var/www/Caddyfile -root=/var/tmp
```

I’m on ubuntu 16.04


(Noam) #2

I got the same “strange” email from them and I have the same questions.

Thanks


(Greggman) #3

FYI, Letsencrypt said they will follow up with new email announcements that tell which domains.

Still off the top of my head I’m only using caddy unless I somehow forgot a server :stuck_out_tongue:


(Matt Holt) #4

The latest versions of Caddy do not use TLS-SNI, and the latest releases support its successor, the TLS-ALPN challenge.

Wait until Caddy 0.11.3 is released, then upgrade to that.

But even without upgrading, the HTTP challenge will continue to work. (Of course, I still strongly recommend upgrading.)


(Sugarcube) #5

I am replying here as I have the same issue. Not sure about the version (compiled from source a year ago).

Could this maybe be related to configuration? My configuration is rather explicit:

```
http://mydomain.com {
    redir https://mydomain.com{uri}
    tls off
}
https://mydomain.com {
    tls …
}
```

Would this cause the HTTP challenge to fail, falling back to the SNI challenge? (Because in this case the http challenge is redirected to https?)

I would assume moving back to a simple configuration of mydomain.com {…} without the redirect would solve it?


(Matt Holt) #6

Don’t worry, there’s nothing you can put in your Caddyfile that will break the HTTP challenge for your Caddy sites.


(Matthew Fay) #7

`tls off` would break HTTP challenges, along with every other challenge, by disabling ACME cert requisition :smiley:

But on a serious note, the only way to disable specific challenges is with a command line flag passed to Caddy at launch, e.g. `-disable-http-challenge`.

(P.S. shouldn’t those flags be updated so we can disable the TLS-ALPN challenge? It’s not like the `-disable-tls-sni-challenge` flag would do anything anymore anyway.)
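To make the point in posts #6 and #7 concrete, here is an added illustration (not Caddy’s code, and not posted by anyone in this thread) of the request-routing order that makes a site-level redirect harmless to the HTTP challenge: the ACME challenge responder is consulted before the site’s own handlers, so a probe for `/.well-known/acme-challenge/<token>` is answered directly and never reaches the `redir`. It also models the two things that *do* stop the challenge: `tls off` on the site (no challenge is ever registered for that host) and the `-disable-http-challenge` launch flag. All function names, the in-memory token store and the sample token are constructed assumptions for this example.

```python
"""Model of ACME HTTP-01 routing ahead of site handlers (added example, hypothetical names)."""

ACME_PREFIX = "/.well-known/acme-challenge/"

# Constructed state: active HTTP-01 challenges, keyed by host then token -> key authorization.
# A real ACME client fills this when the CA issues a challenge; it stays empty for a
# host configured with `tls off`, because no ACME order is ever started for it.
_active_challenges = {}

# Models the `-disable-http-challenge` launch flag from post #7 (assumption: process-wide).
_http_challenge_disabled = False


def set_http_challenge_disabled(disabled):
    """Toggle the modelled launch flag; returns the new state."""
    global _http_challenge_disabled
    _http_challenge_disabled = bool(disabled)
    return _http_challenge_disabled


def register_challenge(host, token, key_authorization):
    """Record a pending HTTP-01 challenge for `host` (what the ACME client would do)."""
    _active_challenges.setdefault(host, {})[token] = key_authorization
    return token


def challenge_handler(host, path):
    """Answer an HTTP-01 probe, or return None so the request falls through to the site."""
    if _http_challenge_disabled or not path.startswith(ACME_PREFIX):
        return None
    token = path[len(ACME_PREFIX):]
    key_authorization = _active_challenges.get(host, {}).get(token)
    if key_authorization is None:
        # Unknown token (or a host with no ACME order, e.g. `tls off`): plain 404, no redirect.
        return (404, "")
    return (200, key_authorization)


def site_handler(host, path):
    """Models the poster's Caddyfile: the plain-HTTP site redirects everything to HTTPS."""
    return (302, "https://" + host + path)


def serve(host, path):
    """Routing order that matters: challenge responder first, site config second."""
    response = challenge_handler(host, path)
    if response is not None:
        return response
    return site_handler(host, path)


if __name__ == "__main__":
    # Constructed sample: a pending challenge for mydomain.com with a made-up token.
    register_challenge("mydomain.com", "sample-token", "sample-token.sample-thumbprint")
    print(serve("mydomain.com", ACME_PREFIX + "sample-token"))   # answered before the redirect
    print(serve("mydomain.com", "/index.html"))                  # ordinary traffic is redirected
    set_http_challenge_disabled(True)
    print(serve("mydomain.com", ACME_PREFIX + "sample-token"))   # now the redirect wins
```

The takeaway for Sugarcube’s question: the `redir` line cannot cause a fallback to TLS-SNI, because the challenge request is satisfied before site routing runs; only `tls off` (no challenge registered at all) or the launch flag changes the outcome.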


(Matt Holt) #8

Yeah, I’ve made that change a while ago and will roll out the new docs with the next release.