OpenRiskNet / home

OpenRiskNet wiki and core resources
Adjust the Let's Encrypt certificate renewal (before Mar 13th) #42

Closed alanbchristie closed 4 years ago

alanbchristie commented 5 years ago

From an email (29-Jan 02:57)...

TLS-SNI-01 validation is reaching end-of-life. It will stop working temporarily on February 13th, 2019, and permanently on March 13th, 2019. Any certificates issued before then will continue to work for 90 days after their issuance date.

You need to update your ACME client to use an alternative validation method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your certificate renewals will break and existing certificates will start to expire.

Our staging environment already has TLS-SNI-01 disabled, so if you'd like to test whether your system will work after February 13, you can run against staging: https://letsencrypt.org/docs/staging-environment/

If you're a Certbot user, you can find more information here: https://community.letsencrypt.org/t/how-to-stop-using-tls-sni-01-with-certbot/83210

Our forum has many threads on this topic. Please search to see if your question has been answered, then open a new thread if it has not: https://community.letsencrypt.org/

For more information about the TLS-SNI-01 end-of-life please see our API announcement: https://community.letsencrypt.org/t/february-13-2019-end-of-life-for-all-tls-sni-01-validation-support/74209

Thank you, Let's Encrypt Staff

alanbchristie commented 5 years ago

New Certbot installations have been tested (with the okd-orchestrator) and the solution may be as simple as making sure you're using the latest Certbot. See:

https://community.letsencrypt.org/t/how-to-stop-using-tls-sni-01-with-certbot/83210

tdudgeon commented 4 years ago

We are now no longer using Let's Encrypt for the API certs and instead using a cert that is valid for 2 years.