enjalot / blockbuilder

Create, fork and edit d3.js code snippets for use with bl.ocks.org right in the browser, no terminal required.
Other
323 stars 59 forks source link

stop using TLS-SNI-01 for domain validation so https will keep working #230

Closed micahstubbs closed 5 years ago

micahstubbs commented 5 years ago

Hello,

Action may be required to prevent your Let's Encrypt certificate renewals from breaking.

If you already received a similar e-mail, this one contains updated information.

Your Let's Encrypt client used ACME TLS-SNI-01 domain validation to issue a certificate in the past 60 days. Below is a list of names and IP addresses validated (max of one per account):

blockbuilder.org (35.239.22.31) on 2018-12-03

TLS-SNI-01 validation is reaching end-of-life. It will stop working temporarily on February 13th, 2019, and permanently on March 13th, 2019. Any certificates issued before then will continue to work for 90 days after their issuance date.

You need to update your ACME client to use an alternative validation method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your certificate renewals will break and existing certificates will start to expire.

Our staging environment already has TLS-SNI-01 disabled, so if you'd like to test whether your system will work after February 13, you can run against staging: https://letsencrypt.org/docs/staging-environment/

If you're a Certbot user, you can find more information here: https://community.letsencrypt.org/t/how-to-stop-using-tls-sni-01-with-certbot/83210

Our forum has many threads on this topic. Please search to see if your question has been answered, then open a new thread if it has not: https://community.letsencrypt.org/

For more information about the TLS-SNI-01 end-of-life please see our API announcement: https://community.letsencrypt.org/t/february-13-2019-end-of-life-for-all-tls-sni-01-validation-support/74209

Thank you, Let's Encrypt Staff

micahstubbs commented 5 years ago

got this working by following the instructions at these two links.

first I update certbot:

https://certbot.eff.org/lets-encrypt/ubuntuxenial-nginx

then I run the command in this post to disable the old domain validation method:

https://community.letsencrypt.org/t/how-to-stop-using-tls-sni-01-with-certbot/83210

micahstubbs commented 5 years ago

here are the exact commands from those two posts that I ran on our blockbuilder-frontend server:

  # update certbot
  sudo apt-get update
  sudo apt-get install software-properties-common
  sudo add-apt-repository universe
  sudo add-apt-repository ppa:certbot/certbot
  sudo apt-get update
  sudo apt-get install certbot python-certbot-nginx 

  # check the certbot version
  certbot --version || /path/to/certbot-auto --version
   # $ certbot 0.28.0

  # do the fix
  sudo sh -c "sed -i.bak -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/g' /etc
/letsencrypt/renewal/*; rm -f /etc/letsencrypt/renewal/*.bak"

  # test certbot to see if the fix worked
  sudo certbot renew --dry-run
micahstubbs commented 5 years ago

et voila, it works!

ubuntu@blockbuilder-frontend:~$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/blockbuilder.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Could not open file: /etc/nginx/sites-enabled/default
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for blockbuilder.org
Waiting for verification...
Cleaning up challenges
Could not open file: /etc/nginx/sites-enabled/default

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/blockbuilder.org/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/blockbuilder.org/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.