Thread: Take care of these Let's Encrypt changes soon please if needed! disabled TLS-SNI-01

  1. #1
    Join Date
    May 2014
    Location
    Netherlands Germany
    Posts
    332

    Take care of these Let's Encrypt changes soon please if needed! disabled TLS-SNI-01

    See
    https://community.letsencrypt.org/t/...tructure/49996

    josh 2018-01-10 09:28:26 UTC #1

    At approximately 5 p.m. Pacific time on January 9, 2018, we received a report from Frans Rosén of Detectify outlining a method of exploiting some shared hosting infrastructures to obtain certificates for domains he did not control, by making use of the ACME TLS-SNI-01 challenge type. We quickly confirmed the issue and mitigated it by entirely disabling TLS-SNI-01 validation in Let’s Encrypt. We’re grateful to Frans for finding this issue and reporting it to us.

    We’d like to describe the issue and our plans for possibly re-enabling TLS-SNI-01 support.
    This issue only affects domain names that use hosting providers with the above combination of properties. It is independent of whether the hosting provider itself acts as an ACME client. It applies equally to TLS-SNI-02.

    Our Plans

    Shortly after the issue was reported, we disabled TLS-SNI-01 in Let’s Encrypt. However, a large number of people and organizations use the TLS-SNI-01 challenge type to get certificates. It’s important that we restore service if possible, though we will only do so if we’re confident that the TLS-SNI-01 challenge type is sufficiently secure.
    We will post more information and details as our plans progress.

    Update #1: We have decided to re-enable the TLS-SNI-01 challenge for certain major providers who are known not to have issues while we investigate re-enabling TLS-SNI-01 in general. We’re doing this as a safe way to restore service faster for a large number of sites.

    josh 2018-01-11 22:16:27 UTC #4

    We’ve posted a major update to a new thread.

    https://community.letsencrypt.org/t/...tructure/50188

    TLS-SNI Validation Will Remain Disabled For New Accounts

    The ACME TLS-SNI-01 validation method will remain disabled permanently for new accounts by default. Since the same problems apply to TLS-SNI-02, TLS-SNI-02 will remain disabled in our upcoming ACMEv2 API endpoint.

    Mitigations for Existing TLS-SNI Users

    Our recommendation for users is to begin a migration to the HTTP-01 or DNS-01 validation methods. We are working to provide a reasonable amount of migration time for as many users as possible, while maintaining our commitment to security.

    we strongly encourage people to move to HTTP or DNS validation rather than attempt to get on the TLS-SNI-01 whitelist.

    For most people using the TLS-SNI validation method, moving to the HTTP validation method will be the easiest path forward.

    Also a howto for DA, if something needs to be changed?

    https://community.letsencrypt.org/t/...1-outage/50207

    For example, changes/problems with this updated script, for those who used it or parts from this one: https://github.com/certbot/certbot >
    Known issues with these changes as of 2018-01-11:

    the Apache plugin may not succeed in using HTTP-01 Challenges on virtual hosts that redirect to a different webserver
    the Apache plugin may not succeed in using HTTP-01 Challenges on webservers that proxy-pass the /.well-known/acme-challenges/ directory
    the Nginx plugin may not succeed in using HTTP-01 if your nginx webserver does not listen on port 80
    the Nginx plugin may not succeed in using HTTP-01 if your config uses a non-standard port and you haven’t supplied a --http-01-port flag.
    the Nginx plugin may be unreliable when using HTTP-01 if you have an IPv6 (AAAA) DNS record, but your server is only listening over IPv4.
    Last edited by ikkeben; 01-12-2018 at 12:12 AM. Reason: maybe urgent ?
    DUTCH GERMAN, GERMAN DUTCH

  2. #2
    Join Date
    Jul 2006
    Posts
    85
    I'm not sure DA is affected. I checked the letsencrypt.sh script and it is using http-01 already.

    CHALLENGETYPE="http-01"

    Kevin

    Quote Originally Posted by ikkeben View Post
    See
    https://community.letsencrypt.org/t/...tructure/49996

  3. #3
    Join Date
    May 2014
    Location
    Netherlands Germany
    Posts
    332
    Yep, DA, but I don't know if the DA script is somewhat the same as the certbot script; they also have problems with http-01.
    Known issues with these changes as of 2018-01-11:

    the Apache plugin may not succeed in using HTTP-01 Challenges on virtual hosts that redirect to a different webserver
    the Apache plugin may not succeed in using HTTP-01 Challenges on webservers that proxy-pass the /.well-known/acme-challenges/ directory
    the Nginx plugin may not succeed in using HTTP-01 if your nginx webserver does not listen on port 80
    the Nginx plugin may not succeed in using HTTP-01 if your config uses a non-standard port and you haven’t supplied a --http-01-port flag.
    the Nginx plugin may be unreliable when using HTTP-01 if you have an IPv6 (AAAA) DNS record, but your server is only listening over IPv4.
    And also if someone uses that certbot or any other script while the hoster ....
    DUTCH GERMAN, GERMAN DUTCH
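A pre-flight check for the HTTP-01 failure modes listed in the two posts above (a virtual host that redirects to a different webserver, /.well-known/acme-challenge/ handled by a proxy, nothing listening on port 80, an AAAA record with an IPv4-only listener). This is an added example; it is not part of the thread, of DirectAdmin's letsencrypt.sh or of certbot. It assumes the token file has already been placed in the webroot with the key authorization as its body, and the resolver and fetcher are injectable so the logic can be exercised offline with constructed responses.

```python
"""Probe http://<host>/.well-known/acme-challenge/<token> the way an
HTTP-01 validator would: over every A and AAAA address, on port 80,
following same-host redirects, and comparing the body to the key authorization."""
import socket
import http.client
from urllib.parse import urlsplit

CHALLENGE_DIR = "/.well-known/acme-challenge/"
REDIRECTS = (301, 302, 303, 307, 308)

def default_resolve(host):
    """All A and AAAA addresses of host, so an AAAA record without an IPv6 listener shows up."""
    infos = socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP)
    return sorted({addr[0] for _fam, _t, _p, _c, addr in infos})

def default_fetch(ip, host, path):
    """Plain HTTP GET on port 80 to one specific address; returns (status, location, body)."""
    conn = http.client.HTTPConnection(ip, 80, timeout=10)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location"), resp.read().decode(errors="replace")
    finally:
        conn.close()

def check_http01(host, token, key_auth, resolve=default_resolve, fetch=default_fetch):
    """Return {ip: verdict}; 'ok' means a validator reaching that address would pass."""
    results = {}
    for ip in resolve(host):
        path, hops = CHALLENGE_DIR + token, 0
        try:
            while True:
                status, location, body = fetch(ip, host, path)
                if status in REDIRECTS and location:
                    hops += 1
                    u = urlsplit(location)
                    if hops > 10:
                        verdict = "redirect loop"
                    elif u.hostname and u.hostname != host:
                        verdict = f"redirects off-host to {u.hostname}"  # token must be served there too
                    elif u.scheme == "https":
                        verdict = f"redirects to {location} (token must be served over HTTPS too)"
                    else:
                        path = u.path or "/"  # same host, plain HTTP: keep following
                        continue
                elif status != 200:
                    verdict = f"HTTP {status}"  # e.g. nothing serving the webroot on this vhost
                elif body.strip() != key_auth:
                    verdict = "wrong body (is the path proxied to another handler?)"
                else:
                    verdict = "ok"
                break
        except (OSError, http.client.HTTPException) as exc:
            verdict = f"connect failed: {exc}"  # e.g. no listener on port 80 or no IPv6 listener
        results[ip] = verdict
    return results
```

Run it against the real hostname before switching the challenge type: every address must report `ok`, or the validator may hit the one that does not.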

  4. #4
    Join Date
    Sep 2008
    Location
    London UK
    Posts
    1,582
    2018 isn't getting off to a good start, is it....... Seen more flaws than Burj Khalifa

  5. #5
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    11,882
    Just created a new cert for a domain on a directadmin server and haven't found anything wrong here. A cert was created fine.

    Directadmin does not use those plugins and uses its own script to communicate with Let's Encrypt servers with http-01 challenge type, so I believe we are safe here.
