Take care of these letsencrypt changes soon please if needed! disabled TLS-SNI-01

ikkeben


See
https://community.letsencrypt.org/t...ni-01-and-shared-hosting-infrastructure/49996

josh 2018-01-10 09:28:26 UTC #1

At approximately 5 p.m. Pacific time on January 9, 2018, we received a report from Frans Rosén of Detectify outlining a method of exploiting some shared hosting infrastructures to obtain certificates for domains he did not control, by making use of the ACME TLS-SNI-01 challenge type. We quickly confirmed the issue and mitigated it by entirely disabling TLS-SNI-01 validation in Let’s Encrypt. We’re grateful to Frans for finding this issue and reporting it to us.

We’d like to describe the issue and our plans for possibly re-enabling TLS-SNI-01 support.

This issue only affects domain names that use hosting providers with the above combination of properties. It is independent of whether the hosting provider itself acts as an ACME client. It applies equally to TLS-SNI-02.

Our Plans

Shortly after the issue was reported, we disabled TLS-SNI-01 in Let’s Encrypt. However, a large number of people and organizations use the TLS-SNI-01 challenge type to get certificates. It’s important that we restore service if possible, though we will only do so if we’re confident that the TLS-SNI-01 challenge type is sufficiently secure.
We will post more information and details as our plans progress.

Update #1: We have decided to re-enable the TLS-SNI-01 challenge for certain major providers who are known not to have issues while we investigate re-enabling TLS-SNI-01 in general. We’re doing this as a safe way to restore service faster for a large number of sites.

josh 2018-01-11 22:16:27 UTC #4

We’ve posted a major update to a new thread.

https://community.letsencrypt.org/t...s-sni-and-shared-hosting-infrastructure/50188

TLS-SNI Validation Will Remain Disabled For New Accounts

The ACME TLS-SNI-01 validation method will remain disabled permanently for new accounts by default. Since the same problems apply to TLS-SNI-02, TLS-SNI-02 will remain disabled in our upcoming ACMEv2 API endpoint.

Mitigations for Existing TLS-SNI Users

Our recommendation for users is to begin a migration to the HTTP-01 or DNS-01 validation methods. We are working to provide a reasonable amount of migration time for as many users as possible, while maintaining our commitment to security.

We strongly encourage people to move to HTTP or DNS validation rather than attempt to get on the TLS-SNI-01 whitelist.

For most people using the TLS-SNI validation method, moving to the HTTP validation method will be the easiest path forward.

Also a howto for DA if needed to change something?

https://community.letsencrypt.org/t...e-and-nginx-fixes-for-tls-sni-01-outage/50207

For example, changes or problems with this updated script, for anyone who used this or parts from this one: https://github.com/certbot/certbot >
Known issues with these changes as of 2018-01-11:

the Apache plugin may not succeed in using HTTP-01 Challenges on virtual hosts that redirect to a different webserver
the Apache plugin may not succeed in using HTTP-01 Challenges on webservers that proxy-pass the /.well-known/acme-challenges/ directory
the Nginx plugin may not succeed in using HTTP-01 if your nginx webserver does not listen on port 80
the Nginx plugin may not succeed in using HTTP-01 if your config uses a non-standard port and you haven’t supplied a --http-01-port flag.
the Nginx plugin may be unreliable when using HTTP-01 if you have an IPv6 (AAAA) DNS record, but your server is only listening over IPv4.
 
I'm not sure DA is affected. I checked the letsencrypt.sh script and it is using http-01 already.

CHALLENGETYPE="http-01"

Kevin
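What the http-01 setting in a script like letsencrypt.sh actually commits the client to, shown as an added Python example (this is not DirectAdmin's script, certbot's code or Let's Encrypt's server code). The client publishes a key authorization, token plus the RFC 7638 thumbprint of its ACME account key, under /.well-known/acme-challenge/, and the CA fetches it over plain HTTP on port 80 and compares. The JWK member values, the token and the in-memory "webroot" below are constructed placeholders, not real keys or real challenge data:

```python
import base64
import hashlib
import json

# Path under which HTTP-01 challenge files are served (RFC 8555, section 8.3).
ACME_PATH = "/.well-known/acme-challenge/"

# Constructed account key in JWK form; the member values are placeholders,
# not a real RSA key. The thumbprint only hashes the JSON, so that is fine here.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-not-a-real-key", "kid": "acct-1"}
# A second constructed key, standing in for some other ACME account.
OTHER_JWK = {"kty": "RSA", "e": "AQAB", "n": "another-constructed-modulus"}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JWK thumbprints require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required public
    members only, so optional members such as "kid" do not influence the value."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token.<thumbprint>: binds the challenge token to the ACME account key that requested it."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def publish_challenge(webroot: dict, token: str, account_jwk: dict) -> str:
    """Client side: write the key authorization where the web server will serve it.
    The dict stands in for the document root of the site being validated."""
    body = key_authorization(token, account_jwk)
    webroot[ACME_PATH + token] = body
    return body


def fetch(webroot: dict, path: str) -> tuple:
    """Stand-in for the CA's plain-HTTP GET on port 80, returning (status, body)."""
    body = webroot.get(path)
    return (200, body) if body is not None else (404, "")


def check_http01_response(token: str, account_jwk: dict, status: int, body: str) -> tuple:
    """CA side: HTTP 200 and a body equal to the key authorization; trailing whitespace
    is tolerated. A redirect to a host that lacks the file, a proxied /.well-known/ path
    or nothing listening on port 80 all surface here as a wrong status or a wrong body."""
    expected = key_authorization(token, account_jwk)
    if status != 200:
        return False, f"expected HTTP 200 for {ACME_PATH}{token}, got {status}"
    if body.rstrip() != expected:
        return False, "body is not the key authorization for this token and account key"
    return True, "key authorization matches"


def run_demo() -> dict:
    """Publish a constructed challenge, validate it, and show the two failure cases
    a migration to HTTP-01 typically runs into: file not served, wrong account key."""
    webroot = {}
    token = "constructed-token-7Ym9"
    publish_challenge(webroot, token, ACCOUNT_JWK)
    return {
        "served": check_http01_response(token, ACCOUNT_JWK, *fetch(webroot, ACME_PATH + token))[0],
        "missing_file": check_http01_response(token, ACCOUNT_JWK, *fetch(webroot, ACME_PATH + "nope"))[0],
        "wrong_account": check_http01_response(token, OTHER_JWK, *fetch(webroot, ACME_PATH + token))[0],
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The "missing_file" case is the one behind most entries in the known-issues list above: whenever the request for /.well-known/acme-challenge/ ends up at a redirect target, a proxied backend or a port the web server is not listening on, the CA never sees the key authorization and the check fails regardless of how the certificate was requested.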

 
Yep, DA, but I don't know if the DA script is somewhat the same as the certbot script; they have problems also with http-01.
Known issues with these changes as of 2018-01-11:

the Apache plugin may not succeed in using HTTP-01 Challenges on virtual hosts that redirect to a different webserver
the Apache plugin may not succeed in using HTTP-01 Challenges on webservers that proxy-pass the /.well-known/acme-challenges/ directory
the Nginx plugin may not succeed in using HTTP-01 if your nginx webserver does not listen on port 80
the Nginx plugin may not succeed in using HTTP-01 if your config uses a non-standard port and you haven’t supplied a --http-01-port flag.
the Nginx plugin may be unreliable when using HTTP-01 if you have an IPv6 (AAAA) DNS record, but your server is only listening over IPv4.

And also if someone uses that certbot or any other script while the hoster ....
 
Just created a new cert for a domain on a directadmin server and haven't found anything wrong here. A cert was created fine.

Directadmin does not use those plugins and uses its own script to communicate with Let's Encrypt servers with http-01 challenge type, so I believe we are safe here.
 