ikkeben
Take care of these Let's Encrypt changes soon please if needed! disabled TLS-SNI-01-2
See
https://community.letsencrypt.org/t...ni-01-and-shared-hosting-infrastructure/49996
josh 2018-01-10 09:28:26 UTC #1
At approximately 5 p.m. Pacific time on January 9, 2018, we received a report from Frans Rosén of Detectify outlining a method of exploiting some shared hosting infrastructures to obtain certificates for domains he did not control, by making use of the ACME TLS-SNI-01 challenge type. We quickly confirmed the issue and mitigated it by entirely disabling TLS-SNI-01 validation in Let’s Encrypt. We’re grateful to Frans for finding this issue and reporting it to us.
We’d like to describe the issue and our plans for possibly re-enabling TLS-SNI-01 support.
This issue only affects domain names that use hosting providers with the above combination of properties. It is independent of whether the hosting provider itself acts as an ACME client. It applies equally to TLS-SNI-02.
Our Plans
Shortly after the issue was reported, we disabled TLS-SNI-01 in Let’s Encrypt. However, a large number of people and organizations use the TLS-SNI-01 challenge type to get certificates. It’s important that we restore service if possible, though we will only do so if we’re confident that the TLS-SNI-01 challenge type is sufficiently secure.
We will post more information and details as our plans progress.
Update #1: We have decided to re-enable the TLS-SNI-01 challenge for certain major providers who are known not to have issues while we investigate re-enabling TLS-SNI-01 in general. We’re doing this as a safe way to restore service faster for a large number of sites.
josh 2018-01-11 22:16:27 UTC #4
We’ve posted a major update to a new thread.
https://community.letsencrypt.org/t...s-sni-and-shared-hosting-infrastructure/50188
TLS-SNI Validation Will Remain Disabled For New Accounts
The ACME TLS-SNI-01 validation method will remain disabled permanently for new accounts by default. Since the same problems apply to TLS-SNI-02, TLS-SNI-02 will remain disabled in our upcoming ACMEv2 API endpoint.
Mitigations for Existing TLS-SNI Users
Our recommendation for users is to begin a migration to the HTTP-01 or DNS-01 validation methods. We are working to provide a reasonable amount of migration time for as many users as possible, while maintaining our commitment to security.
We strongly encourage people to move to HTTP or DNS validation rather than attempt to get on the TLS-SNI-01 whitelist.
For most people using the TLS-SNI validation method, moving to the HTTP validation method will be the easiest path forward.
Also a howto for DA if needed to change something?
https://community.letsencrypt.org/t...e-and-nginx-fixes-for-tls-sni-01-outage/50207
For example, changes or problems with this updated script for those who used this or parts from this one: https://github.com/certbot/certbot
Known issues with these changes as of 2018-01-11:
the Apache plugin may not succeed in using HTTP-01 Challenges on virtual hosts that redirect to a different webserver
the Apache plugin may not succeed in using HTTP-01 Challenges on webservers that proxy-pass the /.well-known/acme-challenges/ directory
the Nginx plugin may not succeed in using HTTP-01 if your nginx webserver does not listen on port 80
the Nginx plugin may not succeed in using HTTP-01 if your config uses a non-standard port and you haven’t supplied a --http-01-port flag.
the Nginx plugin may be unreliable when using HTTP-01 if you have an IPv6 (AAAA) DNS record, but your server is only listening over IPv4.
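Added example (my own code, not from the certbot or Let's Encrypt posts quoted above): a small Python check that scans nginx server blocks for the HTTP-01 pitfalls in the known-issues list: no port-80 listener, no IPv6 listener (relevant when the name has an AAAA record), an acme-challenge location that is proxy_passed elsewhere, and a redirect to a different host. The sample config and host names are constructed.

```python
import re

# Constructed sample (not from the posts above): two vhosts showing the listed HTTP-01 pitfalls.
SAMPLE_CONF = """
server { listen 8080;  server_name app.example.com;
         location /.well-known/acme-challenge/ { proxy_pass http://127.0.0.1:9000; }
         location / { root /var/www/app; } }
server { listen 80;  listen [::]:80;  server_name www.example.com;
         return 301 https://example.org$request_uri; }
"""

def _blocks(conf, name):  # yield (header, body) of each `name ... { ... }` block, nesting-aware
    for m in re.finditer(r"\b" + re.escape(name) + r"\b([^{;]*)\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1).strip(), conf[m.end():i - 1]

def http01_findings(server_body):
    """Return HTTP-01 readiness warnings for the body of one nginx server block."""
    findings, ports, has_v6 = [], set(), False
    for spec in re.findall(r"\blisten\s+([^;]+);", server_body):
        addr = spec.split()[0]                      # drop flags such as 'ssl', 'default_server'
        has_v6 |= addr.startswith("[")
        m = re.search(r":(\d+)$|^(\d+)$", addr)
        ports.add(int(m.group(1) or m.group(2)) if m else 80)
    if 80 not in ports:
        findings.append("no listener on port 80 (challenge unreachable unless --http-01-port is used)")
    if not has_v6:
        findings.append("no IPv6 listener: HTTP-01 will fail if the name has an AAAA record")
    locs = list(_blocks(server_body, "location"))
    acme = [body for hdr, body in locs if "/.well-known/acme-challenge" in hdr]
    if any(re.search(r"\bproxy_pass\b", body) for body in acme):
        findings.append("acme-challenge location is proxy_passed to another server")
    scope = server_body                             # text in which a redirect would catch the challenge
    for _, body in (locs if acme else []):          # a dedicated challenge location shields it from
        scope = scope.replace(body, "")             # redirects inside the other locations
    names = set(" ".join(re.findall(r"\bserver_name\s+([^;]+);", server_body)).split())
    for host in re.findall(r"\breturn\s+30[1278]\s+https?://([^/$;\s]+)", scope):
        if host not in names:                       # same-host HTTPS redirects are fine
            findings.append(f"redirects to a different webserver: {host}")
    return findings

def lint_conf(conf):  # map the first server_name of each server block to its findings
    report = {}
    for _, body in _blocks(conf, "server"):
        m = re.search(r"\bserver_name\s+([^\s;]+)", body)
        report[m.group(1) if m else "<unnamed>"] = http01_findings(body)
    return report
```

Run `lint_conf` over the real nginx config before switching from TLS-SNI-01 to HTTP-01; a vhost with an empty list is ready for the challenge as far as these checks go.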