Knowledgebase

Let's Encrypt: Migrating From TLS-SNI-01 Print

  • 0

Let's Encrypt is a free service that generates certificates to secure your website. It supports generating different types of certificates, including single-domain and wildcard. In addition, it has numerous methods to authenticate your domain to generate a certificate.

  • http-01 (Simple HTTP)
  • dns-01 (DNS validation)
  • tls-sni-01 (Validation through the use of a self-signed certificate - now deprecated)

The issue

Unfortunately, a vulnerability was discovered in January of 2018 where it became possible to generate certificates for domains without prior authentication/authorization. For example, certificates could be generated for domains that you do not actually own.

Shortly after, the protocol (tls-sni-01) was discontinued and most new issuances (new certificates) were blocked from using the protocol to authenticate.

Switching to Simple HTTP

Switching to http-01 or "Simple HTTP" authentication is fairly simple. If you are using certbot-auto to generate your certificates, Let's Encrypt will have already generated a new certificate or will do so automatically during the next "renewal."

If you are using certbot, you should use the --preferred-challenge parameter:

certbot (...) --prefered-challenge

This will tell Let's Encrypt to switch to http-01.

Switching to DNS validation

If you want to avoid all of this hassle, it is relatively easy to configure Let's Encrypt's DNS validation. When executing certbot, add --preferred-challenges dns as a parameter:

certbot -d example.com --manual --preferred-challenges dns

certbot will print something similar to the following:

Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:

(random_string)

Once this is deployed,
Press ENTER to continue

Once you add the record with your DNS provider, hit Enter. You will then need to set-up a CRON job to automatically renew your certificate. As DNS validation has been used, you will not have to worry about redirection like you would for http-01, (port 80 to port 443).

Let's Encrypt is a free service that generates certificates to secure your website. It supports generating different types of certificates, including single-domain and wildcard. In addition, it has numerous methods to authenticate your domain to generate a certificate. http-01 (Simple HTTP) dns-01 (DNS validation) tls-sni-01 (Validation through the use of a self-signed certificate - now deprecated) The issue Unfortunately, a vulnerability was discovered in January of 2018 where it became possible to generate certificates for domains without prior authentication/authorization. For example, certificates could be generated for domains that you do not actually own. Shortly after, the protocol (tls-sni-01) was discontinued and most new issuances (new certificates) were blocked from using the protocol to authenticate. Switching to Simple HTTP Switching to http-01 or "Simple HTTP" authentication is fairly simple. If you are using certbot-auto to generate your certificates, Let's Encrypt will have already generated a new certificate or will do so automatically during the next "renewal." If you are using certbot, you should use the --preferred-challenge parameter: certbot (...) --prefered-challenge This will tell Let's Encrypt to switch to http-01. Switching to DNS validation If you want to avoid all of this hassle, it is relatively easy to configure Let's Encrypt's DNS validation. When executing certbot, add --preferred-challenges dns as a parameter: certbot -d example.com --manual --preferred-challenges dns certbot will print something similar to the following: Please deploy a DNS TXT record under the name _acme-challenge.example.com with the following value: (random_string) Once this is deployed, Press ENTER to continue Once you add the record with your DNS provider, hit ENTER. You will then need to set-up a CRON job to automatically renew your certificate. As DNS validation has been used, you will not have to worry about redirection like you would for http-01, (port 80 to port 443).

Was this answer helpful?
Back

Powered by WHMCompleteSolution