This deactivation will take full effect on March 13, 2019; after that date, no certificate created with TLS-SNI-01 can be renewed, as stated in the email I received yesterday morning:
Hello,

Action may be required to prevent your Let’s Encrypt certificate renewals
from breaking.

If you already received a similar e-mail, this one contains updated
information.

Your Let’s Encrypt client used ACME TLS-SNI-01 domain validation to issue
a certificate in the past 60 days. Below is a list of names and IP
addresses validated (max of one per account):

domaine.mondomaine.tld (xxx.xxx.xxx.xxx) on 2018-12-23

TLS-SNI-01 validation is reaching end-of-life. It will stop working
temporarily on February 13th, 2019, and permanently on March 13th, 2019.
Any certificates issued before then will continue to work for 90 days
after their issuance date.

You need to update your ACME client to use an alternative validation
method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your
certificate renewals will break and existing certificates will start to
expire.

Our staging environment already has TLS-SNI-01 disabled, so if you’d like
to test whether your system will work after February 13, you can run
against staging: https://letsencrypt.org/docs/staging-environment/

If you’re a Certbot user, you can find more information here:
https://community.letsencrypt.org/t/how-to-stop-using-tls-sni-01-with-certbot/83210

Our forum has many threads on this topic. Please search to see if your
question has been answered, then open a new thread if it has not:
https://community.letsencrypt.org/

For more information about the TLS-SNI-01 end-of-life please see our API
announcement:
https://community.letsencrypt.org/t/february-13-2019-end-of-life-for-all-tls-sni-01-validation-support/74209

Thank you,
Let’s Encrypt Staff

This certificate must be renewed before March 23, so I need to act before I end up with a nice error. I therefore start by checking whether I am on version 0.28 of certbot.
certbot --version
Unfortunately, I see that I am still on version 0.23 on my Ubuntu 18.04. I add the certbot PPA to update it:
sudo apt update
sudo apt install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get full-upgrade
With the right version of certbot installed, I run a renewal simulation to confirm that everything works correctly. Don't forget to stop the web server process (nginx in my case) and to restart it at the end.
root@mail:~# systemctl stop nginx
root@mail:~# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mondomaine.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mondomaine.tld
Waiting for verification...
Cleaning up challenges
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/mondomaine.tld/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/mondomaine.tld/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The simulation is a success, so I can rest easy for when I have to renew this certificate.
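To check that result mechanically, the shell functions below read saved dry-run output and fail if any challenge still uses tls-sni-01 or if certbot did not report success. This is an added example, not part of the original post or of certbot; the function names and both sample logs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit `certbot renew --dry-run`
# output for the ACME challenge type used on each renewal.

# Constructed sample: excerpt shaped like the dry-run output shown in the post.
sample_new_log() {
cat <<'EOF'
Performing the following challenges:
http-01 challenge for mondomaine.tld
Waiting for verification...
Congratulations, all renewals succeeded. The following certs have been renewed:
EOF
}

# Constructed sample: the same run from a client still using TLS-SNI-01.
sample_old_log() {
cat <<'EOF'
Performing the following challenges:
tls-sni-01 challenge for mondomaine.tld
Waiting for verification...
Congratulations, all renewals succeeded. The following certs have been renewed:
EOF
}

# Read certbot output on stdin; print "domain challenge-type" per challenge.
list_challenges() {
    awk '$2 == "challenge" && $3 == "for" { print $4, $1 }'
}

# Return 0 only if challenges were seen, none is tls-sni-01, and certbot
# reported overall success. Reasons for failure go to stderr.
audit_dry_run() {
    log=$1
    status=0
    seen=$(list_challenges < "$log")
    bad=$(printf '%s\n' "$seen" | awk '$2 == "tls-sni-01" { print $1 }')
    [ -n "$seen" ] || { echo "no challenge lines found in $log" >&2; status=1; }
    [ -z "$bad" ] || { echo "tls-sni-01 still used for: $bad" >&2; status=1; }
    grep -q 'all renewals succeeded' "$log" ||
        { echo "dry run did not report success" >&2; status=1; }
    return "$status"
}

# Demo on the constructed old-client sample.
tmp=$(mktemp)
sample_old_log > "$tmp"
audit_dry_run "$tmp" || echo "action needed before the end-of-life date"
rm -f "$tmp"
```

On a real host, save the output of certbot renew --dry-run to a file and pass that file to audit_dry_run.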
Source: https://community.letsencrypt.org/t/how-to-stop-using-tls-sni-01-with-certbot/83210