Ubuntu
python-certbot package

Upgrade Certbot to version 0.28 or higher to stop using TLS-SNI-01

  1. Bionic (18.04)
  2. Bug #1812366
Bug #1812366 reported by Dominic Raferd
24
This bug affects 4 people
Affects Status Importance Assigned to Milestone
python-certbot (Ubuntu)
Fix Released
Undecided
Unassigned
Bionic
New
Undecided
Unassigned

Bug Description

This version (0.23.0-1) is now outdated and I believe this is why I receive warning mails from letsencrypt like this:

Hello,

**Action is required to prevent your Let's Encrypt certificate renewals from breaking.**

Your Let’s Encrypt client used ACME TLS-SNI-01 domain validation to issue a certificate in the past 60 days.

TLS-SNI-01 validation is reaching end-of-life and will stop working on **February 13th, 2019.**

You need to update your ACME client to use an alternative validation method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your certificate renewals will break and existing certificates will start to expire.

If you need help updating your ACME client, please open a new topic in the Help category of the Let's Encrypt community forum:

  https://community.letsencrypt.org/c/help

Please answer all of the questions in the topic template so we can help you.

For more information about the TLS-SNI-01 end-of-life please see our API announcement:

https://community.letsencrypt.org/t/february-13-2019-end-of-life-for-all-tls-sni-01-validation-support/74209

Thank you,
  Let's Encrypt Staff

Revision history for this message
Ricardo (rjpinto) wrote :

Just wanted to reinforce that there is a high probability that all Ubuntu LTS servers will start failing to renew Let's Encrypt certificates as the minimum version for certbot should be 0.28 to fix TLS-SNI-01 problems.
https://community.letsencrypt.org/t/how-to-stop-using-tls-sni-01-with-certbot/83210

I am sure I am not the only one using only Let's Encrypt for multiple sites and servers. Would be really cool if you would backport the package from disco to cosmic and bionic and prevent the TLS apocalypse. :)

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in python-certbot (Ubuntu):
status: New → Confirmed
Revision history for this message
Ricardo (rjpinto) wrote :

The workarond is to use packages for Ubuntu from the following PPA
https://launchpad.net/~certbot/+archive/ubuntu/certbot

Mathew Hodson (mhodson)
tags: added: bionic
tags: added: upgrade-software-version
Mathew Hodson (mhodson)
summary: - outdated version, please update
+ Upgrade Certbot to version 0.28 or higher to stop using TLS-SNI-01
Mathew Hodson (mhodson)
Changed in python-certbot (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.