Dealing with the end of Let's Encrypt's TLS-SNI-01 validation

I received an e-mail from Let's Encrypt today.

Action required: Let’s Encrypt certificate renewals

Hello,

Action may be required to prevent your Let’s Encrypt certificate renewals
from breaking.

If you already received a similar e-mail, this one contains updated
information.

Your Let’s Encrypt client used ACME TLS-SNI-01 domain validation to issue
a certificate in the past 60 days. Below is a list of names and IP
addresses validated (max of one per account):

aoboshi.org (35.230.123.50) on 2019-01-18

TLS-SNI-01 validation is reaching end-of-life. It will stop working
temporarily on February 13th, 2019, and permanently on March 13th, 2019.
Any certificates issued before then will continue to work for 90 days
after their issuance date.

You need to update your ACME client to use an alternative validation
method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your
certificate renewals will break and existing certificates will start to
expire.

Our staging environment already has TLS-SNI-01 disabled, so if you’d like
to test whether your system will work after February 13, you can run
against staging: https://letsencrypt.org/docs/staging-environment/

If you’re a Certbot user, you can find more information here:
https://community.letsencrypt.org/t/how-to-stop-using-tls-sni-01-with-certbot/83210

Our forum has many threads on this topic. Please search to see if your
question has been answered, then open a new thread if it has not:
https://community.letsencrypt.org/

For more information about the TLS-SNI-01 end-of-life please see our API
announcement:
https://community.letsencrypt.org/t/february-13-2019-end-of-life-for-all-tls-sni-01-validation-support/74209

Thank you,
Let’s Encrypt Staff

Wondering what this was about, I looked into it: a vulnerability had been found in the "TLS-SNI-01" domain validation method, so that method is being disabled as of February 13, and users who had renewed an SSL certificate with it within the past 60 days were being warned to switch to a different method.

Apparently it is enough to update the Let's Encrypt management program "certbot" to 0.28 or later, so I checked:

root@wordpress-vm:~# certbot --version
certbot 0.10.2
root@wordpress-vm:~#

That was old, so I updated it with "apt-get dist-upgrade" (without dist- the package is not updated and apt reports "The following packages have been kept back:"), after which

root@wordpress-vm:~# certbot --version
certbot 0.28.0
root@wordpress-vm:~#

it was updated.

Then I stopped Apache and tested whether the certificate could be renewed:

root@wordpress-vm:~# certbot renew --dry-run --preferred-challenges http
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/aoboshi.org.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator standalone, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for aoboshi.org
Waiting for verification...
Cleaning up challenges

-------------------------------------------------------------------------------
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/aoboshi.org/fullchain.pem
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/www.aoboshi.org.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.aoboshi.org
Waiting for verification...
Cleaning up challenges

-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/www.aoboshi.org/fullchain.pem
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/aoboshi.org/fullchain.pem (success)
  /etc/letsencrypt/live/www.aoboshi.org/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
-------------------------------------------------------------------------------

The result shows that renewal will work normally.
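The dry run above proves the challenge works when you pass --preferred-challenges http by hand, but the scheduled renewal (cron or systemd timer) runs plain "certbot renew" and takes its settings from /etc/letsencrypt/renewal/*.conf. If one of those files still has "pref_challs = tls-sni-01," from the old certbot, that renewal will fail after February 13 even though the dry run passed. The script below is an added example, not something from the original post or from certbot: it checks the installed certbot version against 0.28, lists renewal configs still pinned to tls-sni-01, and rewrites the pref_challs line to http-01 while keeping a .bak copy. The helper names, RENEWAL_DIR, and the two sample configs are constructed for the demo; on a real host point RENEWAL_DIR at /etc/letsencrypt/renewal.

```shell
#!/bin/sh
# Added example (not from the original post): pre-February-13 checks for a
# certbot host. Sample configs and helper names are constructed for the demo.

# Return 0 if the output of `certbot --version` (e.g. "certbot 0.28.0")
# reports 0.28 or newer, which is the version the post upgrades to.
certbot_version_ok() {
  printf '%s\n' "$1" | awk '{
    split($2, v, ".")
    ok = (v[1] + 0 > 0) || (v[1] + 0 == 0 && v[2] + 0 >= 28)
    exit (ok ? 0 : 1)
  }'
}

# Write two constructed renewal configs, trimmed to the fields that matter:
# one pinned to tls-sni-01 by an old certbot, one already on webroot/http-01.
make_sample_confs() {
  mkdir -p "$1"
  cat > "$1/example.org.conf" <<'EOF'
version = 0.10.2
cert = /etc/letsencrypt/live/example.org/cert.pem
[renewalparams]
authenticator = apache
installer = apache
pref_challs = tls-sni-01,
EOF
  cat > "$1/www.example.org.conf" <<'EOF'
version = 0.28.0
cert = /etc/letsencrypt/live/www.example.org/cert.pem
[renewalparams]
authenticator = webroot
installer = None
webroot_path = /var/www/html,
EOF
}

# Print the basenames of renewal configs in $1 that still mention tls-sni-01.
find_tls_sni_confs() {
  for f in "$1"/*.conf; do
    [ -f "$f" ] || continue
    if grep -qi 'tls-sni' "$f"; then basename "$f"; fi
  done
}

# Rewrite a config's pref_challs line from tls-sni-01 to http-01, keeping a
# .bak copy. Assumes the authenticator in that file (apache >= 0.28, webroot,
# standalone) can serve http-01, as the ones in the post do.
fix_pref_challs() {
  sed -i.bak 's/^pref_challs *=.*tls-sni-01.*$/pref_challs = http-01,/' "$1"
}

# Stand-alone demo: scan RENEWAL_DIR if set, otherwise a constructed copy.
RENEWAL_DIR="${RENEWAL_DIR:-$(mktemp -d)}"
ls "$RENEWAL_DIR"/*.conf >/dev/null 2>&1 || make_sample_confs "$RENEWAL_DIR"

if command -v certbot >/dev/null 2>&1; then
  ver=$(certbot --version 2>&1)
  certbot_version_ok "$ver" && echo "OK: $ver" || echo "UPDATE NEEDED: $ver (want >= 0.28)"
else
  echo "certbot not in PATH; demo continues with the sample configs"
fi

echo "Renewal configs in $RENEWAL_DIR still pinned to TLS-SNI-01:"
find_tls_sni_confs "$RENEWAL_DIR"
echo "Fix each with: fix_pref_challs <file>, then re-run: certbot renew --dry-run"
```

Run it as root (or with RENEWAL_DIR pointing at a copy of the directory) before the deadline, then confirm with a plain "certbot renew --dry-run" with no --preferred-challenges flag, because that is what the timer will run. Note that the first certificate in the post uses the standalone authenticator, which binds port 80 itself; that is why Apache had to be stopped for the test, and the scheduled renewal needs the same (a --pre-hook/--post-hook that stops and starts Apache) or a switch to the webroot or apache authenticator.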