Let's Encrypt: Migrating From TLS-SNI-01
Let's Encrypt is a free service that issues certificates to secure your website. It can issue different types of certificates, including single-domain and wildcard, and it offers several methods for proving control of your domain before a certificate is issued, among them:

- `tls-sni-01` (validation through the use of a self-signed certificate; now deprecated)
Unfortunately, in January 2018 a vulnerability was discovered that made it possible to obtain certificates for domains without prior authentication or authorization, that is, for domains that you do not actually own.

Shortly after, the `tls-sni-01` challenge was discontinued, and most new issuances (new certificates) were blocked from using it for authentication.
Switching to Simple HTTP
`http-01`, or "Simple HTTP", authentication is fairly simple. If you are using `certbot-auto` to generate your certificates, Let's Encrypt will already have issued a new certificate, or will do so automatically during the next renewal.

If you are using `certbot`, you should use the `--preferred-challenges` option:

`certbot (...) --preferred-challenges`

This will tell Let's Encrypt to switch to
Switching to DNS validation
If you want to avoid all of this hassle, it is relatively easy to configure Let's Encrypt's DNS validation. When executing `certbot` with `--preferred-challenges dns` as a parameter:

```
certbot -d example.com --manual --preferred-challenges dns
```

`certbot` will print something similar to the following:

```
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:

Once this is deployed,
Press ENTER to continue
```
Once you add the record with your DNS provider, hit Enter. You will then need to set up a cron job to automatically renew your certificate. As DNS validation has been used, you will not have to worry about redirection like you would for 80 to port
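Before hitting Enter it is worth confirming that the `_acme-challenge` TXT record is actually visible from public resolvers, otherwise the validation fails and you have to start over. The script below is an added example, not part of the original post or of certbot; the resolver addresses, record name and expected value are assumptions (the value is whatever certbot printed in the prompt above).

```shell
#!/usr/bin/env bash
# Poll public resolvers until the TXT record certbot asked for is visible.
set -eu

# Return 0 if one of the TXT values read from stdin equals the expected
# token. `dig +short TXT` prints each value wrapped in double quotes, one
# per line, so both the quoted and the bare form are accepted.
txt_contains() {
  expected="$1"
  while IFS= read -r line; do
    [ "$line" = "\"$expected\"" ] && return 0
    [ "$line" = "$expected" ] && return 0
  done
  return 1
}

# Ask one resolver for the TXT record (needs network; not exercised offline).
query_txt() {
  dig +short @"$1" TXT "$2"
}

# Retry until every listed resolver returns the expected token, or give up.
# Usage: wait_for_challenge _acme-challenge.example.com <token> [attempts]
wait_for_challenge() {
  name="$1"; expected="$2"; attempts="${3:-30}"
  resolvers="1.1.1.1 8.8.8.8"   # assumption: any public resolvers will do
  i=1
  while [ "$i" -le "$attempts" ]; do
    ok=1
    for r in $resolvers; do
      query_txt "$r" "$name" | txt_contains "$expected" || ok=0
    done
    if [ "$ok" -eq 1 ]; then
      echo "TXT record for $name visible on all resolvers; safe to press Enter"
      return 0
    fi
    sleep 10
    i=$((i + 1))
  done
  echo "TXT record for $name not visible after $attempts attempts" >&2
  return 1
}
```

Note that a cron job running `certbot renew` with `--manual` will stop and wait for input unless record creation is scripted through `--manual-auth-hook`, so for unattended renewal that hook (or a DNS plugin for your provider) is still needed.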