Let's Encrypt: Migrating From TLS-SNI-01
Let's Encrypt is a free service that generates certificates to secure your website. It supports generating different types of certificates, including single-domain and wildcard. In addition, it has numerous methods to authenticate your domain to generate a certificate.
http-01
(Simple HTTP)dns-01
(DNS validation)tls-sni-01
(Validation through the use of a self-signed certificate - now deprecated)
The issue
Unfortunately, a vulnerability was discovered in January of 2018 where it became possible to generate certificates for domains without prior authentication/authorization. For example, certificates could be generated for domains that you do not actually own.
Shortly after, the protocol (tls-sni-01
) was discontinued and most new issuances (new certificates) were blocked from using the protocol to authenticate.
Switching to Simple HTTP
Switching to http-01
or "Simple HTTP" authentication is fairly simple. If you are using certbot-auto
to generate your certificates, Let's Encrypt will have already generated a new certificate or will do so automatically during the next "renewal."
If you are using certbot
, you should use the --preferred-challenge
parameter:
certbot (...) --prefered-challenge
This will tell Let's Encrypt to switch to http-01
.
Switching to DNS validation
If you want to avoid all of this hassle, it is relatively easy to configure Let's Encrypt's DNS validation. When executing certbot
, add --preferred-challenges dns
as a parameter:
certbot -d example.com --manual --preferred-challenges dns
certbot
will print something similar to the following:
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:
(random_string)
Once this is deployed,
Press ENTER to continue
Once you add the record with your DNS provider, hit Enter. You will then need to set-up a CRON job to automatically renew your certificate. As DNS validation has been used, you will not have to worry about redirection like you would for http-01
, (port 80
to port 443
).