Netgate SG-1000 microFirewall

Author Topic: HEADS UP for ACME package users: Let's Encrypt disabling TLS-SNI-01 / TLS-SNI-02  (Read 781 times)

0 Members and 1 Guest are viewing this topic.

Offline jimp

  • Administrator
  • Hero Member
  • *****
  • Posts: 21770
  • Karma: +1505/-26
    • View Profile
First, this is not specific to pfSense or our ACME package but to Let's Encrypt and ACME clients in general.

Security researcher Frans RosÚn found a flaw in the ACME specification for TLS-SNI-01 and TLS-SNI-02 in cases where shared hosting operates certain less-than-ideal ways with regard to certificates and serving content on port 443. Let's Encrypt followed the spec, so it was possible in certain specific shared hosting cases to obtain a certificate for another domain on the same shared hosting service. Once Let's Encrypt was alerted and confirmed the problem, they shut down TLS-SNI-01/02 validation. They have since re-enabled it in a limited capacity, mostly for renewals. All of the details are here:

What that means for LE/ACME users is that if you currently use "Standalone TLS Server" mode to validate certificates, you should move to another method as soon as possible, for example, use Standalone HTTP Server or a DNS method. Even though the problem only affects shared hosting scenarios, the specification doesn't have any way to isolate that scenario.

It will be possible to renew via TLS-SNI-01 for a short time yet, Let's Encrypt has not announced a cutoff date, but I would not count on it being active for long. Switch ASAP.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!