-
Notifications
You must be signed in to change notification settings - Fork 132
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
kontena certificate authorize --type tls-sni-01 fails with challenge: LE gave back empty tls-sni-01 challenge!?!? #3209
Comments
Current situation is that LE is now white-listing specific providers known to perform sufficient validation for certs. I don't think we're likely to see TLS-SNI challenges being available for use by Kontena users again at any time in the near future, and most likely not before LE certificates deployed by Kontena users will start failing to renew and expire. We are currently working on fast-tracking
|
Status Quo is that all
This means that certificates requested using Testing for
|
Milestoning to 1.5 because this can be closed once 1.5.0 is available and kontena/docs#71 is merged, allowing users to move from |
Closing as 1.5 is available and defaults to |
We should probably still keep BTW, here's the post-disclosure writeup, it seems like domains hosted on Heroku and AWS CloudFront were affected: https://labs.detectify.com/2018/01/12/how-i-exploited-acme-tls-sni-01-issuing-lets-encrypt-ssl-certs-for-any-domain-using-shared-hosting/ |
This is because LE has disabled all TLS-SNI based challenges as of January 10, 2018 02:16 UTC: https://letsencrypt.status.io/pages/incident/55957a99e800baa4470002da/5a55777ed9a9c1024c00b241
This is a mitigation for a security weakness in how service providers do not sufficiently validate custom user-provided certificates deployed to shared infrastructure, allowing other users of the same provider to illegitimately validate domains owned by other customers of the same service provider: https://community.letsencrypt.org/t/2018-01-09-issue-with-tls-sni-01-and-shared-hosting-infrastructure/49996
This affects automated LE certificate renewals by the Kontena server, and those certificates may expire unless LE either restores TLS-SNI support, or the cert domains are re-validated using some other method.
The current workaround for Kontena users is to use
kontena certificate authorize --type dns-01
, with either manual or automated mechanisms to update their DNS TXT records for renewals.Long-term, it's looking fairly clear that Kontena needs to also support the more popular and widely used
http-01
mechanism, which is far less likely to be unexpectedly disabled than the relatively unpopulartls-sni-*
mechanisms.The text was updated successfully, but these errors were encountered: