certbot验证方法TLS-SNI-01即将过时

Let’s Encrypt因为安全性问题已经将TLS-SNI-01验证方法标记为过时,而且很快就不能使用了。

今天renew站点的证书时,突然提示开始使用http-01验证方式,然鹅80端口并没有配置,所以毫无悬念的更新失败了。

临时更改了renew的配置文件/etc/letsencrypt/renewal/xxx.com.conf,在renewalparams节添加参数

pref_challs=tls-sni-01

或者也可以在命令行添加

--preferred-challenges tls-sni-01

然后renew证书成功,但出现deprecated提示:

TLS-SNI-01 is deprecated, and will stop working soon.

下次renew证书就要改用http-01或者dns-01了。

References:
[1]Upcoming TLS-SNI Deprecation in Certbot
[2]Let’s Encrypt: Migrating From TLS-SNI-01

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.