Let’s Encrypt, TLS-SNI-01, and cPanel

I received a message from Let’s Encrypt about the TLS-SNI-01 validation method reaching end-of-life:

“Hello,

**Action is required to prevent your Let’s Encrypt certificate renewals from breaking.**

Your Let’s Encrypt client used ACME TLS-SNI-01 domain validation to issue a certificate in the past 60 days.

TLS-SNI-01 validation is reaching end-of-life and will stop working on **February 13th, 2019.**

You need to update your ACME client to use an alternative validation method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your certificate renewals will break and existing certificates will start to expire.”

Looking into this more on a cPanel server, I see it’s not using certbot like many Ubuntu servers do, but I’m not seeing the specific client that cPanel/CentOS does use. However, there is a forum post on cPanel’s official forums that says it shouldn’t cause any issues:

https://forums.cpanel.net/threads/security-issue-letsencrypt.619567/

“This shouldn’t affect the ability to obtain SSL certificates from Let’s Encrypt using the AutoSSL feature, as AutoSSL uses a different method of requesting/issuing the certificates.”

Since Let’s Encrypt is a common module added to cPanel servers, I don’t see this causing any issues; otherwise it would affect a large number of domains out on the Internet.

It looks like the reason for this warning/change is a security researcher who was able to exploit the existing validation method:

https://labs.detectify.com/2018/01/12/how-i-exploited-acme-tls-sni-01-issuing-lets-encrypt-ssl-certs-for-any-domain-using-shared-hosting/
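As an added worked example (not code from this page, from Let’s Encrypt, or from cPanel’s AutoSSL), the Python below computes, for one authorization token, the value an ACME client has to publish under each of the three surviving methods named in the e-mail above, and also the `acme.invalid` name the retired TLS-SNI-01 method used. The account-key JWK and the token are constructed dummies. Comparing the last function with the first three shows why TLS-SNI-01 was retired: the name the CA connected with never belonged to the domain being validated, so on a shared host any tenant who could install a certificate for an arbitrary SNI name could answer the challenge, which is the shared-hosting issue the Detectify post describes.

```python
"""ACME challenge responses for one token and one account key.

Added example; not code from Let's Encrypt, cPanel or this page. The JWK
modulus and the token are constructed dummies in the right format.
"""
import base64
import hashlib
import json

# Constructed dummy account key. Member order is deliberately non-canonical
# to show that the RFC 7638 thumbprint does not depend on it.
SAMPLE_JWK = {"kty": "RSA", "n": "n-is-a-dummy-base64url-modulus", "e": "AQAB"}
# Constructed token in the 43-char base64url form Let's Encrypt issues.
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_canonical(jwk: dict) -> str:
    """RFC 7638 thumbprint input: required members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    return json.dumps(members, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """base64url(SHA-256(canonical JWK)) identifies the account key."""
    return b64url(hashlib.sha256(jwk_canonical(jwk).encode()).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Shared by every challenge type: token + '.' + account-key thumbprint."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(token: str, jwk: dict) -> tuple:
    """HTTP-01: path on the validated host and the exact body it must serve."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_txt(token: str, jwk: dict) -> str:
    """DNS-01: TXT value for _acme-challenge.<domain> = base64url(SHA-256(keyAuth))."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode()).digest())


def tls_alpn01_acme_identifier(token: str, jwk: dict) -> bytes:
    """TLS-ALPN-01 (RFC 8737): raw SHA-256(keyAuth) that goes into the
    id-pe-acmeIdentifier extension of a self-signed cert whose SAN is the
    validated domain itself, served only for the acme-tls/1 ALPN protocol."""
    return hashlib.sha256(key_authorization(token, jwk).encode()).digest()


def tls_sni01_san(token: str, jwk: dict) -> str:
    """Retired TLS-SNI-01: Z = hex SHA-256(keyAuth); the self-signed cert's SAN
    was <Z[0:32]>.<Z[32:64]>.acme.invalid. The name is unrelated to the
    domain being validated, so whoever can answer SNI for that name on the
    domain's IP passes, which is the shared-hosting weakness."""
    z = hashlib.sha256(key_authorization(token, jwk).encode()).hexdigest()
    return f"{z[:32]}.{z[32:]}.acme.invalid"


if __name__ == "__main__":
    path, body = http01_response(TOKEN, SAMPLE_JWK)
    print("HTTP-01  GET", path, "->", body)
    print("DNS-01   TXT _acme-challenge.<domain> =", dns01_txt(TOKEN, SAMPLE_JWK))
    print("TLS-ALPN-01 acmeIdentifier =", tls_alpn01_acme_identifier(TOKEN, SAMPLE_JWK).hex())
    print("TLS-SNI-01 (retired) SAN =", tls_sni01_san(TOKEN, SAMPLE_JWK))
```

Running the script prints the four values side by side; the HTTP-01 body and DNS-01 TXT value are what an AutoSSL-style client or certbot publishes for the domain, and the TLS-SNI-01 line is the `acme.invalid` hostname that was never tied to the domain at all.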

If any other information comes up on how this would affect cPanel servers, I will update this article further.
