Received a message from Let’s Encrypt about the TLS-SNI-01 validation method expiring:
“Hello,
**Action is required to prevent your Let’s Encrypt certificate renewals from breaking.**
Your Let’s Encrypt client used ACME TLS-SNI-01 domain validation to issue a certificate in the past 60 days.
TLS-SNI-01 validation is reaching end-of-life and will stop working on **February 13th, 2019.**
You need to update your ACME client to use an alternative validation method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your certificate renewals will break and existing certificates will start to expire.”
Looking into this more on a cPanel server, I see it is not using certbot the way many Ubuntu servers do, but I have not found which ACME client cPanel/CentOS does use. However, there is a post on cPanel's official forums saying it should not cause any issues:
https://forums.cpanel.net/threads/security-issue-letsencrypt.619567/
“This shouldn’t affect the ability to obtain SSL certificates from Let’s Encrypt using the AutoSSL feature, as AutoSSL uses a different method of requesting/issuing the certificates.”
Since Let’s Encrypt is a common module added to cPanel servers, I don’t see this causing any issues; otherwise it would affect a large number of domains out on the Internet.
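For the certbot-based hosts mentioned above (the cPanel AutoSSL path does not use these files), the practical check is whether any renewal config still prefers TLS-SNI-01. The following is an added example, not code from the original post or from certbot; it assumes the certbot renewal file layout under /etc/letsencrypt/renewal/ (top-level `key = value` lines, then a `[renewalparams]` section with an optional comma-separated `pref_challs` key) and runs on constructed sample configs rather than a live server.

```python
"""Audit certbot-style renewal configs for the retired TLS-SNI-01 challenge.

Added example (not from the original post or from certbot). It assumes the
certbot renewal file layout (/etc/letsencrypt/renewal/<name>.conf): top-level
"key = value" lines followed by a [renewalparams] section whose optional
"pref_challs" key lists preferred challenge types as a comma-separated string.
"""
from typing import Dict, List

# Challenge types Let's Encrypt kept after the 2019-02-13 retirement.
SUPPORTED = {"http-01", "dns-01", "tls-alpn-01"}
RETIRED = {"tls-sni-01"}


def parse_renewal_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the minimal INI-like renewal format into {section: {key: value}}.

    Keys that appear before any [section] header land under "".
    """
    sections: Dict[str, Dict[str, str]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections[current][key.strip()] = value.strip()
    return sections


def challenge_status(text: str) -> str:
    """Classify one renewal config by its preferred challenge types.

    'retired'  -> pref_challs names a challenge that no longer works
    'ok'       -> pref_challs only names supported challenges
    'default'  -> no explicit preference; the client's built-in default
                  applies, so the client version itself must be checked
    'unknown'  -> pref_challs names something not in either list
    """
    params = parse_renewal_conf(text).get("renewalparams", {})
    raw = params.get("pref_challs", "")
    challs = [c.strip() for c in raw.split(",") if c.strip()]
    if not challs:
        return "default"
    if any(c in RETIRED for c in challs):
        return "retired"
    if all(c in SUPPORTED for c in challs):
        return "ok"
    return "unknown"


def audit(confs: Dict[str, str]) -> List[str]:
    """Names of configs that need attention before renewal (retired or unknown)."""
    return sorted(name for name, text in confs.items()
                  if challenge_status(text) in ("retired", "unknown"))


# Constructed sample configs (not captured from a real server).
SAMPLES = {
    "old.example.com.conf": """\
version = 0.19.0
archive_dir = /etc/letsencrypt/archive/old.example.com
[renewalparams]
authenticator = apache
installer = apache
pref_challs = tls-sni-01,
""",
    "web.example.com.conf": """\
version = 0.28.0
archive_dir = /etc/letsencrypt/archive/web.example.com
[renewalparams]
authenticator = webroot
pref_challs = http-01,
""",
    "plain.example.com.conf": """\
version = 0.28.0
[renewalparams]
authenticator = standalone
""",
}

if __name__ == "__main__":
    # On a real host, replace SAMPLES with the contents of the files under
    # /etc/letsencrypt/renewal/ and act on whatever audit() reports.
    for name, text in SAMPLES.items():
        print(f"{name}: {challenge_status(text)}")
    print("needs attention:", audit(SAMPLES))
```

A "default" result is not a clean bill of health: it only means the config sets no preference, so the client's own default ordering decides, and that depends on the client version installed.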
Looks like the reason for this warning/change is that a security researcher was able to exploit the existing system:
If I find any other information on how this would affect cPanel servers, I will update this article further.