差分

このページの2つのバージョン間の差分を表示します。

--- サーバ:ssl証明書_let_s_encrypt:tls-sni-01の脆弱性 [2019/03/12 11:27]
yusuke_komori 作成
+++ — (現在)
@@ 行 1: / 行 1: @@
-====== TLS-SNI-01の脆弱性「Action required: Let's Encrypt certificate renewals」対応 ======
-Let's Encrypt より「Action required: Let's Encrypt certificate renewals」というタイトルで以下のメールが届いた。
-<code:none nolinenums>
-Hello,
-Action may be required to prevent your Let's Encrypt certificate renewals from
-breaking.
-If you already received a similar e-mail, this one contains updated information.
-Your Let's Encrypt client used ACME TLS-SNI-01 domain validation to issue a
-certificate in the past 7 days. Below is a list of names and IP addresses
-validated (max of one per account):
- example.com (XX.XX.XX.XX) on 2019-03-08
-TLS-SNI-01 validation is reaching end-of-life. It will stop working
-permanently on March 13th, 2019. Any certificates issued before then will
-continue to work for 90 days after their issuance date.
-You need to update your ACME client to use an alternative validation method
-(HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your certificate renewals
-will break and existing certificates will start to expire.
-Our staging environment already has TLS-SNI-01 disabled, so if you'd like to
-test whether your system will work after March 13, you can run against
-staging: https://letsencrypt.org/docs/staging-environment/
-If you're a Certbot user, you can find more information here:
-https://community.letsencrypt.org/t/how-to-stop-using-tls-sni-01-with-certbot/83210
-Our forum has many threads on this topic. Please search to see if your question
-has been answered, then open a new thread if it has not:
-https://community.letsencrypt.org/
-For more information about the TLS-SNI-01 end-of-life, please see our API
-announcement:
-https://community.letsencrypt.org/t/february-13-2019-end-of-life-for-all-tls-sni-01-validation-support/74209
-Thank you,
-Let's Encrypt Staff
-</code>
-TLS-SNI-01 に脆弱性が見つかったので、ACME のクライアントをアップデートする必要がある、ということらしい。
-詳しい情報は以下のURLにあるとのこと。\\
-https://community.letsencrypt.org/t/how-to-stop-using-tls-sni-01-with-certbot/83210
-Cerbot のバージョンが 0.28 以上で、かつドライランが成功すればよい模様。\\
-試したサーバは以下\\
-　CentOS 7.5\\
-　Apache 2.4.6\\
-<code>
-# まずは、certbot と python のバージョン確認
-$ certbot --version
-certbot 0.27.1
-$ python -V
-Python 2.7.5
-# ドライランを試してみる
-$ sudo certbot renew --dry-run
-Saving debug log to /var/log/letsencrypt/letsencrypt.log
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-Processing /etc/letsencrypt/renewal/example.com.conf
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-Cert not due for renewal, but simulating renewal for dry run
-Plugins selected: Authenticator apache, Installer apache
-Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
-Renewing an existing certificate
-Performing the following challenges:
-http-01 challenge for example.com
-Waiting for verification...
-Cleaning up challenges
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-new certificate deployed with reload of apache server; fullchain is
-/etc/letsencrypt/live/example.com/fullchain.pem
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-** DRY RUN: simulating 'certbot renew' close to cert expiry
-**          (The test certificates below have not been saved.)
-Congratulations, all renewals succeeded. The following certs have been renewed:
-  /etc/letsencrypt/live/example.com/fullchain.pem (success)
-** DRY RUN: simulating 'certbot renew' close to cert expiry
-**          (The test certificates above have not been saved.)
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-Running post-hook command: apachectl graceful
-IMPORTANT NOTES:
- - Your account credentials have been saved in your Certbot
-   configuration directory at /etc/letsencrypt. You should make a
-   secure backup of this folder now. This configuration directory will
-   also contain certificates and private keys obtained by Certbot so
-   making regular backups of this folder is ideal.
-# cerbotが 0.27 のままなんだけど、「http-01」形式で成功しているような気がするけど何故だろう？
-# 分からないものの、バージョンアップをしておいた方がよいのは確かだと思われるので yum update をかける
-$ sudo yum -y --enablerepo=epel update certbot python2-acme
-# 再度バージョンを確認
-$ certbot --version
-certbot 0.31.0
-$ python -V
-Python 2.7.5
-# もう一度ドライランを試す
-$ sudo certbot renew --dry-run
-Saving debug log to /var/log/letsencrypt/letsencrypt.log
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-Processing /etc/letsencrypt/renewal/example.com.conf
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-Cert not due for renewal, but simulating renewal for dry run
-Plugins selected: Authenticator apache, Installer apache
-Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
-Renewing an existing certificate
-Performing the following challenges:
-http-01 challenge for example.com
-Waiting for verification...
-Cleaning up challenges
-Resetting dropped connection: acme-staging-v02.api.letsencrypt.org
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-new certificate deployed with reload of apache server; fullchain is
-/etc/letsencrypt/live/example.com/fullchain.pem
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-** DRY RUN: simulating 'certbot renew' close to cert expiry
-**          (The test certificates below have not been saved.)
-Congratulations, all renewals succeeded. The following certs have been renewed:
-  /etc/letsencrypt/live/example.com/fullchain.pem (success)
-** DRY RUN: simulating 'certbot renew' close to cert expiry
-**          (The test certificates above have not been saved.)
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-Running post-hook command: apachectl graceful
-# さっきと結果は変わらず「http-01」で成功
-</code>
-先程のリンク先に書かれていた以下のコマンド。tls-sni-01 の削除は行っていないけど大丈夫っぽい？
-<code>
-sudo sh -c "sed -i.bak -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/g' /etc/letsencrypt/renewal/*; rm -f /etc/letsencrypt/renewal/*.bak"
-</code>
-cerbot バージョンアップ前から、ドライランで「http-01」が使われていたりと、分からないことだらけでしたが、ひとまず結果を見る限りでは大丈夫そうなので、しらばくこれで様子を見てみます。

ゆーものメモ帳

ユーザ用ツール

サイト用ツール

差分

ページ用ツール