Responding to the TLS-SNI-01 vulnerability: "Action required: Let's Encrypt certificate renewals"

Let's Encrypt sent me the following e-mail titled "Action required: Let's Encrypt certificate renewals".

Hello,

Action may be required to prevent your Let's Encrypt certificate renewals from
breaking.

If you already received a similar e-mail, this one contains updated information.

Your Let's Encrypt client used ACME TLS-SNI-01 domain validation to issue a
certificate in the past 7 days. Below is a list of names and IP addresses
validated (max of one per account):

 example.com (XX.XX.XX.XX) on 2019-03-08

TLS-SNI-01 validation is reaching end-of-life. It will stop working
permanently on March 13th, 2019. Any certificates issued before then will
continue to work for 90 days after their issuance date.

You need to update your ACME client to use an alternative validation method
(HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your certificate renewals
will break and existing certificates will start to expire.

Our staging environment already has TLS-SNI-01 disabled, so if you'd like to
test whether your system will work after March 13, you can run against
staging: https://letsencrypt.org/docs/staging-environment/

If you're a Certbot user, you can find more information here:
https://community.letsencrypt.org/t/how-to-stop-using-tls-sni-01-with-certbot/83210

Our forum has many threads on this topic. Please search to see if your question
has been answered, then open a new thread if it has not:
https://community.letsencrypt.org/

For more information about the TLS-SNI-01 end-of-life, please see our API
announcement:
https://community.letsencrypt.org/t/february-13-2019-end-of-life-for-all-tls-sni-01-validation-support/74209

Thank you,
Let's Encrypt Staff

Apparently a vulnerability was found in TLS-SNI-01, so the ACME client needs to be updated. Details are said to be at the following URL:
https://community.letsencrypt.org/t/how-to-stop-using-tls-sni-01-with-certbot/83210

It seems that all that is needed is Certbot version 0.28 or later and a successful dry run.
The server I tried this on:
 CentOS 7.5
 Apache 2.4.6

# First, check the certbot and python versions
$ certbot --version
certbot 0.27.1

$ python -V
Python 2.7.5

# Try a dry run
$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for example.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/example.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/example.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: apachectl graceful

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

# certbot is still 0.27, yet it looks like it succeeded using "http-01". Why is that?
# I don't know, but upgrading is surely the right thing to do anyway, so run yum update
$ sudo yum -y --enablerepo=epel update certbot python2-acme

# Check the versions again
$ certbot --version
certbot 0.31.0

$ python -V
Python 2.7.5

# Try the dry run once more
$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for example.com
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-staging-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/example.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/example.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: apachectl graceful

# Same result as before: succeeds with "http-01"

The following command was given on the page linked above. I haven't run it to remove tls-sni-01, but things seem to be fine anyway?

sudo sh -c "sed -i.bak -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/g' /etc/letsencrypt/renewal/*; rm -f /etc/letsencrypt/renewal/*.bak"
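A more careful version of that rewrite, as an added example (this is neither Certbot's code nor from the original post): it parses the pref_challs list rather than substituting blindly, so an entry like "tls-sni-01, http-01" collapses to "http-01" instead of becoming "http-01, http-01", it keeps the .bak copy that the one-liner deletes, and it reports which files it would touch before writing anything. The renewal directory path and the sample config below are assumptions/constructed values, not taken from a real system.

```python
"""Rewrite Certbot renewal configs so they no longer prefer TLS-SNI-01.

Added example, not Certbot's code and not from the original post. It does the
job of the sed one-liner, but parses the pref_challs value instead of doing a
blind substitution, keeps a .bak copy, and reports what it would change so the
result can be reviewed before the next 'certbot renew'. RENEWAL_DIR and
SAMPLE_CONF are assumptions/constructed values.
"""
import re
import shutil
import tempfile
from pathlib import Path
from typing import List, Tuple

RENEWAL_DIR = Path("/etc/letsencrypt/renewal")  # assumption: default Certbot layout
RETIRED = {"tls-sni-01"}        # challenge types that no longer work
REPLACEMENT = "http-01"         # what the post's sed command substitutes

# 'key' is everything up to the value, 'val' the comma-separated challenge list.
PREF_RE = re.compile(r"^(?P<key>\s*pref_challs\s*=\s*)(?P<val>.*?)(?P<tail>\s*)$")

# Constructed sample in Certbot's INI-like renewal format; values are placeholders.
SAMPLE_CONF = """\
# renew_before_expiry = 30 days
version = 0.27.1
archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/cert.pem

# Options used in the renewal process
[renewalparams]
authenticator = apache
installer = apache
account = PLACEHOLDER_ACCOUNT_ID
pref_challs = tls-sni-01, http-01
server = https://acme-v02.api.letsencrypt.org/directory
"""


def rewrite_pref_challs(line: str) -> str:
    """Replace retired challenge types on a pref_challs line, de-duplicated, order kept."""
    m = PREF_RE.match(line)
    if not m:
        return line
    challs = [c.strip() for c in m.group("val").split(",") if c.strip()]
    if not RETIRED & set(challs):
        return line  # nothing retired here, leave the line byte-for-byte intact
    kept: List[str] = []
    for c in challs:
        new = REPLACEMENT if c in RETIRED else c
        if new not in kept:
            kept.append(new)
    return f"{m.group('key')}{', '.join(kept)}{m.group('tail')}"


def rewrite_config(text: str) -> Tuple[str, bool]:
    """Rewrite every pref_challs line in a config; report whether anything changed."""
    new_text = "".join(rewrite_pref_challs(ln) for ln in text.splitlines(keepends=True))
    return new_text, new_text != text


def fix_renewal_dir(renewal_dir: Path = RENEWAL_DIR, dry_run: bool = True) -> List[Path]:
    """Return the configs that (would) need rewriting; write them only when dry_run is False."""
    changed: List[Path] = []
    if not renewal_dir.is_dir():
        return changed
    for conf in sorted(renewal_dir.glob("*.conf")):
        new_text, modified = rewrite_config(conf.read_text())
        if modified:
            changed.append(conf)
            if not dry_run:
                shutil.copy2(conf, conf.with_name(conf.name + ".bak"))  # keep a backup
                conf.write_text(new_text)
    return changed


def demo_on_tempdir() -> Tuple[int, bool, bool]:
    """Run the fixer on a throwaway directory holding SAMPLE_CONF (safe to run anywhere)."""
    with tempfile.TemporaryDirectory() as d:
        conf = Path(d) / "example.com.conf"
        conf.write_text(SAMPLE_CONF)
        changed = fix_renewal_dir(Path(d), dry_run=False)
        backup_exists = conf.with_name(conf.name + ".bak").exists()
        still_retired = "tls-sni-01" in conf.read_text()
        return len(changed), backup_exists, still_retired


if __name__ == "__main__":
    print(demo_on_tempdir())  # (1, True, False)
    for p in fix_renewal_dir():  # dry run against the real directory: report only
        print("would rewrite", p)
```

Run as-is for a report; call fix_renewal_dir(dry_run=False) to write. Regarding the dry run already using http-01 with certbot 0.27.1: the log shows it talking to acme-staging-v02, where, per the e-mail, TLS-SNI-01 was already disabled, and an ACME client can only pick from the challenge types the server actually offers for an authorization, so http-01 was what remained for the apache authenticator. Cleaning pref_challs removes the stale preference so it cannot be selected anywhere.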

There was a lot I didn't understand, such as "http-01" already being used in the dry run before the certbot upgrade, but as far as the results go it looks fine for now, so I'll leave it like this and keep an eye on it for a while.

サーバ/ssl証明書/tls-sni-01の脆弱性_let_s_encrypt.txt · Last modified: 2019/04/01 12:04 by yusuke_komori