Merge remote-tracking branch 'georgio/TLS-SNI-01-Deprecation-1' into no-more-tls-sni-01

2026-01-26 07:41:33 +03:00 · 2018-12-07 13:36:49 -08:00
parent bc9865371a 9fa0a58545
commit ecc1c5ddb5
1 changed files with 9 additions and 25 deletions
--- a/docs/using.rst
+++ b/docs/using.rst
@@ -44,14 +44,10 @@ a combination_ of distinct authenticator and installer plugins.
 =========== ==== ==== =============================================================== =============================
 Plugin      Auth Inst Notes                                                           Challenge types (and port)
 =========== ==== ==== =============================================================== =============================
-apache_     Y    Y    | Automates obtaining and installing a certificate with Apache  tls-sni-01_ (443)
-                      | 2.4 on OSes with ``libaugeas0`` 1.0+.
 webroot_    Y    N    | Obtains a certificate by writing to the webroot directory of  http-01_ (80)
                      | an already running webserver.
-nginx_      Y    Y    | Automates obtaining and installing a certificate with Nginx.  tls-sni-01_ (443)
-                      | Shipped with Certbot 0.9.0.
-standalone_ Y    N    | Uses a "standalone" webserver to obtain a certificate.        http-01_ (80) or
-                      | Requires port 80 or 443 to be available. This is useful on    tls-sni-01_ (443)
+standalone_ Y    N    | Uses a "standalone" webserver to obtain a certificate.        http-01_ (80) 
+                      | Requires port 80 to be available. This is useful on    
                      | systems with no webserver, or when direct integration with
                      | the local webserver is not supported or not desired.
 |dns_plugs| Y    N    | This category of plugins automates obtaining a certificate by dns-01_ (53)
@@ -59,9 +55,9 @@ standalone_ Y    N    | Uses a "standalone" webserver to obtain a certificate.
                      | domain. Doing domain validation in this way is
                      | the only way to obtain wildcard certificates from Let's
                      | Encrypt.
-manual_     Y    N    | Helps you obtain a certificate by giving you instructions to  http-01_ (80),
-                      | perform domain validation yourself. Additionally allows you   dns-01_ (53) or
-                      | to specify scripts to automate the validation task in a       tls-sni-01_ (443)
+manual_     Y    N    | Helps you obtain a certificate by giving you instructions to  http-01_ (80) or
+                      | perform domain validation yourself. Additionally allows you   dns-01_ (53) 
+                      | to specify scripts to automate the validation task in a 
                      | customized way.
 =========== ==== ==== =============================================================== =============================

@@ -69,7 +65,7 @@ manual_     Y    N    | Helps you obtain a certificate by giving you instruction

 Under the hood, plugins use one of several ACME protocol challenges_ to
 prove you control a domain. The options are http-01_ (which uses port 80),
-tls-sni-01_ (port 443) and dns-01_ (requiring configuration of a DNS server on
+and dns-01_ (requiring configuration of a DNS server on
 port 53, though that's often not the same machine as your webserver). A few
 plugins support more than one challenge type, in which case you can choose one
 with ``--preferred-challenges``.
@@ -78,7 +74,6 @@ There are also many third-party-plugins_ available. Below we describe in more de
 the circumstances in which each plugin can be used, and how to use it.

 .. _challenges: https://tools.ietf.org/html/draft-ietf-acme-acme-03#section-7
-.. _tls-sni-01: https://tools.ietf.org/html/draft-ietf-acme-acme-03#section-7.3
 .. _http-01: https://tools.ietf.org/html/draft-ietf-acme-acme-03#section-7.2
 .. _dns-01: https://tools.ietf.org/html/draft-ietf-acme-acme-03#section-7.4

@@ -159,13 +154,12 @@ software running on the machine where you obtain the certificate.

 To obtain a certificate using a "standalone" webserver, you can use the
 standalone plugin by including ``certonly`` and ``--standalone``
-on the command line. This plugin needs to bind to port 80 or 443 in
+on the command line. This plugin needs to bind to port 80 in
 order to perform domain validation, so you may need to stop your
 existing webserver. To control which port the plugin uses, include
 one of the options shown below on the command line.

    * ``--preferred-challenges http`` to use port 80
-    * ``--preferred-challenges tls-sni`` to use port 443

 It must still be possible for your machine to accept inbound connections from
 the Internet on the specified port using each requested domain name.
@@ -222,8 +216,7 @@ the UI, you can use the plugin to obtain a certificate by specifying
 to copy and paste commands into another terminal session, which may
 be on a different computer.

-The manual plugin can use either the ``http``, ``dns`` or the
-``tls-sni`` challenge. You can use the ``--preferred-challenges`` option
+The manual plugin can use either the ``http`` or the ``dns`` challenge. You can use the ``--preferred-challenges`` option
 to choose the challenge of your preference.

 The ``http`` challenge will ask you to place a file with a specific name and
@@ -241,11 +234,6 @@ For example, for the domain ``example.com``, a zone file entry would look like:

        _acme-challenge.example.com. 300 IN TXT "gfj9Xq...Rg85nM"

-When using the ``tls-sni`` challenge, ``certbot`` will prepare a self-signed
-SSL certificate for you with the challenge validation appropriately
-encoded into a subjectAlternatNames entry. You will need to configure
-your SSL server to present this challenge SSL certificate to the ACME
-server using SNI.

 Additionally you can specify scripts to prepare for validation and
 perform the authentication procedure and/or clean up after it by using
@@ -265,8 +253,7 @@ installer plugins. To do so, specify the authenticator plugin with
 For instance, you may want to create a certificate using the webroot_ plugin
 for authentication and the apache_ plugin for installation, perhaps because you
 use a proxy or CDN for SSL and only want to secure the connection between them
-and your origin server, which cannot use the tls-sni-01_ challenge due to the
-intermediate proxy.
+and your origin server.

 ::

@@ -781,9 +768,6 @@ variables to these scripts:
 - ``CERTBOT_DOMAIN``: The domain being authenticated
 - ``CERTBOT_VALIDATION``: The validation string (HTTP-01 and DNS-01 only)
 - ``CERTBOT_TOKEN``: Resource name part of the HTTP-01 challenge (HTTP-01 only)
- ``CERTBOT_CERT_PATH``: The challenge SSL certificate (TLS-SNI-01 only)
- ``CERTBOT_KEY_PATH``: The private key associated with the aforementioned SSL certificate (TLS-SNI-01 only)
- ``CERTBOT_SNI_DOMAIN``: The SNI name for which the ACME server expects to be presented the self-signed certificate located at ``$CERTBOT_CERT_PATH`` (TLS-SNI-01 only)

 Additionally for cleanup: