Netgate Discussion Forum
    HEADS UP for ACME package users: Let's Encrypt disabling TLS-SNI-01 / TLS-SNI-02

    • jimp (Rebel Alliance Developer, Netgate)

      First, this is not specific to pfSense or our ACME package but to Let's Encrypt and ACME clients in general.

      Security researcher Frans Rosén found a flaw in the ACME specification for TLS-SNI-01 and TLS-SNI-02 in cases where shared hosting operates certain less-than-ideal ways with regard to certificates and serving content on port 443. Let's Encrypt followed the spec, so it was possible in certain specific shared hosting cases to obtain a certificate for another domain on the same shared hosting service. Once Let's Encrypt was alerted and confirmed the problem, they shut down TLS-SNI-01/02 validation. They have since re-enabled it in a limited capacity, mostly for renewals. All of the details are here: https://community.letsencrypt.org/t/2018-01-11-update-regarding-acme-tls-sni-and-shared-hosting-infrastructure/50188

      What that means for LE/ACME users is that if you currently use "Standalone TLS Server" mode to validate certificates, you should move to another method as soon as possible, for example, use Standalone HTTP Server or a DNS method. Even though the problem only affects shared hosting scenarios, the specification doesn't have any way to isolate that scenario.

      It will be possible to renew via TLS-SNI-01 for a short time yet; Let's Encrypt has not announced a cutoff date, but I would not count on it being active for long. Switch ASAP.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

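The post above tells ACME clients to stop validating with TLS-SNI-01/02 and to prefer HTTP-01 or DNS-01 instead. The following is an added example, not code from the pfSense ACME package or from Let's Encrypt: it takes an ACME authorization object in the RFC 8555 shape, refuses the deprecated TLS-SNI challenge types, and picks the remaining challenge according to a preference list. The authorization JSON, its URLs and tokens are constructed sample data, and the preference order (DNS before HTTP) is this example's own choice.

```python
"""Select an ACME challenge while refusing the deprecated TLS-SNI-01/02 types.

Added example; not code from the pfSense ACME package or Let's Encrypt.
The sample authorization below is constructed by hand in the shape of an
RFC 8555 authorization response. Its URLs and tokens are placeholders.
"""
import json

# Validators that Let's Encrypt has withdrawn for new validations (see post).
DEPRECATED_CHALLENGES = frozenset({"tls-sni-01", "tls-sni-02"})

# Preference order for the remaining validators. DNS-01 first because it needs
# no inbound port at all; HTTP-01 second (needs port 80 reachable). This order
# is an assumption of the example, not a project setting.
PREFERRED_ORDER = ("dns-01", "http-01")

# Constructed sample: one authorization offering three challenge types.
SAMPLE_AUTHZ_JSON = """
{
  "identifier": {"type": "dns", "value": "fw.example.com"},
  "status": "pending",
  "challenges": [
    {"type": "tls-sni-01", "status": "pending",
     "url": "https://acme.example/chal/1", "token": "tok1"},
    {"type": "http-01", "status": "pending",
     "url": "https://acme.example/chal/2", "token": "tok2"},
    {"type": "dns-01", "status": "pending",
     "url": "https://acme.example/chal/3", "token": "tok3"}
  ]
}
"""


class NoUsableChallenge(Exception):
    """Raised when the authorization offers only refused or non-pending challenges."""


def load_sample_authz() -> dict:
    """Parse the constructed sample authorization."""
    return json.loads(SAMPLE_AUTHZ_JSON)


def deprecated_challenges(authz: dict) -> list:
    """Return the deprecated challenge types the CA still offers, sorted."""
    offered = {c.get("type") for c in authz.get("challenges", [])}
    return sorted(offered & DEPRECATED_CHALLENGES)


def select_challenge(authz: dict, preferred=PREFERRED_ORDER) -> dict:
    """Pick the first pending challenge in `preferred` order.

    Deprecated types are never selected, even if they are the only ones
    pending, so a client built on this policy cannot silently fall back
    to TLS-SNI validation.
    """
    pending = {}
    for chal in authz.get("challenges", []):
        ctype = chal.get("type")
        if ctype in DEPRECATED_CHALLENGES or chal.get("status") != "pending":
            continue
        pending[ctype] = chal
    for ctype in preferred:
        if ctype in pending:
            return pending[ctype]
    raise NoUsableChallenge(
        "no pending challenge of an allowed type; offered: "
        + ", ".join(sorted(c.get("type", "?") for c in authz.get("challenges", [])))
    )


def policy_report(authz: dict) -> dict:
    """Summarise what a client should log before starting validation."""
    chosen = select_challenge(authz)
    return {
        "identifier": authz.get("identifier", {}).get("value"),
        "selected": chosen["type"],
        "deprecated_offered": deprecated_challenges(authz),
    }


if __name__ == "__main__":
    print(json.dumps(policy_report(load_sample_authz()), indent=2))
```

Running the block prints the selected challenge (`dns-01` for the sample) alongside any deprecated types the CA still advertises, which is the line a renewal log should carry so that a lingering TLS-SNI configuration is visible before the validator is finally switched off.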
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.