I just received an e-mail from the Let’s Encrypt team:
Action may be required to prevent your Let’s Encrypt certificate renewals
from breaking.
If you already received a similar e-mail, this one contains updated
information.
Your Let’s Encrypt client used ACME TLS-SNI-01 domain validation to issue
a certificate in the past 60 days. Below is a list of names and IP
addresses validated (max of one per account):
my_accountXXXXX
TLS-SNI-01 validation is reaching end-of-life. It will stop working
temporarily on February 13th, 2019, and permanently on March 13th, 2019.
Any certificates issued before then will continue to work for 90 days
after their issuance date.
You need to update your ACME client to use an alternative validation
method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your
certificate renewals will break and existing certificates will start to
expire.
What should I do? This is a step process of which I understand nothing. I ran these steps just by feeding command lines.
My /var/www/letsencrypt/letsencrypt.log is:
2019-02-03 23:10:51,516:DEBUG:certbot.main:Root logging level set at 30
2019-02-03 23:10:51,520:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-02-03 23:10:51,524:DEBUG:certbot.main:certbot version: 0.10.2
2019-02-03 23:10:51,524:DEBUG:certbot.main:Arguments: ['-q']
2019-02-03 23:10:51,527:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2019-02-03 23:10:51,620:INFO:certbot.renewal:Cert not yet due for renewal
2019-02-03 23:10:51,620:DEBUG:certbot.renewal:no renewal failures
My Certbot version is: certbot 0.10.2
I am using Apache and everything is running on a Raspberry Pi, using Raspbian.
Thanks,
So I am trying to upgrade certbot and python-certbot-apache from version 0.10 to 0.28.
An $ apt list *certbot* gives me:
certbot/stable 0.28.0-1~deb9u1 all [upgradable from: 0.10.2-1]
python-certbot-apache/stable 0.28.0-1~deb9u1 all [upgradable from: 0.10.2-1]
So it seems to be possible. But why isn’t it automatically done? (I know it’s not a straight NC answer).
Thanks.
I am answering myself (sorry). It’s just that I needed to do a dist-upgrade and not only apt or apt-get. Now certbot and python-certbot-apache are at version 0.28.
I ran $ sudo certbot renew --dry-run
And got the following:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator standalone, Installer apache
Running pre-hook command: service apache2 stop
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for [MYWEBSERVER]
Waiting for verification…
Cleaning up challenges
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/[MYWEBSERVER]/fullchain.pem
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/[MYWEBSERVER]/fullchain.pem (success)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)
Running post-hook command: service apache2 start
IMPORTANT NOTES:
Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
Is that enough for my problem? Thanks.
Last but not least, have you got some easy reading on the web for me to understand all these certificate needs and configuration etc.? Thanks
If the dry run succeeds, and your Certbot version is 0.28 or higher, you’re good to go! No further action should be required to deal with the end of TLS-SNI-01 support. If it fails, fix the validation problems you see and try again.
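The check described in the reply above (Certbot 0.28 or higher, a successful dry run, and no renewal still validating over TLS-SNI-01) can be automated. The following is an added example, not code from this thread or from the Certbot project; the function names and sample inputs are constructed, and the `tls-sni-01 challenge for ...` line is assumed to have the same shape as the `http-01` line shown in the dry-run output.

```python
import re

MIN_VERSION = (0, 28)  # threshold given in the reply above
VERSION_RE = re.compile(r"certbot version: (\d+(?:\.\d+)*)")
CHALLENGE_RE = re.compile(
    r"^\s*(http-01|dns-01|tls-alpn-01|tls-sni-01) challenge for \S+", re.M)

def parse_version(log_text):
    """Last certbot version recorded in letsencrypt.log, as a tuple of ints."""
    found = VERSION_RE.findall(log_text)
    return tuple(int(p) for p in found[-1].split(".")) if found else None

def assess(log_text, dry_run_text):
    """Apply the check from the thread to a debug log and a dry-run transcript."""
    version = parse_version(log_text)
    challenges = sorted(set(CHALLENGE_RE.findall(dry_run_text)))
    version_ok = version is not None and version[:2] >= MIN_VERSION
    dry_run_ok = "all renewals succeeded" in dry_run_text.lower()
    return {
        "version": version,
        "version_ok": version_ok,
        "challenges": challenges,
        "dry_run_ok": dry_run_ok,
        # Ready only if nothing still validates over the retired method.
        "ready": version_ok and dry_run_ok and "tls-sni-01" not in challenges,
    }

# Constructed samples, modelled on the lines quoted in this thread.
OLD_LOG = "2019-02-03 23:10:51,524:DEBUG:certbot.main:certbot version: 0.10.2\n"
NEW_LOG = "2019-02-05 10:00:00,000:DEBUG:certbot.main:certbot version: 0.28.0\n"
DRY_RUN_OK = """Performing the following challenges:
http-01 challenge for example.org
Waiting for verification...
Congratulations, all renewals succeeded. The following certs have been renewed:
"""
DRY_RUN_SNI = DRY_RUN_OK.replace("http-01", "tls-sni-01")

if __name__ == "__main__":
    for name, log, run in [("before upgrade", OLD_LOG, DRY_RUN_SNI),
                           ("after upgrade", NEW_LOG, DRY_RUN_OK)]:
        print(name, assess(log, run))
```

To use it on a real host, pass the contents of the Certbot debug log and the captured output of `certbot renew --dry-run` to `assess`.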
"Attempting to renew cert (mywebsite.com) from /etc/letsencrypt/renewal/mywebsite.com.comf produced an unexpected error: Failed authorization procedure… …the client lacks sufficient authorization :: Invalid response from http://mywebsite.com/.well-known/acme-challenge-… all renewal attempts failed. the following certs could not be renewed: /etc/letsencrypt/life/mywebsite.com/fullchain.pem (failure)
To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address."
Any help you guys could offer would be greatly appreciated! Thanks!