Action is required to prevent your Let's Encrypt certificate renewals from breaking Ubuntu 14.04 (Trusty Tahr)


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://eco-toimistotarvikkeet.fi/

I ran this command:

It produced this output:

My web server is (include version): Apache 2.4

The operating system my web server runs on is (include version): Ubuntu Server LTS 14.04 (Trusty Tahr)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

Command: certbot certificates
I get these results:
Attempting to parse the version 0.29.1 renewal configuration file found at /etc/letsencrypt/renewal/hiekkalaatikko.eco-toimistotarvikkeet.fi.conf with version 0.14.2 of Certbot. This might not work.

I have used the command certbot-auto renew to update certificates.

Your Let’s Encrypt client used ACME TLS-SNI-01 domain validation to issue a certificate in the past 60 days.
TLS-SNI-01 validation is reaching end-of-life and will stop working on February 13th, 2019.
You need to update your ACME client to use an alternative validation method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your certificate renewals will break and existing certificates will start to expire.

How do I update the ACME client on Ubuntu 14.04 (Trusty Tahr)?

Yours Timo


ACME TLS-SNI-01 domain validation update certificates help
#2

Download certbot at https://certbot.eff.org/lets-encrypt/pip-other.

Stop Apache.

Run certbot-auto like this:

$ chmod +x certbot-auto
$ sudo ./certbot-auto renew --force-renewal --dry-run --preferred-challenges http

If this does not produce any error, you can rerun it without the --dry-run option:

$ chmod +x certbot-auto
$ sudo ./certbot-auto renew --force-renewal --preferred-challenges http

Restart Apache.


Recent email from Letsencrypt
#3

Do you know why both Certbot 0.14.2 and 0.29.1 are installed? Do you have certbot-auto somewhere?

What does “sudo which certbot” show?

Edit: Never mind, rereading your other post answered my question.

Edit: Rereading your other thread answered one of my questions, anyway.


#4

A post was split to a new topic: Action is required to prevent your encrypt certificate renewals from breaking


#5

A post was merged into an existing topic: Action is required to prevent your encrypt certificate renewals from breaking


#6

@lutzhorn

Were you replying to @GiacomoSilli’s post? I can move your post to the other thread, if you want.

I apologize for the chaos.


#7

So first I must
$ wget https://dl.eff.org/certbot-auto

$ chmod a+x certbot-auto

Then stop apache

$ sudo service apache2 stop

Then I must run

$ chmod +x certbot-auto

$ sudo ./certbot-auto renew --force-renewal --dry-run --preferred-challenges http

If this does not produce any error, you can rerun it without the --dry-run option:

$ chmod +x certbot-auto

$ sudo ./certbot-auto renew --force-renewal --preferred-challenges http

What kind of errors might there be?


#8

Yes, please reorganize as you see fit. And please delete this afterwards.

Seems like I am not the only one today with a question about the email :slight_smile:


#9

Yup! I’d look for an appropriate emoji but I have 1 million other posts to read. I think it’s the busiest the forum has ever been.


#10

@timo

Do you know how Certbot 0.14.2 was installed? What does “sudo which certbot” show? Or “dpkg -l '*certbot*' '*letsencrypt*'”?

You already have certbot-auto installed as /root/certbot-auto, right?

I’d suggest making sure to use a new version of Certbot – by moving entirely to certbot-auto, or by upgrading the 0.14.2 installation. The question is how you want to or can do it.


#11

"sudo which certbot" shows "/usr/bin/certbot"

"dpkg -l '*certbot*' '*letsencrypt*'" shows

Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-=================================================-=============================-=============================-========================================================================================================
ii certbot 0.14.2-1+certbot+14.041 all automatically configure HTTPS using Let’s Encrypt
un letsencrypt (no description available)
ii python-certbot 0.14.2-1+certbot+14.041 all main library for certbot
ii python-certbot-apache 0.14.2-1+certbot+14.041 all Apache plugin for Certbot
un python-certbot-apache-doc (no description available)
un python-certbot-doc (no description available)
un python-certbot-nginx (no description available)
un python-letsencrypt (no description available)
un python-letsencrypt-apache (no description available)

“You already have certbot-auto installed as /root/certbot-auto, right?”

Yes, I have /root/certbot-auto: 63562 Jan 3 18:27 certbot-auto

“I’d suggest making sure to use a new version of Certbot – by moving entirely to
certbot-auto, or by upgrading the 0.14.2 installation.
The question is how you want to or can do it.”

So the easiest way? certbot-auto, I think.


#12

It looks like you installed Certbot 0.14.2 from the PPA. Version 0.28.0 is available. Do you know why it’s not upgrading?

What happens if you run “sudo apt-get update && sudo apt-get upgrade”?

Or would you rather move entirely to certbot-auto?

Edit: There should be a cron job and systemd timer (if you have systemd?) that automatically run Certbot 0.14.2’s renew command twice a day. If you want to use certbot-auto, you should modify or replace it/them to use certbot-auto instead.


#13

“Do you know why it’s not upgrading?”
Because I have used this command in crontab for over two years to update certificates:
/root/certbot-auto renew --quiet

So how do I configure certbot-auto to use a method other than TLS-SNI-01,
for example “HTTP-01, DNS-01 or TLS-ALPN-01”?
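To turn the question above into something checkable, here is an added example, not from the thread and not Certbot's own code: a small POSIX shell script that lists which renewal configurations in a Certbot renewal directory still list tls-sni-01, or list no challenge at all and therefore rely on whatever the renewing client picks by default. It assumes Certbot's renewal file layout (a `[renewalparams]` section that stores `--preferred-challenges` as a `pref_challs = http-01,` line); the function names, the sample `.conf` files and the example.com names are constructed for the demo, and the real directory is /etc/letsencrypt/renewal.

```shell
#!/bin/sh
# Added example, not from the thread or from Certbot itself.
# Assumption: each /etc/letsencrypt/renewal/<cert-name>.conf has a
# [renewalparams] section, and when --preferred-challenges was used Certbot
# stores it there as a line such as "pref_challs = http-01,".

# Print "<cert-name> <status>" for every .conf in the directory given as $1.
#   tls-sni-01  the file still lists the retired challenge: re-run renew with
#               --preferred-challenges http (or dns) so the file is rewritten
#   unpinned    no pref_challs line: the client picks the challenge, so the
#               client version decides whether TLS-SNI-01 is still used
#   ok          only http-01 / dns-01 / tls-alpn-01 are listed
scan_renewal_dir() {
    for conf in "$1"/*.conf; do
        [ -e "$conf" ] || continue
        name=$(basename "$conf" .conf)
        challs=$(sed -n 's/^pref_challs *= *//p' "$conf")
        if [ -z "$challs" ]; then
            echo "$name unpinned"
        elif echo "$challs" | grep -q 'tls-sni-01'; then
            echo "$name tls-sni-01"
        else
            echo "$name ok"
        fi
    done
}

# Number of configs that still list tls-sni-01 (grep -c prints 0 but exits 1
# when nothing matches, hence the || true).
count_needing_change() {
    scan_renewal_dir "$1" | grep -c ' tls-sni-01$' || true
}

# Build a throwaway directory with three constructed renewal files so the
# script can be run without touching a real /etc/letsencrypt.
make_sample_dir() {
    d=$(mktemp -d)
    printf '[renewalparams]\nauthenticator = apache\npref_challs = tls-sni-01, http-01,\n' \
        > "$d/old.example.com.conf"
    printf '[renewalparams]\nauthenticator = apache\npref_challs = http-01,\n' \
        > "$d/fixed.example.com.conf"
    printf '[renewalparams]\nauthenticator = apache\n' \
        > "$d/default.example.com.conf"
    echo "$d"
}

if [ $# -gt 0 ]; then
    scan_renewal_dir "$1"      # e.g. ./check-challs.sh /etc/letsencrypt/renewal
else
    demo=$(make_sample_dir)
    scan_renewal_dir "$demo"
    echo "configs still listing tls-sni-01: $(count_needing_change "$demo")"
    rm -rf "$demo"
fi
```

Run it with no argument to see it against the constructed samples, or pass /etc/letsencrypt/renewal to check a real host. A config reported as `unpinned` is only a problem if the client that renews it is old enough to choose TLS-SNI-01 on its own; the `certbot-auto renew --preferred-challenges http` command suggested earlier in the thread both forces HTTP-01 for that run and leaves the choice recorded in the renewal file, which is why the file is worth checking afterwards.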


#14

Is there also a cron job at /etc/cron.d/certbot that runs 0.14.2?


#15

No: the only certbot cron job is: /root/certbot-auto renew --quiet
There's no cron job at /etc/cron.d/certbot.


#16

So I got confused: did lutzhorn answer me? Is the easiest way to
do this to run all the commands lutzhorn suggested? Or are there any better options?
Do I have to install a new certbot-auto? I think my certbot-auto
is quite new; it is from Jan 3 2019.

Do I just run:

sudo ./certbot-auto renew --force-renewal --dry-run --preferred-challenges http

Or:
sudo ./certbot-auto renew --force-renewal --preferred-challenges http

Or do I have to run all these commands? I just want to make as few changes as possible
so that everything works correctly.

wget https://dl.eff.org/certbot-auto

chmod a+x certbot-auto

sudo service apache2 stop

chmod +x certbot-auto

sudo ./certbot-auto renew --force-renewal --dry-run --preferred-challenges http

chmod +x certbot-auto

sudo ./certbot-auto renew --force-renewal --preferred-challenges http

sudo service apache2 restart


#17

Does “sudo ./certbot-auto renew --dry-run” work?


#18

I ran: ./certbot-auto renew --dry-run

All the other domains show output like this:


Processing /etc/letsencrypt/renewal/static.eco-toimistotarvikkeet.fi.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for static.eco-toimistotarvikkeet.fi
http-01 challenge for template.eco-toimistotarvikkeet.fi
Waiting for verification…
Cleaning up challenges


new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/static.eco-toimistotarvikkeet.fi/fullchain.pem


But there were two domains which did not work correctly:

Attempting to renew cert (hiekkalaatikko.eco-toimistotarvikkeet.fi) from /etc/letsencrypt/renewal/hiekkalaatikko.eco-toimistotarvikkeet.fi.conf produced an unexpected error: Failed authorization procedure. hiekkalaatikko.eco-toimistotarvikkeet.fi (http-01): urn:ietf:params:acme:error:serverInternal :: The server experienced an internal error :: Remote PerformValidation RPCs failed. Skipping.

Attempting to renew cert (template.ergonea.fi) from /etc/letsencrypt/renewal/template.ergonea.fi.conf produced an unexpected error: Failed authorization procedure. template.ergonea.fi (http-01): urn:ietf:params:acme:error:serverInternal :: The server experienced an internal error :: Remote PerformValidation RPCs failed. Skipping.

The following certs could not be renewed:
/etc/letsencrypt/live/hiekkalaatikko.eco-toimistotarvikkeet.fi/fullchain.pem (failure)
/etc/letsencrypt/live/template.ergonea.fi/fullchain.pem (failure)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: hiekkalaatikko.eco-toimistotarvikkeet.fi
    Type: serverInternal
    Detail: Remote PerformValidation RPCs failed

    Unfortunately, an error on the ACME server prevented you from
    completing authorization. Please try again later.

  • The following errors were reported by the server:

    Domain: template.ergonea.fi
    Type: serverInternal
    Detail: Remote PerformValidation RPCs failed

    Unfortunately, an error on the ACME server prevented you from
    completing authorization. Please try again later.

So what do I do with these two domains?

This might be caused because when I ran a new certificate for ergonea I selected
the number for hiekkalaatikko.eco-toimistotarvikkeet.fi “accidentally”.

So, the original question: do I have to be worried about this email?
Action is required to prevent your Let’s Encrypt certificate renewals from breaking.
Your Let’s Encrypt client used ACME TLS-SNI-01 domain validation to issue a certificate in the past 60 days.
TLS-SNI-01 validation is reaching end-of-life and will stop working on February 13th, 2019.
You need to update your ACME client to use an alternative validation method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your certificate renewals will break and existing certificates will start to expire.

And how can I get these two domains' certificates to work?
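The dry-run output above is easy to read once by eye, but the cron job mentioned earlier in the thread (`/root/certbot-auto renew --quiet`) hides exactly this kind of failure. Here is an added example, not from the thread and not Certbot's own code: a POSIX shell and awk summariser that reduces `certbot renew` output to one line per certificate with the challenge type, the result and the ACME error type, so cron mail or a monitor can alert on failures. The log excerpt embedded in it is constructed in the shape of the output quoted above with example.com hostnames; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread or from Certbot itself: condense the
# output of "certbot renew" into one line per certificate so a cron job can
# mail or alert on failures instead of hiding them behind --quiet.

# Reads certbot renew output on stdin and prints, per certificate:
#   <cert-name> <challenge> <renewed|failed> <acme-error-type|->
summarize_renew_log() {
    awk '
    function seen(n) {
        if (!(n in status)) {
            order[++k] = n; status[n] = "renewed"; chall[n] = "-"; err[n] = "-"
        }
    }
    # "Processing /etc/letsencrypt/renewal/<name>.conf" opens a certificate
    /^Processing \/etc\/letsencrypt\/renewal\/.*\.conf$/ {
        n = split($2, p, "/"); cur = p[n]; sub(/\.conf$/, "", cur); seen(cur); next
    }
    # "<type> challenge for <domain>" records which validation method was used
    /^(http-01|dns-01|tls-alpn-01|tls-sni-01) challenge for / {
        if (cur != "") chall[cur] = $1
        next
    }
    # "Attempting to renew cert (<name>) ... produced an unexpected error: ...
    #  <domain> (<type>): urn:ietf:params:acme:error:<errorType> :: ..."
    /^Attempting to renew cert \(/ {
        match($0, /\([^)]*\)/)
        cur = substr($0, RSTART + 1, RLENGTH - 2); seen(cur)
        status[cur] = "failed"
        if (match($0, /\((http-01|dns-01|tls-alpn-01|tls-sni-01)\)/))
            chall[cur] = substr($0, RSTART + 1, RLENGTH - 2)
        if (match($0, /acme:error:[A-Za-z]+/))
            err[cur] = substr($0, RSTART + 11, RLENGTH - 11)
        next
    }
    END {
        for (i = 1; i <= k; i++)
            print order[i], chall[order[i]], status[order[i]], err[order[i]]
    }'
}

# Only the lines worth alerting on.
failed_only() {
    summarize_renew_log | awk '$3 == "failed"'
}

# Constructed excerpt in the shape of the dry-run output quoted above
# (example.com names replace the real hostnames).
sample_renew_log() {
    cat <<'EOF'
Processing /etc/letsencrypt/renewal/static.example.com.conf
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for static.example.com
http-01 challenge for template.example.com
Waiting for verification...
Cleaning up challenges
Processing /etc/letsencrypt/renewal/sandbox.example.com.conf
Cert not due for renewal, but simulating renewal for dry run
Attempting to renew cert (sandbox.example.com) from /etc/letsencrypt/renewal/sandbox.example.com.conf produced an unexpected error: Failed authorization procedure. sandbox.example.com (http-01): urn:ietf:params:acme:error:serverInternal :: The server experienced an internal error :: Remote PerformValidation RPCs failed. Skipping.
EOF
}

# Stand-alone demo; in cron you would pipe the real command instead:
#   /root/certbot-auto renew 2>&1 | failed_only
sample_renew_log | summarize_renew_log
```

The summary line keeps the ACME error type on purpose: a `serverInternal` on a `--dry-run`, as in the output above, points at the validation side rather than at the renewal configuration, so it is a "retry later" signal, whereas an `unauthorized` or `connection` type would point back at the web server or DNS.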


#19

--force-renewal*


#20

So when you use --dry-run, Certbot uses Let’s Encrypt’s staging environment.

The staging environment validates by making HTTP requests from several different servers.

Some of them are failing. One or more of them are probably succeeding. Unfortunately, under the circumstances, you get a completely useless error message. There might be an issue with Let’s Encrypt’s staging infrastructure. There might be an issue with your web server. Or the Internet in between.

I don’t suppose it works if you try again?

Are you blocking Amazon Web Services IP addresses?