Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
The operating system my web server runs on is (include version): Ubuntu Server LTS 14.04 (Trusty Tahr)
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know): Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Command: certbot certificates
I get these results:
Attempting to parse the version 0.29.1 renewal configuration file found at /etc/letsencrypt/renewal/hiekkalaatikko.eco-toimistotarvikkeet.fi.conf with version 0.14.2 of Certbot. This might not work.
I have used the command certbot-auto renew to update certificates
Your Let’s Encrypt client used ACME TLS-SNI-01 domain validation to issue a certificate in the past 60 days. TLS-SNI-01 validation is reaching end-of-life and will stop working on February 13th, 2019. You need to update your ACME client to use an alternative validation method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your certificate renewals will break and existing certificates will start to expire.
How do I update the ACME client in Ubuntu 14.04 (Trusty Tahr)?
Do you know how Certbot 0.14.2 was installed? What does “sudo which certbot” show? Or “dpkg -l '*certbot*' '*letsencrypt*'”?
You already have certbot-auto installed as /root/certbot-auto, right?
I’d suggest making sure to use a new version of Certbot – by moving entirely to certbot-auto, or by upgrading the 0.14.2 installation. The question is how you want to or can do it.
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
++±=================================================-=============================-=============================-========================================================================================================
ii certbot 0.14.2-1+certbot+14.041 all automatically configure HTTPS using Let’s Encrypt
un letsencrypt (no description available)
ii python-certbot 0.14.2-1+certbot+14.041 all main library for certbot
ii python-certbot-apache 0.14.2-1+certbot+14.041 all Apache plugin for Certbot
un python-certbot-apache-doc (no description available)
un python-certbot-doc (no description available)
un python-certbot-nginx (no description available)
un python-letsencrypt (no description available)
un python-letsencrypt-apache (no description available)
“You already have certbot-auto installed as /root/certbot-auto, right?”
Yes I have root/certbot-auto 63562 Jan 3 18:27 certbot-auto
“I’d suggest making sure to use a new version of Certbot – by moving entirely to
certbot-auto, or by upgrading the 0.14.2 installation.
The question is how you want to or can do it.”
It looks like you installed Certbot 0.14.2 from the PPA. Version 0.28.0 is available. Do you know why it’s not upgrading?
What happens if you run “sudo apt-get update && sudo apt-get upgrade”?
Or would you rather move entirely to certbot-auto?
Edit: There should be a cron job and systemd timer (if you have systemd?) that automatically run Certbot 0.14.2’s renew command twice a day. If you want to use certbot-auto, you should modify or replace it/them to use certbot-auto instead.
“Do you know why it’s not upgrading?”
Because I have used this command in crontab for over two years to update certificates: /root/certbot-auto renew --quiet
So how do I configure certbot-auto to use a method other than TLS-SNI-01, for example “HTTP-01, DNS-01 or TLS-ALPN-01”?
So I am confused: did lutzhorn answer me? Is the easiest way to do this to run all the commands lutzhorn suggested? Or are there any better options? Do I have to install a new certbot-auto? I think my certbot-auto is quite new; it is from Jan 3 2019.
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for static.eco-toimistotarvikkeet.fi
http-01 challenge for template.eco-toimistotarvikkeet.fi
Waiting for verification…
Cleaning up challenges
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/static.eco-toimistotarvikkeet.fi/fullchain.pem
But there were two domains which do not work correctly:
Attempting to renew cert (hiekkalaatikko.eco-toimistotarvikkeet.fi) from /etc/letsencrypt/renewal/hiekkalaatikko.eco-toimistotarvikkeet.fi.conf produced an unexpected error: Failed authorization procedure. hiekkalaatikko.eco-toimistotarvikkeet.fi (http-01): urn:ietf:params:acme:error:serverInternal :: The server experienced an internal error :: Remote PerformValidation RPCs failed. Skipping.
Attempting to renew cert (template.ergonea.fi) from /etc/letsencrypt/renewal/template.ergonea.fi.conf produced an unexpected error: Failed authorization procedure. template.ergonea.fi (http-01): urn:ietf:params:acme:error:serverInternal :: The server experienced an internal error :: Remote PerformValidation RPCs failed. Skipping.
The following certs could not be renewed:
/etc/letsencrypt/live/hiekkalaatikko.eco-toimistotarvikkeet.fi/fullchain.pem (failure)
/etc/letsencrypt/live/template.ergonea.fi/fullchain.pem (failure)
So, the original question: do I have to be worried about this email? Action is required to prevent your Let’s Encrypt certificate renewals from breaking. Your Let’s Encrypt client used ACME TLS-SNI-01 domain validation to issue a certificate in the past 60 days. TLS-SNI-01 validation is reaching end-of-life and will stop working on February 13th, 2019. You need to update your ACME client to use an alternative validation method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your certificate renewals will break and existing certificates will start to expire.
And how can I get these two domains' certificates to work?
So when you use --dry-run, Certbot uses Let's Encrypt's staging environment.
The staging environment validates by making HTTP requests from several different servers.
Some of them are failing. One or more of them are probably succeeding. Unfortunately, under the circumstances, you get a completely useless error message. There might be an issue with Let's Encrypt's staging infrastructure. There might be an issue with your web server. Or the Internet in between.
I don't suppose it works if you try again?
Are you blocking Amazon Web Services IP addresses?
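An added example, not code from anyone in this thread or from the Certbot project: a small audit of a renewal configuration file that reports why a certificate lineage may still depend on TLS-SNI-01 when two Certbot installations (here 0.14.2 from the PPA and a newer certbot-auto) share /etc/letsencrypt. The function names, the finding labels, the sample file and the 0.28.0 threshold are assumptions made for the example.

```python
import re

# Assumption, not stated in the thread: Certbot releases before 0.28.0 make the
# apache/nginx plugins default to TLS-SNI-01 unless another challenge is set.
MIN_SAFE_VERSION = (0, 28, 0)

# Constructed sample in the layout Certbot writes under /etc/letsencrypt/renewal/.
SAMPLE = """\
# renew_before_expiry = 30 days
version = 0.29.1
cert = /etc/letsencrypt/live/example.com/cert.pem
[renewalparams]
authenticator = apache
installer = apache
"""
PINNED = SAMPLE.replace("0.29.1", "0.21.0") + "pref_challs = tls-sni-01,\n"

def parse_renewal_conf(text):
    """Return {section: {key: value}}; top-level keys live under ''."""
    conf, section = {"": {}}, ""
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        header = re.match(r"\[+([^\]]+)\]+$", line)
        if header:
            section = header.group(1).strip()
            conf.setdefault(section, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[section][key.strip()] = value.strip()
    return conf

def version_tuple(text):
    return tuple(int(part) for part in re.findall(r"\d+", text)[:3])

def audit(conf_text, running_version):
    """List reasons this lineage may still depend on TLS-SNI-01."""
    conf = parse_renewal_conf(conf_text)
    params = conf.get("renewalparams", {})
    challs = {c.strip() for c in params.get("pref_challs", "").split(",") if c.strip()}
    running, findings = version_tuple(running_version), []
    if "tls-sni-01" in challs:
        findings.append("tls-sni-01-pinned")
    if version_tuple(conf[""].get("version", "0")) > running:
        findings.append("file-newer-than-client")  # the 0.29.1 vs 0.14.2 warning
    if (running < MIN_SAFE_VERSION and params.get("authenticator") in ("apache", "nginx")
            and not challs & {"http-01", "dns-01"}):
        findings.append("old-client-default")
    return findings
```

Run `audit()` once per file in /etc/letsencrypt/renewal/ with the version of whichever client the cron job actually invokes; an empty list means none of the three conditions applies.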