Action is required to prevent your Let's Encrypt certificate renewals from breaking


#1

My domain is: https://www.topcoaching.in

I ran this command:

It produced this output:

My web server is (include version): nginx version: nginx/1.13.0

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

First, I want to know how I can check whether I am using TLS-SNI-01, HTTP, or DNS.
I have updated Certbot recently: Installed: 0.28.0-1+ubuntu16.04.1+certbot+4

I am using sudo certbot --nginx for getting certs.

sudo certbot renew --dry-run gives:

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for topcoaching.in
http-01 challenge for www.topcoaching.in
Waiting for verification…
Cleaning up challenges


new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/topcoaching.in/fullchain.pem



** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/topcoaching.in/fullchain.pem (success)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


IMPORTANT NOTES:

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

Is everything OK, or do I need to do anything?


#2

I can’t be sure, but everything’s probably okay.

You might want to monitor Certbot and make sure your next automatic renewal works, but it’s probably fine.


#3

Look in the logs: /var/log/letsencrypt/letsencrypt.log
There you may see “how” it was validated.
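
The log check suggested above, as an added example that is not part of the original thread and is not Certbot's own code: it scans log or console lines for the "<type> challenge for <domain>" message seen in the dry-run output and lists the domains validated with tls-sni-01. The timestamped log-line layout and the example.org domain in the sample are constructed assumptions.

```python
import re
import sys
from collections import defaultdict

# Certbot reports each validation as "<type> challenge for <domain>"
# (see the dry-run output earlier in the thread).
CHALLENGE_RE = re.compile(r"\b(http-01|dns-01|tls-sni-01)\s+challenge for\s+(\S+)")
DEPRECATED = {"tls-sni-01"}  # the challenge type the notification is about

def challenges_by_domain(lines):
    """Map each domain to the set of challenge types seen for it."""
    seen = defaultdict(set)
    for line in lines:
        match = CHALLENGE_RE.search(line)
        if match:
            domain = match.group(2).rstrip(".,").lower()
            seen[domain].add(match.group(1))
    return dict(seen)

def domains_needing_action(lines):
    """Domains that were validated at least once with a deprecated type."""
    found = challenges_by_domain(lines)
    return sorted(d for d, kinds in found.items() if kinds & DEPRECATED)

# Constructed sample: console-style lines from the thread plus two
# log-style lines (timestamp layout and example.org domain are assumed).
SAMPLE = [
    "Performing the following challenges:",
    "http-01 challenge for topcoaching.in",
    "http-01 challenge for www.topcoaching.in",
    "2019-01-20 03:12:44,101:INFO:certbot.auth_handler:tls-sni-01 challenge for legacy.example.org",
    "2019-01-20 03:12:44,102:INFO:certbot.auth_handler:http-01 challenge for legacy.example.org",
    "Waiting for verification...",
]

if __name__ == "__main__":
    # Default path is the one named in the post above; reading it needs root.
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/log/letsencrypt/letsencrypt.log"
    try:
        with open(path, errors="replace") as handle:
            lines = handle.readlines()
    except OSError:
        lines = SAMPLE  # fall back to the constructed sample
    for domain, kinds in sorted(challenges_by_domain(lines).items()):
        print(f"{domain}: {', '.join(sorted(kinds))}")
    print("tls-sni-01 in use for:", domains_needing_action(lines) or "none")
```

A domain that shows only http-01 or dns-01 in every log it appears in is not affected by the TLS-SNI-01 notice.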


#4

I got this notification twice now, but it doesn’t include what domains are using the out-of-date ACME. I have a bunch of domains, so if the data are available on the Let’s Encrypt end, it’d be nice to share it. I suppose that I’ll get a hint when the cert is about to expire.


#5

Same thing here. Have got a handful of servers that have used this, but I can’t seem to find any that indicate that TLS-SNI-01 is actually being used. Would be great if the emails could be more specific about the domains of concern.