Action required: Let's Encrypt certificate renewals but certbot shows OK


#1

Hi,

Sorry for this dumbish question.

I keep getting this email:

Action required: Let’s Encrypt certificate renewals

But when I run certbot dryrun, I get:

Cert not due for renewal, but simulating renewal for dry run

Plugins selected: Authenticator apache, Installer apache

Renewing an existing certificate

Performing the following challenges:

http-01 challenge for debian.serverblahblah.com

http-01 challenge for fedora.serverblahblah.com

http-01 challenge for houston.serverblahblah.com

http-01 challenge for solaris.serverblahblah.com

http-01 challenge for ubuntu.serverblahblah.com

http-01 challenge for serverblahblah.com

http-01 challenge for www.serverblahblah.com

Waiting for verification…

Cleaning up challenges


new certificate deployed with reload of apache server; fullchain is

/etc/letsencrypt/live/serverblahblah,com/fullchain.pem



** DRY RUN: simulating ‘certbot renew’ close to cert expiry

** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:

/etc/letsencrypt/live/unix.com/fullchain.pem (success)

** DRY RUN: simulating ‘certbot renew’ close to cert expiry

This seems to indicate all our certs are OK with http-01.

Why do we keep getting these emails?

It’s not a problem; but are we OK like I think?

Thanks!

PS: serverblahblah.com is not the real name of the server … obviously


#2

Hi @neounix

If you have only http-01 challenges, then it should be OK.


#3

Hi Juergen,

Thanks. That’s what I thought; but wanted to make sure.

Is there any reason I could change our server to use a challenge other than the:

http-01 challenge

?

Sorry, I’m not very smart on certbots; but am a big fan of Let’s Encrypt and the services provided to web sites.


#4

Why?

You can use dns-01 validation or tls-alpn-01 validation. But tls-alpn isn’t supported via Certbot.

And you can redirect http -> https.

An open port 80 isn’t a security problem if the server is correctly configured.


#5

Hi Juergen,

Do you mean we can change our challenge to:

https-01

?

Our server is SSL only for access, so we redirect all older http to https for quite some time.

Sorry, I do not understand the basics, my apologies.


#6

There is no https-01. Perhaps read the basics:


#7

No. You can use http-01 but simply redirect all http connections to https.


#8

Some versions of certbot will use tls-sni-01 by default (for renewals) when it’s available, but will switch automatically to http-01 when it’s not. If you’re using one of those versions, a --dry-run will run against the staging server where tls-sni-01 is already disabled, so it simulates what will happen in the future when tls-sni-01 will be disabled on the live server. If your setup works correctly in that test, then you should be fine.
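As an added check that is not part of the thread, the script below lists the certbot lineages whose renewal configuration still prefers tls-sni-01, the challenge type the dry run no longer exercises. It assumes certbot's usual /etc/letsencrypt/renewal/*.conf layout with a [renewalparams] section and an optional pref_challs key; the sample configs it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread or the certbot project.
# Assumption: renewal confs look like /etc/letsencrypt/renewal/<lineage>.conf with a
# [renewalparams] section and optionally "pref_challs = tls-sni-01, http-01".

# Print the lineage names whose renewal conf lists tls-sni-01 in pref_challs.
find_tls_sni_lineages() {
    dir="$1"
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        # A conf without a pref_challs line uses certbot's default challenge order.
        if grep -Ei '^[[:space:]]*pref_challs[[:space:]]*=.*tls-sni-01' "$conf" >/dev/null 2>&1; then
            basename "$conf" .conf
        fi
    done
}

# Build a constructed sample renewal directory so the check runs offline.
make_sample_renewal_dir() {
    dir=$(mktemp -d)
    cat > "$dir/example.test.conf" <<'EOF'
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/example.test
[renewalparams]
authenticator = apache
installer = apache
pref_challs = tls-sni-01, http-01
EOF
    cat > "$dir/ok.test.conf" <<'EOF'
version = 0.31.0
[renewalparams]
authenticator = apache
installer = apache
pref_challs = http-01
EOF
    cat > "$dir/default.test.conf" <<'EOF'
version = 0.31.0
[renewalparams]
authenticator = apache
installer = apache
EOF
    printf '%s\n' "$dir"
}

# On a real host: find_tls_sni_lineages /etc/letsencrypt/renewal
```

Any lineage it prints should be switched to http-01 (or dns-01) before the next renewal; an empty result means no renewal conf prefers tls-sni-01.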

