Action required: Let's Encrypt certificate renewals but certbot shows OK

Hi,

Sorry for this dumbish question.

I keep getting this email:

Action required: Let's Encrypt certificate renewals

But when I run certbot dryrun, I get:

Cert not due for renewal, but simulating renewal for dry run

Plugins selected: Authenticator apache, Installer apache

Renewing an existing certificate

Performing the following challenges:

http-01 challenge for debian.serverblahblah.com

http-01 challenge for fedora.serverblahblah.com

http-01 challenge for houston.serverblahblah.com

http-01 challenge for solaris.serverblahblah.com

http-01 challenge for ubuntu.serverblahblah.com

http-01 challenge for serverblahblah.com

http-01 challenge for www.serverblahblah.com

Waiting for verification...

Cleaning up challenges

---

new certificate deployed with reload of apache server; fullchain is

/etc/letsencrypt/live/serverblahblah,com/fullchain.pem

---

---

** DRY RUN: simulating 'certbot renew' close to cert expiry

** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:

/etc/letsencrypt/live/unix.com/fullchain.pem (success)

** DRY RUN: simulating 'certbot renew' close to cert expiry

This seems to indicate all our certs are OK with http-01.

Why do we keep getting these emails?

It's not a problem; but are we OK like I think?

Thanks!

PS: serverblahblah.com is not the real name of the server .. obviously

Hi @neounix

if you have only http-01 - challenges, then it should be ok.

Hi Juergen,

Thanks. That's what I thought; but wanted to make sure.

Is there any reason I could change our server to use a challenge other than the:

http-01 challenge

?

Sorry, I'm not very smart on certbots; but am a big fan of Let's Encrypt and the services provided to web sites.

Why?

You can use dns-01 validation or tls-alpn-01 - validation. But tls-alpn isn't supportet via Certbot.

And you can redirect http -> https.

An open port 80 isn't a security problem if the server is correct configured.

Hi Juergen,

Do you mean we can change our challenge to:

https-01

?

Our server is SSL only for access, so we redirect all older http to https for quite some time.

Sorry, I do not understand the basics, my apologies.

There is no https-01. Perhaps read the basics:

No. You can use http-01 but simply redirect all http connections to https.

Some versions of certbot will use tls-sni-01 by default (for renewals) when it’s available, but will switch automatically to http-01 when it’s not. If you’re using one of those versions, a --dry-run will run against the staging server where tls-sni-01 is already disabled, so it simulates what will happen in the future when tls-sni-01 will be disabled on the live server. If your setup works correctly in that test, then you should be fine.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.