Action required: Let's Encrypt certificate renewals, What Domains?


#1

I received the email discussing the ACME TLS-SNI-01 domain validation issue. But it doesnt show what domains it applies to. I’ve checked them all, I am running certbot versions 23+ on Ubuntu 18.04.1 and one 16.04.5 LTS.

Running the dry run all the challenges show using HTTP-01

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: Various

I ran this command:
apt-cache policy certbot | grep -i Installed

It produced this output:
Installed: 0.28.0-1+ubuntu18.04.1+certbot+4
Installed: 0.23.0-1
Installed: 0.25.0-1+ubuntu16.04.1+certbot+1
Installed: 0.23.0-1

My web server is (include version):
Apache/2.4.29 (Ubuntu)
Apache/2.4.18 (Ubuntu)
Apache/2.4.33 (Ubuntu)

The operating system my web server runs on is (include version): 18.04.1 and one 16.04.5 LTS.

My hosting provider, if applicable, is: AWS & self,

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

Hi @Wmcclu

then you shouldn’t have a problem.

Add

--preferred-challenges http

to your command.


#3

Do I need to update all of my scripts to now include this or ran once will apply it for future runs?


#4

You can check your renew files in

/etc/letsencrypt/renewal

Or you create a cli.ini with preferred-challenges.


#5

What am I looking for in the renewal config files?


#6

Check if there is a standalone - authenticator (perhaps a problem) or tls-sni as validation method.


#7

I agree that it would be very useful to have the domain(s) included in the email. In our case, we haven’t used this validation form for some time, but there would appear to be one needle in the haystack where this must still be scripted.

Having the domain in the email would be very handy for tracking where this older setup is still lurking.

Nothing that’ll change my opinion on how great LetsEncrypt is, maybe something useful for similar changes. :smiley:


#8

One or two of my older domains from when LE first came out show:

Options used in the renewal process

[renewalparams]
authenticator = standalone
account = (xxx)
server = https://acme-v02.api.letsencrypt.org/directory

I went into the cli.ini and added the following per this post:
preferred-challenges = http


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.