Action required: Let's Encrypt certificate renewals

Today i received this email . kindly help me on this .

Hello,

Action may be required to prevent your Let's Encrypt certificate renewals from breaking.

If you already received a similar e-mail, this one contains updated information.

Your Let's Encrypt client used ACME TLS-SNI-01 domain validation to issue a certificate in the past 60 days. Below is a list of names and IP addresses validated (max of one per account):

merchant.priceblaze.pk (38.108.7.164) on 2018-12-08

TLS-SNI-01 validation is reaching end-of-life. It will stop working temporarily on February 13th, 2019, and permanently on March 13th, 2019.

Any certificates issued before then will continue to work for 90 days after their issuance date.

You need to update your ACME client to use an alternative validation method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your certificate renewals will break and existing certificates will start to expire.

Our staging environment already has TLS-SNI-01 disabled, so if you'd like to test whether your system will work after February 13, you can run against staging: Staging Environment - Let's Encrypt

If you're a Certbot user, you can find more information here:

Our forum has many threads on this topic. Please search to see if your question has been answered, then open a new thread if it has not:

https://community.letsencrypt.org/

For more information about the TLS-SNI-01 end-of-life please see our API

announcement:

Thank you,

Let's Encrypt Staff

Hi @fayaz

  • update your certbot, so you use a version >= 28.0
  • create a new test certificate with --dry-run as option

If that works, it should work directly.

Your domain has blocked mixed content ( https://check-your-website.server-daten.de/?q=merchant.priceblaze.pk ), so JavaScript code is missing and the site may not work as expected.

script
	
	http://code.jquery.com/jquery-2.0.0b1.js
	1
	mixed

script
	
	http://code.jquery.com/jquery-migrate-1.0.0.js
	1
	mixed

It's curious, FireFox blocks this complete, so no warning is visible.

hi

thanks for you reply can you please let me know how can i update the certbot…i am using centos with apche web server.

looking your response.

Check

to find your current version.

7 posts were split to a new topic: Upgrading certbot on Ubuntu

Facing this error :

[root@HMFR-4 ~]# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/merchant.priceblaze.pk.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Attempting to renew cert (merchant.priceblaze.pk) from /etc/letsencrypt/renewal/merchant.priceblaze.pk.conf produced an unexpected error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA… Skipping.


Processing /etc/letsencrypt/renewal/admin.priceblaze.pk.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator standalone, Installer apache
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Running pre-hook command: systemctl stop httpd
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for admin.priceblaze.pk
Waiting for verification…
Cleaning up challenges
Error while running apachectl graceful.

Job for httpd.service invalid.

Attempting to renew cert (admin.priceblaze.pk) from /etc/letsencrypt/renewal/admin.priceblaze.pk.conf produced an unexpected error: Error while running apachectl graceful.

Job for httpd.service invalid.
. Skipping.


Processing /etc/letsencrypt/renewal/www.priceblaze.pk.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator standalone, Installer apache
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Pre-hook command already run, skipping: systemctl stop httpd
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.priceblaze.pk
Waiting for verification…
Cleaning up challenges
Error while running apachectl graceful.

Job for httpd.service invalid.

Attempting to renew cert (www.priceblaze.pk) from /etc/letsencrypt/renewal/www.priceblaze.pk.conf produced an unexpected error: Error while running apachectl graceful.

Job for httpd.service invalid.
. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/merchant.priceblaze.pk/fullchain.pem (failure)
/etc/letsencrypt/live/admin.priceblaze.pk/fullchain.pem (failure)
/etc/letsencrypt/live/www.priceblaze.pk/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/merchant.priceblaze.pk/fullchain.pem (failure)
/etc/letsencrypt/live/admin.priceblaze.pk/fullchain.pem (failure)
/etc/letsencrypt/live/www.priceblaze.pk/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)

Running post-hook command: systemctl start httpd
3 renew failure(s), 0 parse failure(s)

@fayaz

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My web server is (include version): apache

The operating system my web server runs on is (include version): centos 7

My hosting provider, if applicable, is: i manage my self

I can login to a root shell on my machine (yes or no, or I don’t know): no

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):no controal panel

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): [root@HMFR-4 ~]# certbot --version
certbot 0.19.0
[root@HMFR-4 ~]#

This is old version:

You can follow this to update:
https://certbot.eff.org/lets-encrypt/centosrhel7-apache.html

hi

should i apply this

yum update python2-certbot-apache

pelase confirm me or guide me . step by step i am a new here

Yes, since you already have certbot, both may produce the same result:
sudo yum install python2-certbot-apache
sudo yum update python2-certbot-apache

[if not, then do both]

[root@HMFR-4 ~]# certbot --version
certbot 0.29.1
[root@HMFR-4 ~]#

Next please

That is a good version.
Check how many days are left in your cert(s):
certbot certificates

If you have many:
certbot certificates | grep -Ei 'expiry|domain'

[root@HMFR-4 ~]# certbot certificates | grep -Ei 'expiry|domain'
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Domains: merchant.priceblaze.pk
Expiry Date: 2019-03-08 15:00:20+00:00 (VALID: 37 days)
Domains: admin.priceblaze.pk
Expiry Date: 2019-03-08 15:00:32+00:00 (VALID: 37 days)
Domains: www.priceblaze.pk
Expiry Date: 2019-03-08 15:00:42+00:00 (VALID: 37 days)
[root@HMFR-4 ~]#

OK. [You have 37 days to fix this - LOL]

Now lets try a test renewal.
Please show the output of:
certbot renew --dry-run -v

StandaloneBindError: Problem binding to port 80: Could not bind to IPv4 or IPv6.

The following certs could not be renewed:
/etc/letsencrypt/live/merchant.priceblaze.pk/fullchain.pem (failure)
/etc/letsencrypt/live/www.priceblaze.pk/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

The following certs were successfully renewed:
/etc/letsencrypt/live/admin.priceblaze.pk/fullchain.pem (success)

The following certs could not be renewed:
/etc/letsencrypt/live/merchant.priceblaze.pk/fullchain.pem (failure)
/etc/letsencrypt/live/www.priceblaze.pk/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


Running post-hook command: systemctl start httpd
Exiting abnormally:
Traceback (most recent call last):
File “/usr/bin/certbot”, line 9, in
load_entry_point(‘certbot==0.29.1’, ‘console_scripts’, ‘certbot’)()
File “/usr/lib/python2.7/site-packages/certbot/main.py”, line 1352, in main
return config.func(config, plugins)
File “/usr/lib/python2.7/site-packages/certbot/main.py”, line 1259, in renew
renewal.handle_renewal_request(config)
File “/usr/lib/python2.7/site-packages/certbot/renewal.py”, line 457, in handle_renewal_request
len(renew_failures), len(parse_failures)))
Error: 2 renew failure(s), 0 parse failure(s)
2 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: merchant.priceblaze.pk
    Type: unauthorized
    Detail: Invalid response from
    http://merchant.priceblaze.pk/.well-known/acme-challenge/zpmAm3l9RcWGdqe6IPhMJ0-o0P6_Bjqv_lUQfAsjyYg:
    "\n\n<html lang=“en”>\n\n <meta
    http-equiv=“content-type” content=“text/html; charset=utf-8”>\n

    Page not"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.
    [root@HMFR-4 ~]#

NOW ?

1 Like

It seems that when you last renewed you used --standalone
That is not recommended; as it requires to stop your web server in order to spin up a new temporary web server to serve the authentication challenge requests.

Unless you are ok with stopping the web server temporarily?
[during the test only - then you can start it again]

Otherwise, we would have to try using --webroot instead.
But that would require determining the webroots for each domain.
[that could take some time]

If you are OK with temporary stop, try:
systemctl stop apache2
certbot renew --dry-run -v
systemctl start apache2

And show the certbot output.

[root@HMFR-4 ~]# systemctl stop httpd
[root@HMFR-4 ~]# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/merchant.priceblaze.pk.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for merchant.priceblaze.pk
Error while running apachectl graceful.

Job for httpd.service invalid.

Unable to restart apache using [‘apachectl’, ‘graceful’]
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (merchant.priceblaze.pk) from /etc/letsencrypt/renewal/merchant.priceblaze.pk.conf produced an unexpected error: Failed authorization procedure. merchant.priceblaze.pk (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://merchant.priceblaze.pk/.well-known/acme-challenge/VOMSrQgXufaFaxDdtOq8xVz8udwNRBTBoomldXx0oTw: “\n\n<html lang=“en”>\n\n <meta http-equiv=“content-type” content=“text/html; charset=utf-8”>\n Page not”. Skipping.


Processing /etc/letsencrypt/renewal/admin.priceblaze.pk.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator standalone, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Running pre-hook command: systemctl stop httpd
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for admin.priceblaze.pk
Waiting for verification…
Cleaning up challenges
Resetting dropped connection: acme-staging-v02.api.letsencrypt.org
Error while running apachectl graceful.

Job for httpd.service invalid.

Unable to restart apache using [‘apachectl’, ‘graceful’]


new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/admin.priceblaze.pk/fullchain.pem



Processing /etc/letsencrypt/renewal/www.priceblaze.pk.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator standalone, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Pre-hook command already run, skipping: systemctl stop httpd
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.priceblaze.pk
Cleaning up challenges
Attempting to renew cert (www.priceblaze.pk) from /etc/letsencrypt/renewal/www.priceblaze.pk.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6… Skipping.
The following certs could not be renewed:
/etc/letsencrypt/live/merchant.priceblaze.pk/fullchain.pem (failure)
/etc/letsencrypt/live/www.priceblaze.pk/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

The following certs were successfully renewed:
/etc/letsencrypt/live/admin.priceblaze.pk/fullchain.pem (success)

The following certs could not be renewed:
/etc/letsencrypt/live/merchant.priceblaze.pk/fullchain.pem (failure)
/etc/letsencrypt/live/www.priceblaze.pk/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


Running post-hook command: systemctl start httpd
2 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: merchant.priceblaze.pk
    Type: unauthorized
    Detail: Invalid response from
    http://merchant.priceblaze.pk/.well-known/acme-challenge/VOMSrQgXufaFaxDdtOq8xVz8udwNRBTBoomldXx0oTw:
    "\n\n<html lang=“en”>\n\n <meta
    http-equiv=“content-type” content=“text/html; charset=utf-8”>\n

    Page not"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.
    [root@HMFR-4 ~]# systemctl status apachectl
    ● apachectl.service
    Loaded: not-found (Reason: No such file or directory)
    Active: inactive (dead)
    [root@HMFR-4 ~]# systemctl status apache2
    ● apache2.service
    Loaded: not-found (Reason: No such file or directory)
    Active: inactive (dead)
    [root@HMFR-4 ~]# systemctl start httpd

kindly advise further .

[modified instructions]
If you are OK with temporary stop, try:
systemctl stop apache2
certbot renew --dry-run -v --standalone
[if that fails also try]
certbot renew --dry-run -v --installer null
systemctl start apache2