Action required: Let's Encrypt certificate renewals

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domains are:
dl.navaak.com, static.sarirapp.com, static.navaak.com, stream.navaak.com, dl-at.navaak.com

I ran this command:
1- certbot --version
(output) certbot 0.28.0

2- grep -Ri pref_challs /etc/letsencrypt/renewal/
(output) nothing

3- /usr/bin/certbot renew
(output)
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/dl.navaak.com.conf


Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/static.sarirapp.com.conf


Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/static.navaak.com.conf


Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/stream.navaak.com.conf


Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/dl-at.navaak.com.conf


Cert not yet due for renewal


The following certs are not due for renewal yet:
/etc/letsencrypt/live/dl.navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/static.sarirapp.com/fullchain.pem expires on 2019-04-11 (skipped)
/etc/letsencrypt/live/static.navaak.com/fullchain.pem expires on 2019-03-17 (skipped)
/etc/letsencrypt/live/stream.navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/dl-at.navaak.com/fullchain.pem expires on 2019-03-16 (skipped)
No renewals were attempted.


It produced this output:

My web server is (include version):
nginx/1.14.0

The operating system my web server runs on is (include version):
Ubuntu 18.04.1 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
no
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.28.0

I got an email from Let’s Encrypt. It is about "Action required: Let’s Encrypt certificate renewals".
Your Let’s Encrypt client used ACME TLS-SNI-01 domain validation to issue a certificate in the past 60 days.
TLS-SNI-01 validation is reaching end-of-life and will stop working on February 13th, 2019.

What should I do? Is everything ok about my letsencrypt??

You can test the renewal process with:

certbot renew --dry-run


The names resolve to two IPs.
Be sure this one server is responding to both IPs (or some may fail).

Also be sure port 80 is open to both IPs.

[your ports are open - that was for others that may be looking for similar direction]

I have run this command and this is my output.
This is our production server and I need to be sure everything about Let’s Encrypt is fine.
Thank you so much for your great support.

certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/dl.navaak.com.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for dl-premium.navaak.com
http-01 challenge for dl.navaak.com
Waiting for verification…
Cleaning up challenges


new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/dl.navaak.com/fullchain.pem



Processing /etc/letsencrypt/renewal/static.sarirapp.com.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for static.sarirapp.com
Waiting for verification…
Cleaning up challenges


new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/static.sarirapp.com/fullchain.pem



Processing /etc/letsencrypt/renewal/static.navaak.com.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for static-premium.navaak.com
http-01 challenge for static.navaak.com
Waiting for verification…
Cleaning up challenges


new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/static.navaak.com/fullchain.pem



Processing /etc/letsencrypt/renewal/stream.navaak.com.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for stream-premium.navaak.com
http-01 challenge for stream.navaak.com
Waiting for verification…
Cleaning up challenges


new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/stream.navaak.com/fullchain.pem



Processing /etc/letsencrypt/renewal/dl-at.navaak.com.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for dl-at-premium.navaak.com
http-01 challenge for dl-at.navaak.com
http-01 challenge for dl-at.sarirapp.com
http-01 challenge for static-at-premium.navaak.com
http-01 challenge for static-at.navaak.com
http-01 challenge for static-at.sarirapp.com
http-01 challenge for stream-at-admin.navaak.com
http-01 challenge for stream-at-premium.navaak.com
http-01 challenge for stream-at.navaak.com
http-01 challenge for stream-at.sarirapp.com
Waiting for verification…
Cleaning up challenges


new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/dl-at.navaak.com/fullchain.pem



** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/dl.navaak.com/fullchain.pem (success)
/etc/letsencrypt/live/static.sarirapp.com/fullchain.pem (success)
/etc/letsencrypt/live/static.navaak.com/fullchain.pem (success)
/etc/letsencrypt/live/stream.navaak.com/fullchain.pem (success)
/etc/letsencrypt/live/dl-at.navaak.com/fullchain.pem (success)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


Hi, Thanks.
Yes. There are 2 IPs and the port is open for both of them.

Looks good, no errors. This should also work for real renewals.
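Added example, not part of the original thread: with many lineages, the check done by eye above (every challenge in the dry run is http-01, none is tls-sni-01) can be scripted. The function names `challenge_summary` and `sample_output` are hypothetical, and the sample input is constructed with example.com names.

```shell
#!/bin/sh
# Reads `certbot renew --dry-run` output on stdin and prints one line per
# lineage: "<lineage> <challenge types used>".
# Exit status: 0 if no lineage used tls-sni-01, 1 otherwise.
challenge_summary() {
    awk '
        /^Processing / {
            # "Processing /etc/letsencrypt/renewal/<lineage>.conf"
            n = split($2, parts, "/")
            name = parts[n]
            sub(/\.conf$/, "", name)
            order[++count] = name
            next
        }
        / challenge for / && name != "" {
            # "<type> challenge for <domain>"
            type = $1
            if (!((name, type) in seen)) {
                seen[name, type] = 1
                types[name] = (types[name] == "" ? type : types[name] "," type)
            }
            if (type == "tls-sni-01") bad = 1
        }
        END {
            for (i = 1; i <= count; i++) {
                t = types[order[i]]
                print order[i], (t == "" ? "none" : t)
            }
            exit bad + 0
        }
    '
}

# Constructed sample input (not taken from the thread).
sample_output() {
    cat <<'EOF'
Processing /etc/letsencrypt/renewal/www.example.com.conf
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Performing the following challenges:
http-01 challenge for www.example.com
http-01 challenge for example.com
Waiting for verification...
Processing /etc/letsencrypt/renewal/legacy.example.com.conf
Performing the following challenges:
tls-sni-01 challenge for legacy.example.com
EOF
}

sample_output | challenge_summary || echo "tls-sni-01 still in use"
```

On a real host, feed it the live output with `certbot renew --dry-run 2>&1 | challenge_summary`.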
