Action required Let's Encrypt certificate renewals

My domain is: työtuoli.fi
My web server is (include version): Apache 2.4
The operating system my web server runs on is (include version): Ubuntu Server LTS. 14.04 (Trusty Tahr)
I can login to a root shell on my machine (yes or no, or I don’t know): Yes

Hello, I just got this email on 5 March:

Action may be required to prevent your Let’s Encrypt certificate renewals from
breaking.

If you already received a similar e-mail, this one contains updated information.

Your Let’s Encrypt client used ACME TLS-SNI-01 domain validation to issue a
certificate in the past 12 days. Below is a list of names and IP addresses
validated (max of one per account):

työtuoli.fi on 2019-02-22

So I run these commands:

$ sudo apt-get update

$ sudo apt-get install software-properties-common

$ sudo add-apt-repository universe

$ sudo add-apt-repository ppa:certbot/certbot

$ sudo apt-get update

$ sudo apt-get install certbot python-certbot-apache

sudo sh -c "sed -i.bak -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/g' /etc/letsencrypt/renewal/*; rm -f /etc/letsencrypt/renewal/*.bak"

sudo certbot renew --dry-run

The result of the sudo certbot renew --dry-run command is:
Processing /etc/letsencrypt/renewal/xxx.conf


Attempting to parse the version 0.31.0 renewal configuration file found at /etc/letsencrypt/renewal/xxx.conf with version 0.28.0 of Certbot. This might not work.
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for xxxx
Waiting for verification…
Cleaning up challenges

And result is
Congratulations, all renewals succeeded. The following certs have been renewed:

I just wonder about this line:
Attempting to parse the version 0.31.0 renewal configuration file found at /etc/letsencrypt/renewal/xxx.conf with version 0.28.0 of Certbot. This might not work.

Can I somehow know whether certbot works OK or not?

Yours timo

I run
certbot --version || /path/to/certbot-auto --version
Result is: certbot 0.28.0

So I’ve managed to update certbot to 0.28.0.

The question is

Attempting to parse the version 0.31.0 renewal configuration file found at /etc/letsencrypt/renewal/xxx.conf with version 0.28.0 of Certbot. This might not work.

This might not work. So I ask: will certbot 0.28.0 update my certificates in the future?
And what command do I run to test it?

Yours Timo
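
Added example, not part of the thread: a read-only audit of a renewal directory that lists configs still naming tls-sni-01 in pref_challs, and configs written by a newer Certbot than the installed one, which is the condition the "This might not work" warning reports. The function names, output labels and sample files are constructed, and the file layout (a `version = ` line plus `pref_challs` under `[renewalparams]`) is an assumption about what Certbot writes.

```shell
#!/bin/sh
# Added example: read-only audit of Certbot renewal configs.
# audit_renewal_confs DIR INSTALLED_VERSION prints one finding per line:
#   NEWER  <file> <version>  file was written by a newer Certbot than INSTALLED_VERSION
#   TLSSNI <file>            pref_challs still lists tls-sni-01
audit_renewal_confs() {
    dir=$1
    installed=$2
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        name=${conf##*/}
        # "version = X.Y.Z" records which Certbot release last wrote the file.
        written=$(sed -n 's/^version *= *\([0-9][0-9.]*\).*/\1/p' "$conf" | head -n 1)
        if [ -n "$written" ] && [ "$written" != "$installed" ]; then
            # sort -V orders version strings; the first line is the older one.
            older=$(printf '%s\n%s\n' "$written" "$installed" | sort -V | head -n 1)
            if [ "$older" = "$installed" ]; then
                echo "NEWER $name $written"
            fi
        fi
        # Same line the sed one-liner in the thread rewrites to http-01.
        if grep -q '^pref_challs.*tls-sni-01' "$conf"; then
            echo "TLSSNI $name"
        fi
    done
    return 0
}

# Constructed sample directory (hypothetical names, not the poster's files).
make_sample_renewal_dir() {
    d=$(mktemp -d)
    printf '%s\n' 'version = 0.31.0' '[renewalparams]' \
        'authenticator = apache' 'pref_challs = http-01,' > "$d/a.example.conf"
    printf '%s\n' 'version = 0.22.0' '[renewalparams]' \
        'authenticator = apache' 'pref_challs = tls-sni-01,' > "$d/b.example.conf"
    echo "$d"
}

sample=$(make_sample_renewal_dir)
audit_renewal_confs "$sample" 0.28.0
rm -rf "$sample"
```

On a real host the directory would be /etc/letsencrypt/renewal and the second argument the version printed by `certbot --version`.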

Hi @timo

your certificate is still valid for 73 days ( https://check-your-website.server-daten.de/?q=työtuoli.fi )

CN=xn--tytuoli-b1a.fi | 22.02.2019 | 23.05.2019 | expires in 73 days | työtuoli.fi (xn--tytuoli-b1a.fi) - 1 entry

So you don’t need a new certificate now. But: Your configuration is incomplete:

Domainname | Http-Status | redirect | Sec. | G
http://työtuoli.fi/ (178.63.3.78) | 301 | https://työtuoli.fi/ | 0.047 | A
http://www.työtuoli.fi/ (178.63.3.78) | 301 | https://www.työtuoli.fi/ | 0.047 | A
https://www.työtuoli.fi/ (178.63.3.78) | 301 | https://työtuoli.fi/ | 1.603 | N (Certificate error: RemoteCertificateNameMismatch)
https://työtuoli.fi/ (178.63.3.78) | 200 | | 1.487 | I

You have a DNS entry with www, but your certificate has only the non-www version.

So try to create a new certificate with both domain names. That updates your config file:

sudo certbot --apache -d xn--tytuoli-b1a.fi -d www.xn--tytuoli-b1a.fi

Then

  • you have a certificate with both domain names, so both connections are secure and
  • Certbot should update your config file

If you use --dry-run, your config file isn’t updated.

I run

sudo certbot --apache -d xn--tytuoli-b1a.fi -d www.xn--tytuoli-b1a.fi
sudo certbot --apache -d kassakaappi.net -d www.kassakaappi.net
sudo certbot --apache -d ergonea.fi -d www.ergonea.fi

I just do not know how to run example
hiekkalaatikko.kassakaappi.net
template.kassakaappi.net
static.kassakaappi.net.conf

Here is the list of addresses which might not work.

hiekkalaatikko.kassakaappi.net
template.kassakaappi.net
static.kassakaappi.net

eco-toimistotarvikkeet.fi
hiekkalaatikko.eco-toimistotarvikkeet.fi
template.eco-toimistotarvikkeet.fi
static.eco-toimistotarvikkeet.fi

proficient.fi
hiekkalaatikko.proficient.fi
template.proficient.fi
static.proficient.fi

hiekkalaatikko.ergonea.fi
template.ergonea.fi
static.ergonea.fi

Here is the description of why certificate renewal for these addresses does not work:

Attempting to parse the version 0.31.0 renewal configuration file found at /etc/letsencrypt/renewal/hiekkalaatikko.kassakaappi.net.conf with version 0.28.0 of Certbot. This might not work.
Attempting to parse the version 0.31.0 renewal configuration file found at /etc/letsencrypt/renewal/eco-toimistotarvikkeet.fi.conf with version 0.28.0 of Certbot. This might not work.
Attempting to parse the version 0.31.0 renewal configuration file found at /etc/letsencrypt/renewal/hiekkalaatikko.eco-toimistotarvikkeet.fi.conf with version 0.28.0 of Certbot. This might not work.
Attempting to parse the version 0.31.0 renewal configuration file found at /etc/letsencrypt/renewal/static.eco-toimistotarvikkeet.fi.conf with version 0.28.0 of Certbot. This might not work.
Attempting to parse the version 0.31.0 renewal configuration file found at /etc/letsencrypt/renewal/proficient.fi.conf with version 0.28.0 of Certbot. This might not work.
Attempting to parse the version 0.31.0 renewal configuration file found at /etc/letsencrypt/renewal/template.proficient.fi.conf with version 0.28.0 of Certbot. This might not work.
Attempting to parse the version 0.31.0 renewal configuration file found at /etc/letsencrypt/renewal/hiekkalaatikko.proficient.fi.conf with version 0.28.0 of Certbot. This might not work.
Attempting to parse the version 0.31.0 renewal configuration file found at /etc/letsencrypt/renewal/template.kassakaappi.net.conf with version 0.28.0 of Certbot. This might not work.
Attempting to parse the version 0.31.0 renewal configuration file found at /etc/letsencrypt/renewal/static.proficient.fi.conf with version 0.28.0 of Certbot. This might not work.
Attempting to parse the version 0.31.0 renewal configuration file found at /etc/letsencrypt/renewal/static.ergonea.fi.conf with version 0.28.0 of Certbot. This might not work.
Attempting to parse the version 0.31.0 renewal configuration file found at /etc/letsencrypt/renewal/template.ergonea.fi.conf with version 0.28.0 of Certbot. This might not work.
Attempting to parse the version 0.31.0 renewal configuration file found at /etc/letsencrypt/renewal/template.eco-toimistotarvikkeet.fi.conf with version 0.28.0 of Certbot. This might not work.
Attempting to parse the version 0.31.0 renewal configuration file found at /etc/letsencrypt/renewal/static.kassakaappi.net.conf with version 0.28.0 of Certbot. This might not work.
Attempting to parse the version 0.31.0 renewal configuration file found at /etc/letsencrypt/renewal/hiekkalaatikko.ergonea.fi.conf with version 0.28.0 of Certbot. This might not work.

Well I try to run certbot-auto which is in my cronjob

I run

/root/certbot-auto renew --dry-run

And everything goes all right; there is no error like

Attempting to parse the version 0.31.0 renewal configuration file found at /etc/letsencrypt/renewal/xxxx.conf with version 0.28.0 of Certbot. This might not work.

I run

/root/certbot-auto --version

certbot 0.32.0

But there is a new warning. This warning appears only when I use certbot-auto; I do not know why.

/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/cryptography/hazmat/primitives/constant_time.py:26: CryptographyDeprecationWarning: Support for your Python version is deprecated. The next version of cryptography will remove support. Please upgrade to a 2.7.x release that supports hmac.compare_digest as soon as possible.
utils.DeprecatedIn23,

How to handle this?

I have these python versions:

ls /usr/bin/python*

/usr/bin/python /usr/bin/python2.7 /usr/bin/python2-config /usr/bin/python3.4 /usr/bin/python3-futurize /usr/bin/python3-pasteurize
/usr/bin/python2 /usr/bin/python2.7-config /usr/bin/python3 /usr/bin/python3.4m /usr/bin/python3m /usr/bin/python-config

I wonder, does certbot-auto use a different Python version than certbot?

When I run
/root/certbot-auto --version
result:

/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/cryptography/hazmat/primitives/constant_time.py:26: CryptographyDeprecationWarning: Support for your Python version is deprecated. The next version of cryptography will remove support. Please upgrade to a 2.7.x release that supports hmac.compare_digest as soon as possible.
utils.DeprecatedIn23,
certbot 0.32.0

When I run
certbot --version
Result:

certbot 0.28.0

I just want certbot or certbot-auto to work.

If I use certbot-auto, I need to know whether I need to worry about this warning,
and if I need to worry about it, how to fix it.

/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/cryptography/hazmat/primitives/constant_time.py:26: CryptographyDeprecationWarning: Support for your Python version is deprecated. The next version of cryptography will remove support. Please upgrade to a 2.7.x release that supports hmac.compare_digest as soon as possible.
utils.DeprecatedIn23,

If I use certbot I need to fix this.

Attempting to parse the version 0.31.0 renewal configuration file found at /etc/letsencrypt/renewal/proficient.fi.conf with version 0.28.0 of Certbot. This might not work.

So please help me.

certbot-auto is an autoupdater which installs new versions of itself whenever it’s run. By contrast, certbot is the operating system packaged version. It’s normal for the version of certbot-auto to be newer than the version of certbot.

Did any of the advice you saw mention that it wasn’t applicable to certbot-auto users? If not, we probably need to fix our advice.

I can try to find out more about the DeprecationWarning, but I think it’s likely related to the fact that your operating system release is going to become unsupported on April 30 of this year (in 50 days from now). Do you have a plan or the ability to upgrade to a newer operating system release?

Like I discovered, make sure that ALL of your plugins are version 0.28 or higher:

$ certbot --version
certbot 0.28.0
$ dpkg --list | grep -E "python.?-certbot"
ii  python-certbot-nginx          0.28.0-1+ubuntu16.04.1+certbot+3      all          transitional dummy package
ii  python3-certbot               0.28.0-1+ubuntu16.04.1+certbot+4      all          main library for certbot
ii  python3-certbot-nginx         0.25.0-2+ubuntu16.04.1+certbot+1      all          Nginx plugin for Certbot

See how one plugin was still version 0.25? That was the problem for me, and it took a while to find :)

So just update it to 0.28 or newer (eg. sudo apt install python3-certbot-nginx), and then it should use http-01
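
Added example, not part of the post above: the same check done mechanically, reading `dpkg --list` output and printing every installed python-certbot or python3-certbot package whose upstream version differs from the one the `certbot` command reports. The function names are constructed, and the sample is the package list from the post above.

```shell
#!/bin/sh
# Added example: flag installed Certbot packages whose upstream version
# differs from the expected one.
# Reads `dpkg --list` output on stdin; $1 is the expected version, e.g. 0.28.0.
stale_certbot_packages() {
    awk -v want="$1" '
        # Only fully installed packages ("ii") named python-/python3-certbot*.
        $1 == "ii" && $2 ~ /^python.?-certbot/ {
            upstream = $3
            sub(/^[0-9]+:/, "", upstream)   # drop an epoch prefix if present
            sub(/-.*/, "", upstream)        # drop the Debian revision
            if (upstream != want) print $2, upstream
        }'
}

# Sample input: the dpkg listing quoted in the post above.
sample_dpkg_list() {
    cat <<'EOF'
ii  python-certbot-nginx          0.28.0-1+ubuntu16.04.1+certbot+3      all          transitional dummy package
ii  python3-certbot               0.28.0-1+ubuntu16.04.1+certbot+4      all          main library for certbot
ii  python3-certbot-nginx         0.25.0-2+ubuntu16.04.1+certbot+1      all          Nginx plugin for Certbot
EOF
}

sample_dpkg_list | stale_certbot_packages 0.28.0
```

On a real host, pipe `dpkg --list` into `stale_certbot_packages` instead of the sample; empty output means every Certbot package matches.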

Thank you! Torniojaws

$ certbot --version
certbot 0.28.0

$ dpkg --list | grep -E "python.?-certbot"
ii python-certbot 0.14.2-1+certbot+14.041 all main library for certbot
ii python-certbot-apache 0.28.0-1+ubuntu14.04.1+certbot+3 all transitional dummy package
ii python3-certbot 0.28.0-1+ubuntu14.04.1+certbot+4 all main library for certbot
ii python3-certbot-apache 0.28.0-1+ubuntu14.04.1+certbot+3 all Apache plugin for Certbot

So I must update python-certbot

sudo apt install python-certbot

Do I understand your advice correctly?

I run

$ sudo apt install python-certbot

Result

python-certbot is already the newest version.
The following packages were automatically installed and are no longer required:
libmpdec2 python-augeas
Use ‘apt-get autoremove’ to remove them.

I run

$ dpkg --list | grep -E "python.?-certbot"
Result
ii python-certbot 0.14.2-1+certbot+14.041 all main library for certbot
ii python-certbot-apache 0.28.0-1+ubuntu14.04.1+certbot+3 all transitional dummy package
ii python3-certbot 0.28.0-1+ubuntu14.04.1+certbot+4 all main library for certbot
ii python3-certbot-apache 0.28.0-1+ubuntu14.04.1+certbot+3 all Apache plugin for Certbot

If this is my problem,
how can I update python-certbot 0.14.2-1 to 0.28.0-1?

Update your package lists. The PPA now has Certbot 0.31 for Ubuntu 14.04:

apt-get update
apt-get install certbot python-certbot-apache

If you still have the old version of python-certbot after that, it might be worth removing it and re-installing it all (your existing certificates and data will not be touched):

dpkg --remove python-certbot
apt-get install --reinstall certbot python-certbot-apache

Since the PPA transitioned from Python 2 to Python 3, the Python 2 “python-*” packages are just dummy transitional packages with no version requirements.

I run

apt-get update
apt-get install certbot python-certbot-apache

And check: the old version is still there

So I run

dpkg --remove python-certbot
apt-get install --reinstall certbot python-certbot-apache

And then, just as a test, I run

sudo certbot renew --dry-run

Congratulations, all renewals succeeded.

And this message no longer appears:

Attempting to parse the version 0.31.0 renewal configuration file found at /etc/letsencrypt/renewal/xxx.conf with version 0.28.0 of Certbot. This might not work.

So everything works fine with certbot now. Thank you _az!

I just wonder why

/root/certbot-auto --version

still gives this message.

/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/cryptography/hazmat/primitives/constant_time.py:26: CryptographyDeprecationWarning: Support for your Python version is deprecated. The next version of cryptography will remove support. Please upgrade to a 2.7.x release that supports hmac.compare_digest as soon as possible.
utils.DeprecatedIn23,
certbot 0.32.0

But anyway I can renew certificates with certbot
