Certbot 0.22 for debian 9

Hello, Im trying to install certbot for debian 9 following the steps on certbot.eff.org but it installs 019

deb http://ftp.debian.org/debian stretch-backports main
apt-get install python-certbot-apache -t stretch-backports
certbot --authenticator webroot --installer apache

Possible to get 0.22 ?

Only without using the Debian official packages.

Do you really need some of the new features added to certbot since 0.19? The command you just pasted should work. Do you run into some problem nontheless?

hello, it works fine for a single site but Im having issues getting certificate for subdomain www; at the moment I’m only able to configure without www

maybe Im not doing it right… I thought there might be an issue with 0.19

getting error message : could not satisfy CA requirements

That means you're using the tls-sni-01 challenge, which is disabled b/c of security issues. It also means you're not using --authenticator webroot for that site.

If you'd paste the exact command here with the exact output it generates, we might help you further.

Thank you I’d redo it again to explain better but I took the turn of wiping my server to go from scratch at the moment and I’m still trying to resolve an issue before I try certbot again.

However there is not much I did more; using the command certbot --authenticator webroot --installer apache I have been following the steps.

here is my apache config file:

<VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/example
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

<VirtualHost *:80>
ServerName admin.example.com
DocumentRoot /var/www/admin
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

When asked for which domain I’d like to certify I have been checking all 3 : example.com, www.example.com and admin.example.com
Setting a different folder for admin

That’s it really.

Do I need to wait for the new version of certbot ?

I'm beginning to doubt myself. The error "could not satisfy CA requirements" doesn't fully correspond with the error I was thinking about with regard to the tls-sni-01 challenge. That error message would have been "Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA." in total. Which is different from the error message you're getting, although there is some overlap in words.. Hence the confusion from my part. Sorry about that.

I would like to see the exact and full error message when you try again. It should work with the webroot plugin in certbot version 0.19.

Still not at the certbot step again (could take a few days at the speed my registrar is replying) but I found the error message in my browsing history :))

Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

so I might be having an issue with tls-sni-01 challenge ?

Yes. But you shouldn't when you actually entered --authenticator webroot on the command line.

I would suggest using that again when you're ready for the certbot part on your reinstallment of the server.

ok, I’ll report back when Im there again.

looks like it worked in the end. I think it was an issue with my registrar not updating dns. I just switched my ns and voila :slight_smile:

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.