Certbot version < 0.28 but using "http-01 challenge", ok?


#1

Hello,
I also got this action required email and I first had to search for the server with the appropriate domains. I ve got server with Debian 8.11, Debian 9.6, both with Certbot version 0.10.2 using the http-01 challenge for the domains on these servers (checked with certbot renew --dry-run). Is this ok then, when http-01 is being used? I am confused, because in most of the community topics I can read that I have to update the certbot client to version 0.28.

Then there was another server with Ubuntu 16 LTS and Certbot version 0.26.1. Certbot shows that it was using the “TLS-SNI-01 validation” for two domains AND http-01 validation for the other domains. We decided to perform a complete system upgrade to Ubuntu 18 LTS. Now Certbot version 0.23.0 is running on the updated server but using http-01 for all domains! This is also confusing because a system upgrade gets me a lower certbot version but http-01 validation for all domains. Now when I call ‘certbot renew --dry-run’ on the updated server certbot prints the following message:

“Attempting to parse the version 0.26.1 renewal configuration file found at /etc/letsencrypt/renewal/'a-porno-domain'.com.conf with version 0.23.0 of Certbot. This might not work.”

I wonder if there is still action required.


#2

Hi @ThomasB,

This advice was really aimed at people who are using --apache or --nginx. If you’re not using these and you’re successfully completing renewals with HTTP-01 validation on an earlier version of Certbot, there’s no further action required in connection with the TLS-SNI-01 deprecation.


#3

Ubuntu disables PPAs when you upgrade to a new release (e.g. 16.04 to 18.04), so you might just need to re-enable the PPA (and update the release name from xenial to bionic, if that didn’t happen automatically) and update if you want to get the latest version on the Ubuntu server (but as @schoen said, if it’s already using HTTP-01, you don’t have to update it).


#4

Hi guys, thanks for your help! Yesterday I got an updated action required email that lists four domains using ACME TLS-SNI-01 domain validation in the past 60 days. I've already checked these domains with ‘certbot renew --dry-run’ and it shows ‘http-01 challenge for …’ and the message ‘Congratulations, all renewals succeeded.’ There must have been an update in the meantime when I called ‘aptitude update && aptitude safe-upgrade’ on my servers. I hope this is ok. Now I am waiting for day X …


#5

Yeah, if certbot renew --dry-run works, then you should be fine.
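As an added example (not code from the thread or from Certbot itself) of the inventory step behind posts #2 and #5: the script below reads Certbot's renewal config files (the /etc/letsencrypt/renewal/*.conf files the OP's warning refers to) and flags which ones still look tied to TLS-SNI-01, using the thread's 0.28 threshold and the apache/nginx authenticator as the signal. It assumes the real `version`, `authenticator` and `pref_challs` keys of that file format; the sample configs are constructed, and `certbot renew --dry-run` remains the authoritative check.

```python
import configparser
import glob
import os

# Threshold from the thread: Certbot < 0.28 with --apache/--nginx is the
# case the "action required" e-mail is about; HTTP-01 users are not affected.
FIXED_VERSION = (0, 28)

def parse_version(text):
    """'0.26.1' -> (0, 26, 1) so versions compare numerically."""
    return tuple(int(p) for p in text.strip().split("."))

def assess_renewal_conf(text):
    """Classify one renewal .conf: 'affected' (tls-sni-01 explicitly preferred),
    'check' (old Certbot + apache/nginx authenticator: confirm with
    'certbot renew --dry-run') or 'ok'."""
    cp = configparser.ConfigParser(interpolation=None)
    # Certbot writes 'version = ...' before any [section]; configparser
    # rejects section-less keys, so prepend a synthetic header.
    cp.read_string("[top]\n" + text)
    version = parse_version(cp["top"].get("version", "0"))
    params = cp["renewalparams"] if cp.has_section("renewalparams") else {}
    authenticator = params.get("authenticator", "").strip()
    # pref_challs only appears when --preferred-challenges was used.
    prefs = [c.strip() for c in params.get("pref_challs", "").split(",") if c.strip()]
    if "tls-sni-01" in prefs:
        return "affected"
    if authenticator in ("apache", "nginx") and version < FIXED_VERSION \
            and "http-01" not in prefs:
        return "check"
    return "ok"

def scan_renewal_dir(path="/etc/letsencrypt/renewal"):
    """Map each <name>.conf under the renewal directory to its classification."""
    result = {}
    for conf in sorted(glob.glob(os.path.join(path, "*.conf"))):
        with open(conf, encoding="utf-8") as fh:
            result[os.path.basename(conf)] = assess_renewal_conf(fh.read())
    return result

# Constructed sample configs (not taken from any real server).
OLD_APACHE_CONF = "version = 0.26.1\n[renewalparams]\nauthenticator = apache\n"
TLS_SNI_CONF = ("version = 0.26.1\n[renewalparams]\nauthenticator = standalone\n"
                "pref_challs = tls-sni-01,\n")
HTTP01_CONF = "version = 0.23.0\n[renewalparams]\nauthenticator = webroot\n"

if __name__ == "__main__":
    for name, conf in [("old-apache", OLD_APACHE_CONF), ("tls-sni", TLS_SNI_CONF), ("http-01", HTTP01_CONF)]:
        print(name, assess_renewal_conf(conf))
```

Run `scan_renewal_dir()` as root on a server to get one verdict per config; a 'check' result on an old Certbot is exactly the situation the PPA re-enable advice in post #3 resolves.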