Certbot version < 0.28 but using "http-01 challenge", ok?

Hello,
I also got this action required email and I first had to search for the server with the appropriate domains. I've got servers with Debian 8.11, Debian 9.6, both with Certbot version 0.10.2 using the http-01 challenge for the domains on these servers (checked with certbot renew --dry-run). Is this ok then, when http-01 is being used? I am confused, because in most of the community topics I can read that I have to update the certbot client to version 0.28.

Then there was another server with Ubuntu 16 LTS and Certbot version 0.26.1. Certbot shows that it was using the “TLS-SNI-01 validation” for two domains AND http-01 validation for the other domains. We decided to perform a complete system upgrade to Ubuntu 18 LTS. Now Certbot version 0.23.0 is running on the updated server but using http-01 for all domains! This is also confusing because a system upgrade gets me a lower certbot version but http-01 validation for all domains. Now when I call ‘certbot renew --dry-run’ on the updated server certbot prints the following message:

“Attempting to parse the version 0.26.1 renewal configuration file found at /etc/letsencrypt/renewal/“a-porno-domain”.com.conf with version 0.23.0 of Certbot. This might not work.”

I wonder if there is still action required.

Hi @ThomasB,

This advice was really aimed at people who are using --apache or --nginx. If you’re not using these and you’re successfully completing renewals with HTTP-01 validation on an earlier version of Certbot, there’s no further action required in connection with the TLS-SNI-01 deprecation.

2 Likes

Ubuntu disables PPAs when you upgrade to a new release (e.g. 16.04 to 18.04), so you might just need to re-enable the PPA (and update the release name from xenial to bionic, if that didn’t happen automatically) and update if you want to get the latest version on the Ubuntu server (but as @schoen said, if it’s already using HTTP-01, you don’t have to update it).

2 Likes

Hi guys, thanks for your help! Yesterday I got an updated action required email that lists four domains using ACME TLS-SNI-01 domain validation in the past 60 days. I’ve already checked these domains with ‘certbot renew --dry-run’ and it shows ‘http-01 challenge for …’ and the message ‘Congratulations, all renewals succeeded.’ There must have been an update in the meantime when I called ‘aptitude update && aptitude safe-upgrade’ on my servers. I hope this is ok. Now I am waiting for day X …

Yeah if certbot renew --dry-run works, then you should be fine.
