Got email, Action required: Let's Encrypt certificate renewals


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: jobs.klimb.io

I ran this command: sudo certbot renew --dry-run

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/jobs.klimb.io.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for jobs.klimb.io
Waiting for verification…
Cleaning up challenges


new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/jobs.klimb.io/fullchain.pem


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/jobs.klimb.io/fullchain.pem (success)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)

My web server is (include version): Apache2

The operating system my web server runs on is (include version): ubuntu 14.0

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.22.2

I checked this file:

cat jobs.klimb.io.conf

renew_before_expiry = 30 days

version = 0.22.2
archive_dir = /etc/letsencrypt/archive/jobs.klimb.io
cert = /etc/letsencrypt/live/jobs.klimb.io/cert.pem
privkey = /etc/letsencrypt/live/jobs.klimb.io/privkey.pem
chain = /etc/letsencrypt/live/jobs.klimb.io/chain.pem
fullchain = /etc/letsencrypt/live/jobs.klimb.io/fullchain.pem

Options used in the renewal process

[renewalparams]
authenticator = apache
account = #################### (actual id not given for security)
installer = apache

And pref_challs = http-01 is not present in jobs.klimb.io.conf.

Please, I need your help. Awaiting your reply.


#2

Looks good.

You should upgrade using these instructions: https://certbot.eff.org/lets-encrypt/ubuntutrusty-apache

That should be the only thing you need to do.


#3

Is it mandatory to upgrade certbot? After upgrading it, will it automatically configure https-01?


#4

According to your dry run, Certbot is already not using TLS-SNI-01. So if you did nothing right now, everything would keep working.

If you don’t want to upgrade, nobody is forcing you, but it’s a good idea.


#5

Thank you for your immediate response. Appreciated.
But yesterday I again received an email, i.e.:
Your Let’s Encrypt client used ACME TLS-SNI-01 domain validation to issue
a certificate in the past 60 days. Below is a list of names and IP
addresses validated (max of one per account):
jobs.klimb.io (xxx.xx.xxx.xxx) on 2018-12-26.

No idea why I even got this email, worrying…


#6

I know the email is a bit spooky, but there is a plausible explanation for having received it and not having to take action:

If you want to be especially cautious - upgrade Certbot.


#7

Many thanks dear @_az :hugs:


#8

According to the email: A client from that IP used TLS-SNI-01.
According to the --dry-run: Your client is able to use HTTP-01.
So…
I believe both are true; and can be true when:
The client prefers to use TLS-SNI-01, but can also use HTTP-01 (as fallback).
[like it’s already set to use: --preferred_challenges https,http,dns]
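The check discussed in posts #4 and #8, written out as an added example (not part of any post in this thread, and not Certbot's own code): it reads a renewal config and a `certbot renew --dry-run` transcript and reports which challenge type was pinned and which was actually performed. The sample inputs are constructed for `example.com`, and the function names are hypothetical.

```python
import configparser
import re

# Constructed sample inputs modelled on the files quoted in post #1.
SAMPLE_CONF = """\
# renew_before_expiry = 30 days
version = 0.22.2
cert = /etc/letsencrypt/live/example.com/cert.pem
# Options used in the renewal process
[renewalparams]
authenticator = apache
installer = apache
"""
SAMPLE_DRY_RUN = """\
Plugins selected: Authenticator apache, Installer apache
Performing the following challenges:
http-01 challenge for example.com
Waiting for verification...
"""

def parse_renewal_conf(text):
    # Renewal files put keys before any [section]; configparser needs a
    # section header first, so prepend a dummy one named "top".
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string("[top]\n" + text)
    params = cp["renewalparams"] if cp.has_section("renewalparams") else {}
    raw = params.get("pref_challs", "")
    prefs = [p.strip() for p in raw.split(",") if p.strip()]
    return {"version": cp["top"].get("version"),
            "authenticator": params.get("authenticator"),
            "pref_challs": prefs}

def challenges_performed(dry_run_output):
    # Matches lines such as "http-01 challenge for example.com".
    found = re.findall(r"^(\S+-01) challenge for ", dry_run_output, re.M)
    return sorted(set(found))

def audit(conf_text, dry_run_output):
    conf = parse_renewal_conf(conf_text)
    used = challenges_performed(dry_run_output)
    findings = []
    if "tls-sni-01" in conf["pref_challs"]:
        findings.append("renewal conf pins tls-sni-01 in pref_challs")
    if "tls-sni-01" in used:
        findings.append("dry run performed a tls-sni-01 challenge")
    if not conf["pref_challs"]:
        findings.append("no pref_challs set: the installed certbot/plugin "
                        "chooses the challenge type")
    return {"conf": conf, "used": used, "findings": findings}

if __name__ == "__main__":
    print(audit(SAMPLE_CONF, SAMPLE_DRY_RUN))
```

On a real host, pass the contents of a file under /etc/letsencrypt/renewal/ and the captured dry-run output in place of the samples.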


#9

Appreciated @rg305, Many Thanks.