Help for "Action required: Let's Encrypt certificate renewals "

yaylitzis · January 18, 2019, 10:25am

Hello, I received the email (Action required: Let's Encrypt certificate renewals). Can you help me please, how to chenk if my settings are ok?

I checked the certbot version from this command apt-cache policy certbot | grep -i Installed and the output was Installed: 0.17.0-2+ubuntu16.04.1+certbot+1

I post here the content of my 2 files in /etc/letsencrypt/renewal/

1 domain: kotronis-plastics.gr

# renew_before_expiry = 30 days
version = 0.17.0
archive_dir = /etc/letsencrypt/archive/kotronis-plastics.gr
cert = /etc/letsencrypt/live/kotronis-plastics.gr/cert.pem
privkey = /etc/letsencrypt/live/kotronis-plastics.gr/privkey.pem
chain = /etc/letsencrypt/live/kotronis-plastics.gr/chain.pem
fullchain = /etc/letsencrypt/live/kotronis-plastics.gr/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = apache
account = 40edc6c1ddd0b612e2e3216a3de2f94a
[[webroot_map]]
www.kotronis-plastics.gr = /var/www/html/mysite
kotronis-plastics.gr = /var/www/html/mysite

2 domain: scti.gr

# renew_before_expiry = 30 days
version = 0.17.0
archive_dir = /etc/letsencrypt/archive/scti.gr-0001
cert = /etc/letsencrypt/live/scti.gr-0001/cert.pem
privkey = /etc/letsencrypt/live/scti.gr-0001/privkey.pem
chain = /etc/letsencrypt/live/scti.gr-0001/chain.pem
fullchain = /etc/letsencrypt/live/scti.gr-0001/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = apache
installer = apache
account = 40edc6c1ddd0b612e2e3216a3de2f94a

My domain is: kotronis-plastics.gr, scti.gr

I ran this command: apt-cache policy certbot | grep -i Installed

It produced this output: Installed: 0.17.0-2+ubuntu16.04.1+certbot+1

My web server is (include version): Apache/2.4.18 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 16.04.5

My hosting provider, if applicable, is: Vultr

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

Thank you a lot.

mnordhoff · January 18, 2019, 10:29am

kotronis-plastics.gr is okay – the webroot plugin uses HTTP validation.

scti.gr is not okay. In Certbot 0.17.0, the apache plugin uses TLS-SNI validation. You have to upgrade to a newer version of Certbot, or switch that certificate to authenticate using the webroot plugin too.

Do you know why you’re using Certbot 0.17.0? You installed it from the PPA, but the current version in the PPA is 0.28.0.

Can you “sudo apt update && sudo apt full-upgrade” or something to upgrade it?

yaylitzis · January 18, 2019, 10:46am

Thanks for the quick reply! I don’t know why I am still on 0.17.0 version.
I tried apt-get update but i get the same version. Will apt full-upgrade upgrade the version from 16.00 to newest (I don’t want that).

if I edit the config file of scti.gr domain and change the authenticator = apache to authenticator = webroot will be ok?

mnordhoff · January 18, 2019, 10:49am

It will upgrade Certbot -- and, possibly, any other software that coincidentally needs to be upgraded -- but it won't normally upgrade your OS.

You'd also need to set the [[webroot_map]] section, similar to how the other site is configured.

An easy way to do that is to run the Certbot command to issue a new certificate. E;g;:

sudo certbot --cert-name scti.gr-0001 -a webroot -i apache -w /var/www/html/scti -d scti.gr -d www.scti.gr

Specifying whatever domains are in the certificate and whatever the Apache document roots are.

You can also just edit the config file, but that's more error-prone.

yaylitzis · January 18, 2019, 10:54am

Thanks a lot! I will try these and I will come back with the resulted changes.

yaylitzis · January 20, 2019, 6:05pm

Hello @mnordhoff , I updated and upgraded my OS and now i have the newest version of certbot

Installed: 0.28.0-1+ubuntu16.04.1+certbot+4

Also, I issued a new cert with the command you posted and done! Now my scti.gr-0001.conf looks like:

# renew_before_expiry = 30 days
version = 0.28.0
archive_dir = /etc/letsencrypt/archive/scti.gr-0001
cert = /etc/letsencrypt/live/scti.gr-0001/cert.pem
privkey = /etc/letsencrypt/live/scti.gr-0001/privkey.pem
chain = /etc/letsencrypt/live/scti.gr-0001/chain.pem
fullchain = /etc/letsencrypt/live/scti.gr-0001/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = apache
account = 40edc6c1ddd0b612e2e3216a3de2f94a
webroot_path = /var/www/html/scti,
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
scti.gr = /var/www/html/scti
www.scti.gr = /var/www/html/scti

Thank you a lot!
I will donate to let’s encrypt for your super support!

system · February 19, 2019, 6:14pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to renew Cert in Ubuntu 16.04 Help	12	33643	June 28, 2018
Action required: Let's Encrypt certificate renewals Help	6	1728	March 28, 2019
Action required Let's Encrypt certificate renewals Help	13	6575	April 12, 2019
Action required: Let's Encrypt certificate renewals Help	2	16833	January 18, 2019
Manual Renewal and Email change Help	15	522	September 14, 2023

Help for "Action required: Let's Encrypt certificate renewals "

Related topics