Help for "Action required: Let's Encrypt certificate renewals "


#1

Hello, I received the email (Action required: Let’s Encrypt certificate renewals). Can you help me please, how to chenk if my settings are ok?

I checked the certbot version from this command apt-cache policy certbot | grep -i Installed and the output was Installed: 0.17.0-2+ubuntu16.04.1+certbot+1

I post here the content of my 2 files in /etc/letsencrypt/renewal/

1 domain: kotronis-plastics.gr

# renew_before_expiry = 30 days
version = 0.17.0
archive_dir = /etc/letsencrypt/archive/kotronis-plastics.gr
cert = /etc/letsencrypt/live/kotronis-plastics.gr/cert.pem
privkey = /etc/letsencrypt/live/kotronis-plastics.gr/privkey.pem
chain = /etc/letsencrypt/live/kotronis-plastics.gr/chain.pem
fullchain = /etc/letsencrypt/live/kotronis-plastics.gr/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = apache
account = 40edc6c1ddd0b612e2e3216a3de2f94a
[[webroot_map]]
www.kotronis-plastics.gr = /var/www/html/mysite
kotronis-plastics.gr = /var/www/html/mysite

2 domain: scti.gr

# renew_before_expiry = 30 days
version = 0.17.0
archive_dir = /etc/letsencrypt/archive/scti.gr-0001
cert = /etc/letsencrypt/live/scti.gr-0001/cert.pem
privkey = /etc/letsencrypt/live/scti.gr-0001/privkey.pem
chain = /etc/letsencrypt/live/scti.gr-0001/chain.pem
fullchain = /etc/letsencrypt/live/scti.gr-0001/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = apache
installer = apache
account = 40edc6c1ddd0b612e2e3216a3de2f94a

My domain is: kotronis-plastics.gr, scti.gr

I ran this command: apt-cache policy certbot | grep -i Installed

It produced this output: Installed: 0.17.0-2+ubuntu16.04.1+certbot+1

My web server is (include version): Apache/2.4.18 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 16.04.5

My hosting provider, if applicable, is: Vultr

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Thank you a lot.


#2

kotronis-plastics.gr is okay – the webroot plugin uses HTTP validation.

scti.gr is not okay. In Certbot 0.17.0, the apache plugin uses TLS-SNI validation. You have to upgrade to a newer version of Certbot, or switch that certificate to authenticate using the webroot plugin too.

Do you know why you’re using Certbot 0.17.0? You installed it from the PPA, but the current version in the PPA is 0.28.0.

Can you “sudo apt update && sudo apt full-upgrade” or something to upgrade it?


#3

Thanks for the quick reply! I don’t know why I am still on 0.17.0 version.
I tried apt-get update but i get the same version. Will apt full-upgrade upgrade the version from 16.00 to newest (I don’t want that).

if I edit the config file of scti.gr domain and change the authenticator = apache to authenticator = webroot will be ok?


#4

It will upgrade Certbot – and, possibly, any other software that coincidentally needs to be upgraded – but it won’t normally upgrade your OS.

You’d also need to set the [[webroot_map]] section, similar to how the other site is configured.

An easy way to do that is to run the Certbot command to issue a new certificate. E;g;:

sudo certbot --cert-name scti.gr-0001 -a webroot -i apache -w /var/www/html/scti -d scti.gr -d www.scti.gr

Specifying whatever domains are in the certificate and whatever the Apache document roots are.

You can also just edit the config file, but that’s more error-prone.


#5

Thanks a lot! I will try these and I will come back with the resulted changes.


#6

Hello @mnordhoff , I updated and upgraded my OS and now i have the newest version of certbot :hugs:

Installed: 0.28.0-1+ubuntu16.04.1+certbot+4

Also, I issued a new cert with the command you posted and done! Now my scti.gr-0001.conf looks like:

# renew_before_expiry = 30 days
version = 0.28.0
archive_dir = /etc/letsencrypt/archive/scti.gr-0001
cert = /etc/letsencrypt/live/scti.gr-0001/cert.pem
privkey = /etc/letsencrypt/live/scti.gr-0001/privkey.pem
chain = /etc/letsencrypt/live/scti.gr-0001/chain.pem
fullchain = /etc/letsencrypt/live/scti.gr-0001/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = apache
account = 40edc6c1ddd0b612e2e3216a3de2f94a
webroot_path = /var/www/html/scti,
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
scti.gr = /var/www/html/scti
www.scti.gr = /var/www/html/scti

Thank you a lot!
I will donate to let’s encrypt for your super support!


closed #7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.