Help with auto renewal through squid

I have set a letsencrypt cert for apache but I actually use the certificate in squid, so when it’s time to renew the certificate, the Authority doesn’t find the challenge since it reads from squid. I would love to make a bypass in squid for the verification but I don’t know what to bypass. Or is there another solution? Can anyone help me? Thank you very much!

command: (as root) /usr/share/certbot/certbot-auto renew --no-self-upgrade
output: (selection)

Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
from Received 2 certificate(s), first
certificate had names “,,,,,,,,,,

os: debian Linux 7

If you want to bypass requests to challenge files, you have to use http-01 authorization instead of tls-sni-01. Then you have to make sure that URLs starting with /.well-known/acme-challenge/ are delivered locally.
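As an added illustration of that second step (not the replier's own configuration), here is one way to make squid hand the /.well-known/acme-challenge/ path to a local Apache while everything else is still proxied as before. It assumes squid runs as a reverse proxy (accelerator mode) on port 80, that Apache listens on 127.0.0.1:8080 with the certbot webroot as its DocumentRoot, and that the real backend sits at 10.0.0.5; the site name example.com is also a placeholder:

```conf
# Added example: squid.conf fragment, assumptions marked above.
# squid answers plain-http requests on port 80 for the site.
http_port 80 accel defaultsite=example.com

# HTTP-01 challenge requests: only the token at the end of the path varies.
acl acme_challenge urlpath_regex ^/\.well-known/acme-challenge/

# Local Apache serving the directory certbot's webroot plugin writes into.
cache_peer 127.0.0.1 parent 8080 0 no-query originserver name=local_apache
# The normal backend for everything else (assumed address).
cache_peer 10.0.0.5 parent 80 0 no-query originserver name=backend

# Challenge requests go to Apache only; all other requests go to the backend.
cache_peer_access local_apache allow acme_challenge
cache_peer_access local_apache deny all
cache_peer_access backend deny acme_challenge
cache_peer_access backend allow all
never_direct allow all

# Never serve a stale or cached token to the CA's validator.
cache deny acme_challenge

# Allow the challenge requests through before the site's existing http_access rules.
http_access allow acme_challenge
```

The existing http_access rules for the site stay in place below this fragment; the only change is that the challenge path is routed to the local webserver and bypasses the cache, so the token certbot writes is what Let's Encrypt reads back over plain http.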

Thank you for your answer! Let me see if I got that right: I have to make sure that I can access from a browser and then I change the command in order for certbot to use the http-01 authorization instead of tls-sni-01?

Yes, this should be it. You actually have to figure out where actually points to (which directory). Then to test, put a file test.txt there and try to access this via If this works, you can happily use the http-01 authorization via webroot plugin.

NOTE: I had to edit this; these must be http URLs, not https.

Thank you again for your reply!

Now I can access (no https).
As I understand (please let me know if I’m wrong), I tell certbot-auto to use the http-01 authorization by adding “--preferred-challenges=http” to the command, so the final command is “/usr/share/certbot/certbot-auto renew --no-self-upgrade --preferred-challenges=http”, run as root. But now I get this error:

Attempting to renew cert ( from /etc/letsencrypt/renewal/ produced an unexpected error: None of the preferred challenges are supported by the selected plugin. Skipping.

Thank you again for continuing to help…

Try the webroot-plugin:

certbot-auto --webroot -d domain.tld,www.domain.tld -w /path

The path should be the directory which contains the directory .well-known

Can that be used in order to renew an existing certificate? It is asking me to also use the “certonly” command:

With the webroot plugin, you probably want to use the “certonly” command

You are right, have a look into the documentation:

Beautiful! I want to thank you and also to share this answer so that it would help maybe others:

This is the command that made the renewal of the certificate (with the made available to any browser as explained above):

/usr/share/certbot/certbot-auto certonly -n -d -d -d -d -d -d -d -d -d -d -d --webroot -w /var/www/carta/

A short explanation that I got from if the domains are all listed like in the certificate, then a renewal is attempted. If one domain is missing, then the command will issue a new certificate - I didn’t want that, so I listed every domain with “-d” in front of it. The “--webroot” option means that the validation of the domain happens by placing a file in “.well-known/acme-challenge/”, which will be found in the folder specified after the “-w” option.
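The two practical steps in this thread (drop a test file under the webroot and confirm it is served over plain http, then run certonly with every domain of the existing certificate listed with -d) fit in one small script. This is an added example, not the poster's own script: it reads the SAN list out of the current cert.pem so no domain can be accidentally left out (which, as explained above, would produce a new certificate instead of a renewal). The lineage name under /etc/letsencrypt/live/ is an assumption passed in through LINEAGE; the certbot-auto path and the webroot are the ones from the thread.

```sh
#!/bin/sh
# Added example (not from the thread). Assumes an existing lineage under
# /etc/letsencrypt/live/$LINEAGE/ and openssl + curl on the box.
set -eu

CERTBOT=/usr/share/certbot/certbot-auto        # path used in the thread
LINEAGE="${LINEAGE:-example}"                  # assumption: certbot lineage name
WEBROOT="${WEBROOT:-/var/www/carta/}"          # webroot used in the thread

# Print the subjectAltName line ("DNS:a, DNS:b, ...") of a PEM certificate.
san_line_of() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *DNS:/DNS:/p' | head -n 1
}

# Turn "DNS:a, DNS:b" into "-d a -d b"; every SAN is kept so certbot sees the
# same domain set as the existing certificate and treats the run as a renewal.
san_to_d_args() {
    printf '%s\n' "$1" \
      | tr ',' '\n' \
      | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/-d \1/p' \
      | tr '\n' ' ' \
      | sed 's/ *$//'
}

# Step from the thread: put a test file under the webroot's ACME path.
# $1 = webroot directory, $2 = file name; prints the created path.
place_test_token() {
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir"
    printf 'acme-webroot-test\n' > "$dir/$2"
    printf '%s\n' "$dir/$2"
}

# Confirm the token is reachable over plain http (HTTP-01 never uses https).
# $1 = domain, $2 = file name; returns 0 only if the body matches.
fetch_ok() {
    body=$(curl -fsS "http://$1/.well-known/acme-challenge/$2") || return 1
    [ "$body" = "acme-webroot-test" ]
}

# Build the certonly command the thread ends up with.
# $1 = "-d ..." argument string, $2 = webroot; prints the command line.
renew_cmd() {
    printf '%s certonly -n %s --webroot -w %s\n' "$CERTBOT" "$1" "$2"
}

main() {
    cert="/etc/letsencrypt/live/$LINEAGE/cert.pem"
    d_args=$(san_to_d_args "$(san_line_of "$cert")")
    first=${d_args#-d }; first=${first%% *}     # first domain, used for the probe
    token=$(place_test_token "$WEBROOT" "probe-$$")
    if ! fetch_ok "$first" "$(basename "$token")"; then
        echo "http://$first/.well-known/acme-challenge/ is not served locally" >&2
        rm -f "$token"
        exit 1
    fi
    rm -f "$token"
    eval "$(renew_cmd "$d_args" "$WEBROOT")"
}

# Run only when invoked as "sh renew-via-webroot.sh run".
if [ "${1:-}" = run ]; then
    main
fi
```

The probe is done with the first SAN only; if several names resolve to different proxies, run fetch_ok for each before trusting the setup. Because the -d list is derived from the certificate itself, adding a new hostname is a deliberate edit of the command, not a side effect of a forgotten flag.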

