How Do I Know Which Is Using ACME TLS-SNI


#1

Hi,

I have several domains among two servers that are using certs from letsencrypt via Certbot. For the last year or so they’ve been set it and forget it, which is a problem because I don’t do this type of stuff but every few years and never remember how; but apparently I now need to make changes and I have no idea which ones are using TLS-SNI-01 or what I need to actually do to certbot to rectify this.

My domains are:

pickmy.org
nq4t.com
qth.nq4t.com


jay.is-lost.org
dewdude.ath.cx

My web servers are:

Server 1: Apache/2.4.18
Server 2: Apache/2.4.27

The operating systems my web servers runs on are:

Server 1: Ubuntu 16.04.5 LTS (2.6.32-042stab123.9 (SMP) x86_64)
Server 2: Ubuntu 17.10 (4.13.0-32-generic (SMP) x86_64)

My hosting provider, if applicable, is: “self”

I can login to a root shell on my machine (yes or no, or I don’t know): yes to both.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

Hi @_NQ4T

The validation method isn’t saved in the certificate. So check your config files

/etc/letsencrypt/renewal

if there is something like standalone (unclear) or tls-sni (critical).

And update your certbot.
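
The check described above, as an added example that is not part of the thread: a small POSIX shell script that reads each `/etc/letsencrypt/renewal/*.conf`, pulls out the `authenticator` and (if present) `pref_challs` values from `[renewalparams]`, and prints a verdict per certificate. Anything with `tls-sni` in `pref_challs` is reported as `critical`; a bare `standalone`, `apache` or `nginx` authenticator with no `pref_challs` is reported as `check`, since older Certbot releases let those plugins pick tls-sni-01 by default and the config alone does not tell you which challenge was used. The sample configs are constructed inline so the script runs offline; the hostnames in them are placeholders, not the poster's domains. Point it at the real directory with `scan_renewal_dir /etc/letsencrypt/renewal` (as root).

```shell
#!/bin/sh
# Added example, not Certbot's own tooling. Classifies Certbot renewal configs
# by the challenge they are likely to use. Assumes the standard layout:
# /etc/letsencrypt/renewal/<cert-name>.conf with "authenticator = ..." and,
# only when --preferred-challenges was given, "pref_challs = ...".

# classify_renewal AUTHENTICATOR PREF_CHALLS -> prints one of
# critical | ok | check | unknown
classify_renewal() {
    auth="$1"
    challs="$2"
    case "$challs" in
        *tls-sni*)          echo critical ;;   # explicitly pinned to tls-sni-01
        *http-01*|*dns-01*) echo ok ;;         # explicitly pinned to a surviving challenge
        "")
            # No pref_challs: fall back to what the plugin can do at all.
            case "$auth" in
                webroot|dns-*)           echo ok ;;      # http-01 / dns-01 only
                standalone|apache|nginx) echo check ;;   # may have defaulted to tls-sni-01
                *)                       echo unknown ;;
            esac ;;
        *)                  echo unknown ;;
    esac
}

# scan_renewal_dir [DIR] -> one line per config: name authenticator pref_challs verdict
scan_renewal_dir() {
    rdir="${1:-/etc/letsencrypt/renewal}"
    for conf in "$rdir"/*.conf; do
        [ -f "$conf" ] || continue
        name=$(basename "$conf" .conf)
        auth=$(sed -n 's/^[[:space:]]*authenticator[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
        challs=$(sed -n 's/^[[:space:]]*pref_challs[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
        verdict=$(classify_renewal "$auth" "$challs")
        printf '%s %s %s %s\n' "$name" "$auth" "${challs:-default}" "$verdict"
    done
}

# make_sample_configs -> writes three constructed renewal configs into a fresh
# temporary directory and prints its path. Sample data only.
make_sample_configs() {
    sdir=$(mktemp -d)
    cat > "$sdir/example.org.conf" <<'EOF'
version = 0.19.0
cert = /etc/letsencrypt/live/example.org/cert.pem
[renewalparams]
authenticator = apache
installer = apache
pref_challs = tls-sni-01,
EOF
    cat > "$sdir/example.net.conf" <<'EOF'
version = 0.19.0
cert = /etc/letsencrypt/live/example.net/cert.pem
[renewalparams]
authenticator = standalone
EOF
    cat > "$sdir/example.com.conf" <<'EOF'
version = 0.28.0
cert = /etc/letsencrypt/live/example.com/cert.pem
[renewalparams]
authenticator = webroot
webroot_path = /var/www/html,
EOF
    printf '%s\n' "$sdir"
}

# Stand-alone demo against the constructed samples.
scan_renewal_dir "$(make_sample_configs)"
```

Anything reported as `critical` needs `pref_challs` changed (or the renewal re-run with `--preferred-challenges http`); anything reported as `check` is where `certbot renew --dry-run` on a current Certbot tells you whether the plugin will now choose http-01 on its own.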


#3

Ubuntu 17.10 has been unsupported since July. Let’s Encrypt aside, you need to upgrade it.

Edit: Your Ubuntu 16.04 system is using some sort of OpenVZ kernel from 2017.


#4

I didn’t ask your opinion on the age of my operating systems.

If you’re saying they’re too old…let me know. Otherwise…that’s not related to my issue and therefore information that I already know and is not wanted. It does nothing to solve my problem.


#5

Ubuntu 17.10 is no longer supported, and as such, new versions of Certbot are no longer packaged for it. So you won’t be able to take the usually recommended path of upgrading Certbot from the PPA on that system. Since you’re also probably missing important security updates from Canonical, the only responsible thing for us to recommend is that you upgrade to a supported version of Ubuntu :wink: However, if you need to renew a certificate before you can get around to that, you can still use the http-01 challenge with older versions of Certbot - it just won’t do so by default.

Ubuntu 16.04 is still supported, of course, and Certbot 0.28.0 is available in the PPA. I’m not sure what @mnordhoff means about your kernel (I’m not disputing it, I just don’t understand it).

You can try this on your servers to see if you need to do anything:

sudo certbot renew --dry-run

If that works without any errors, then your certificate renewals should continue to work after tls-sni-01 is switched off (although since you could still be using it until that time, you might receive some more warning emails about it).

If it doesn’t work, let us know what error you get.


#6

It’s not relevant, it’s just spooky. It looks like a sketchy VPS provider kernel that never gets updated.