How to know which domain validation is used on my site


#1

SSL is already activated, but I got an email regarding this: our Let’s Encrypt client used ACME TLS-SNI-01 domain validation to issue a certificate in the past 60 days.

TLS-SNI-01 validation is reaching end-of-life and will stop working on February 13th, 2019.

My domain is: testhire.klimb.io, hire.klimb.io, engage.klimb.io

I ran this command:

It produced this output:

My web server is (include version): apache2

The operating system my web server runs on is (include version): ubuntu

My hosting provider, if applicable, is: godaddy

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 8.21

Please help me with this. Thanks


#2

Certbot version 8.12? I’m not sure if that’s a valid certbot version number… You are using certbot as an ACME client, right? Not any other ACME client?

If you are using certbot, you can figure out the challenge used by running certbot renew --dry-run and looking for tls-sni-01, http-01 or dns-01 in the output.
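The check suggested in this reply, as an added example that is not part of the original thread: the functions below read `certbot renew --dry-run` output and report the challenge type per domain, flagging tls-sni-01. The function names, the sample text and the domain old.example.test are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): extract the ACME challenge type per
# domain from `certbot renew --dry-run` output and flag TLS-SNI-01.

# challenge_types: reads certbot output on stdin, prints "<domain> <type>".
challenge_types() {
    awk '
        # Certbot announces each challenge as "<type> challenge for <domain>".
        $2 == "challenge" && $3 == "for" && NF == 4 { print $4, $1 }
    ' | sort -u
}

# uses_tls_sni: exit status 0 if any domain still validates via tls-sni-01.
uses_tls_sni() {
    challenge_types | grep -q ' tls-sni-01$'
}

# report: one summary line per domain.
report() {
    challenge_types | while read -r domain type; do
        case "$type" in
            tls-sni-01)     echo "$domain: $type (end-of-life, move to http-01 or dns-01)" ;;
            http-01|dns-01) echo "$domain: $type (ok)" ;;
            *)              echo "$domain: $type (unrecognised)" ;;
        esac
    done
}

# Constructed sample modelled on certbot's dry-run output; the second
# domain is hypothetical and shows what a TLS-SNI-01 renewal looks like.
SAMPLE_OUTPUT='Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for engage.klimb.io
tls-sni-01 challenge for old.example.test
Waiting for verification...
Cleaning up challenges'

# Real use: sudo certbot renew --dry-run 2>&1 | report
printf '%s\n' "$SAMPLE_OUTPUT" | report
```

A renewal configuration that only ever lists http-01 or dns-01 here is unaffected by the TLS-SNI-01 shutdown.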


#3

Sorry, this is my certbot-auto version 0.30.2


#4

Hi @santosh

Checking this domain, something doesn’t look good ( https://check-your-website.server-daten.de/?q=engage.klimb.io ):

If you switch to http-01 validation, Certbot creates a file under /.well-known/acme-challenge. Let’s Encrypt checks if this file exists and if the file has the correct content.

But fetching such a file: First, there is a redirect http -> https, this is ok / good / not a problem.

But fetching the https version of a non-existing file, your server sends an HTTP status 200. But the file doesn’t exist, so the tool expects an HTTP status 404.

Another thing: Your certificate

CN=engage.klimb.io
	16.11.2018
	14.02.2019
	engage.klimb.io - 1 entry

is valid for less than a month. So you can create a new certificate. Looks like your renew didn’t work, so it’s good to check that directly.

So first step:

sudo certbot renew --dry-run

to check if you can create a new test certificate.


#5

I did run the command sudo letsencrypt --version

certbot 0.19.0, and I ran certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/xxxxx.xxxxx.io.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for engage.klimb.io
Waiting for verification…
Cleaning up challenges


new certificate deployed without reload, fullchain is
/etc/letsencrypt/…/xxxxx.xxxxx.io/fullchain.pem


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/…/xxxxx.xxxxx.io/fullchain.pem (success)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)

IMPORTANT NOTES:

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

I have removed the domain name and replaced it with xxxxx for security reasons.
What does it mean? Please help me with this.


#6

Hi @JuergenAuer, please, I need your help on this.


#7

Then it looks ok.

But you should update your old certbot.


#8

Okay, Thanks, Appreciated