I’ve received an email saying “You need to update your ACME client to use an alternative validation method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your certificate renewals will break and existing certificates will start to expire.”.
But I didn’t find any article explaining how to implement this.
I’m using a DigitalOcean droplet. Here are the other details:
Certbot version - 0.19.0
Ubuntu version - 16.04.3 LTS
You really need to install updates regularly. Daily.
No. The update command just downloads the list of packages. It doesn't do anything to any of them.
apt-get upgrade or apt upgrade will upgrade most packages.
Due to some changes to the Certbot packages last year, they won't be upgraded this time. You'll have to run "apt-get dist-upgrade" or "apt full-upgrade" to get over the hump.
Upgrading won't damage your certificates.
Installing more than a year's worth of updates could break some of your software, though.
Edit: I wrote "apt upgrade" instead of "apt full-upgrade" in one sentence.
What will this "apt-get dist-upgrade" command do? Do I also need to create a certificate using "sudo certbot --apache -d example.com -d www.example.com" after running "apt-get dist-upgrade"? I'm not very familiar with server configuration. Please help.
dist-upgrade in addition to performing the function of upgrade, also intelligently handles changing dependencies with new versions of packages; apt-get has a "smart" conflict resolution system, and it will attempt to upgrade the most important packages at the expense of less important ones if necessary. The dist-upgrade command may therefore remove some packages. The /etc/apt/sources.list file contains a list of locations from which to retrieve desired package files. See also apt_preferences(5) for a mechanism for overriding the general settings for individual packages.
Some of the packages in the Certbot PPA were renamed last year, which "apt-get upgrade" can't figure out.
If you just want to renew your certificates, you probably don't have to do that, no.
All right. I'm executing the "apt-get dist-upgrade" command. After that, what command should I run to update the ACME client to use an alternative validation method (HTTP-01, DNS-01 or TLS-ALPN-01)?
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for example.com
http-01 challenge for www.example.com
Waiting for verification…
Cleaning up challenges
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/example.com/fullchain.pem
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/example.com/fullchain.pem (success)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/example.com/fullchain.pem (success)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)
But after sudo certbot certificates I see the same date - 57 days
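Added example, not part of the thread: the dry-run output posted above contains one "<method> challenge for <domain>" line per name, so a small shell function can confirm that every name renews with one of the methods the e-mail lists. The helper name check_challenges and both sample transcripts are constructed for illustration; the second sample includes a tls-sni-01 line as the case that fails the check.

```shell
#!/bin/sh
# Added example (not from the thread): check which ACME challenge types a
# `certbot renew --dry-run` transcript used. check_challenges is a
# hypothetical helper name; both samples below are constructed.

# Reads a transcript on stdin. Prints "<domain> <method> ok|UPDATE-NEEDED"
# per challenge line. Returns 0 only if at least one challenge was seen and
# all use a method named in the e-mail (http-01, dns-01, tls-alpn-01).
check_challenges() {
    awk '
        # Certbot prints "<method> challenge for <domain>" for each name.
        NF == 4 && $2 == "challenge" && $3 == "for" {
            seen++
            ok = ($1 == "http-01" || $1 == "dns-01" || $1 == "tls-alpn-01")
            if (!ok) bad++
            printf "%s %s %s\n", $4, $1, (ok ? "ok" : "UPDATE-NEEDED")
        }
        END { exit (seen == 0 || bad > 0) ? 1 : 0 }
    '
}

# Constructed sample: the challenge section of the output posted above.
SAMPLE_THREAD='Plugins selected: Authenticator apache, Installer apache
Performing the following challenges:
http-01 challenge for example.com
http-01 challenge for www.example.com
Waiting for verification...
Cleaning up challenges'

# Constructed sample: one name still validated with a method outside the list.
SAMPLE_OLD='Performing the following challenges:
tls-sni-01 challenge for example.com
http-01 challenge for www.example.com
Cleaning up challenges'

printf '%s\n' "$SAMPLE_THREAD" | check_challenges
printf '%s\n' "$SAMPLE_OLD" | check_challenges || echo "at least one name needs a different validation method"

# On a live host (Certbot logs to stderr, hence 2>&1):
#   sudo certbot renew --dry-run 2>&1 | check_challenges
```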