How to update ACME client to use an alternative validation method (HTTP-01, DNS-01 or TLS-ALPN-01)


#1

Hi,

I’ve received an email saying “You need to update your ACME client to use an alternative validation method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your certificate renewals will break and existing certificates will start to expire.”.

But I didn’t find any article explaining how to implement this.

I’m using a DigitalOcean droplet. Here are the other details:

Certbot version - 0.19.0
Ubuntu version - 16.04.3 LTS

Please share the command to perform this change.

Thanks.


#2

How did you install Certbot 0.19.0?

If you’re using the Certbot PPA, a much newer version is available.

Edit: Plus, “lsb_release -d” should say Ubuntu 16.04.5.


#3

“lsb_release -d” shows 16.04.3 LTS. I’ve installed certbot 1 or 2 years back, after that I haven’t updated that.


#4

How did you install Certbot?


#5

I’ve installed certbot using these commands:

sudo add-apt-repository ppa:certbot/certbot

sudo apt-get update

sudo apt-get install python-certbot-apache

sudo certbot --apache -d example.com

sudo certbot --apache -d example.com -d www.example.com

I took help from this article - https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-14-04


#6

Have you run any updates since then?

What happens if you run “sudo apt update” and “sudo apt upgrade”?


#7

I haven’t touched the server since then. Now, if I run “sudo apt-get update”, will it break the existing certificates?


#8

You really need to install updates regularly. Daily.

No. The update command just downloads the list of packages. It doesn’t do anything to any of them.

apt-get upgrade or apt upgrade will upgrade most packages.

Due to some changes to the Certbot packages last year, they won’t be upgraded this time. You’ll have to run “apt-get dist-upgrade” or “apt full-upgrade” to get over the hump.

Upgrading won’t damage your certificates.

Installing more than a year worth of updates could break some of your software, though.

Edit: I wrote “apt upgrade” instead of “apt full-upgrade” in one sentence.


#9

What will this “apt-get dist-upgrade” command do? Do I also need to create the certificate using “sudo certbot --apache -d example.com -d www.example.com” after running “apt-get dist-upgrade”? I’m not very much aware of server configuration. Please help.


#10

To quote man apt-get:

dist-upgrade in addition to performing the function of upgrade, also intelligently handles changing dependencies with new versions of packages; apt-get has a “smart” conflict resolution system, and it will attempt to upgrade the most important packages at the expense of less important ones if necessary. The dist-upgrade command may therefore remove some packages. The /etc/apt/sources.list file contains a list of locations from which to retrieve desired package files. See also apt_preferences(5) for a mechanism for overriding the general settings for individual packages.

Some of the packages in the Certbot PPA were renamed last year, which “apt-get upgrade” can’t figure out.

If you just want to renew your certificates, you probably don’t have to do that, no.


#11

All right. I’m executing the “apt-get dist-upgrade” command. After that, what command should I run to update the ACME client to use an alternative validation method (HTTP-01, DNS-01 or TLS-ALPN-01)?


#12

Try running “sudo certbot renew --dry-run” and pasting its output.


#13

certbot 0.28.0
root@Example:~# sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/example.com.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for example.com
http-01 challenge for www.example.com
Waiting for verification…
Cleaning up challenges

new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/example.com/fullchain.pem

** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/example.com/fullchain.pem (success)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)



#14

Everything’s probably working, then.

You should watch it and make sure your next automatic renewal works, but it seems okay.


#15

How do I check when the certificate will be renewed next time?


#16

sudo certbot certificates shows when it expires; by default, Certbot will start to consider it due for renewal 30 days before.
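The two checks the replies above rely on (#12/#13: which challenge types the dry run actually used; #16: how far the certificate is from the 30-day renewal window) can be read off the command output mechanically. The script below is an added example, not code from the thread or from Certbot; both transcripts it reads are constructed samples modelled on the output shown in this thread and on the “Expiry Date: … (VALID: N days)” line that `certbot certificates` prints.

```shell
#!/bin/sh
# Added example (not from the thread): inspect a `certbot renew --dry-run`
# transcript for the challenge types it used, and a `certbot certificates`
# transcript for the days left until expiry.

# Constructed sample, modelled on the dry-run output in post #13.
DRY_RUN_OUTPUT='Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for example.com
http-01 challenge for www.example.com
Waiting for verification...
Cleaning up challenges'

# Constructed sample of `certbot certificates` output (date and day count made up).
CERTS_OUTPUT='  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2019-04-30 12:00:00+00:00 (VALID: 57 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem'

# Print each distinct challenge type ("http-01", "dns-01", ...) seen in a dry run.
challenge_types() {
    printf '%s\n' "$1" | sed -n 's/^\([a-z0-9-]*-01\) challenge for .*/\1/p' | sort -u
}

# Succeed only when every challenge is one of the methods the email lists
# (HTTP-01, DNS-01, TLS-ALPN-01); anything else, or no challenge at all, fails.
only_supported_challenges() {
    types=$(challenge_types "$1")
    [ -n "$types" ] || return 1
    for t in $types; do
        case "$t" in
            http-01|dns-01|tls-alpn-01) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Extract the "VALID: N days" count from `certbot certificates` output.
days_until_expiry() {
    printf '%s\n' "$1" | sed -n 's/.*(VALID: \([0-9]*\) days).*/\1/p' | head -n 1
}

# Certbot starts treating a certificate as due 30 days before expiry.
due_for_renewal() {
    d=$(days_until_expiry "$1")
    [ -n "$d" ] && [ "$d" -le 30 ]
}

only_supported_challenges "$DRY_RUN_OUTPUT" && echo "dry run used only supported challenges"
due_for_renewal "$CERTS_OUTPUT" || echo "not due yet: $(days_until_expiry "$CERTS_OUTPUT") days left"
```

On a real host, replace the two constructed variables with `$(sudo certbot renew --dry-run 2>&1)` and `$(sudo certbot certificates 2>&1)`.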


#17

Thanks for your help. I really appreciate your time.


#18

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/example.com/fullchain.pem (success)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)

But after “sudo certbot certificates” I see the same date - 57 days.


#19

@DonikaV everything is working as intended for you! The dry run mode does not update your real certificates.


#20

So, what should I do, because I got an email with the same content…
Thanks in advance.