How to update ACME client to use an alternative validation method (HTTP-01, DNS-01 or TLS-ALPN-01)

Hi,

I’ve received an email saying “You need to update your ACME client to use an alternative validation method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your certificate renewals will break and existing certificates will start to expire.”.

But I didn’t find any article explaining how to implement this.

I’m using a DigitalOcean droplet. Here are the other details:

Certbot version - 0.19.0
Ubuntu version - 16.04.3 LTS

Please share the command to perform this change.

Thanks.

How did you install Certbot 0.19.0?

If you’re using the Certbot PPA, a much newer version is available.

Edit: Plus, “lsb_release -d” should say Ubuntu 16.04.5.

1 Like

"lsb_release -d" shows 16.04.3 LTS. I installed Certbot 1 or 2 years back and haven't updated it since.

How did you install Certbot?

I installed Certbot using these commands:

sudo add-apt-repository ppa:certbot/certbot

sudo apt-get update

sudo apt-get install python-certbot-apache

sudo certbot --apache -d example.com

sudo certbot --apache -d example.com -d www.example.com

Taken help from this article - https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-14-04

Have you run any updates since then?

What happens if you run “sudo apt update” and “sudo apt upgrade”?

I haven't touched the server since then. Now, if I run “sudo apt-get update”, will it break the existing certificates?

You really need to install updates regularly. Daily.

No. The update command just downloads the list of packages. It doesn't do anything to any of them.

apt-get upgrade or apt upgrade will upgrade most packages.

Due to some changes to the Certbot packages last year, they won't be upgraded this time. You'll have to run "apt-get dist-upgrade" or "apt full-upgrade" to get over the hump.

Upgrading won't damage your certificates.

Installing more than a year worth of updates could break some of your software, though.

Edit: I wrote "apt upgrade" instead of "apt full-upgrade" in one sentence.

2 Likes

What will this "apt-get dist-upgrade" command do? Do I also need to create the certificate using "sudo certbot --apache -d example.com -d www.example.com" after running "apt-get dist-upgrade"? I'm not very familiar with server configuration. Please help.

To quote man apt-get:

dist-upgrade in addition to performing the function of upgrade, also intelligently handles changing dependencies with new versions of packages; apt-get has a "smart" conflict resolution system, and it will attempt to upgrade the most important packages at the expense of less important ones if necessary. The dist-upgrade command may therefore remove some packages. The /etc/apt/sources.list file contains a list of locations from which to retrieve desired package files. See also apt_preferences(5) for a mechanism for overriding the general settings for individual packages.

Some of the packages in the Certbot PPA were renamed last year, which "apt-get upgrade" can't figure out.

If you just want to renew your certificates, you probably don't have to do that, no.

1 Like

All right. I'm executing the "apt-get dist-upgrade" command. After that, what command should I run to update the ACME client to use an alternative validation method (HTTP-01, DNS-01 or TLS-ALPN-01)?

Try running “sudo certbot renew --dry-run” and pasting its output.

certbot 0.28.0
root@Example:~# sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/example.com.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for example.com
http-01 challenge for www.example.com
Waiting for verification…
Cleaning up challenges

new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/example.com/fullchain.pem

** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/example.com/fullchain.pem (success)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


Everything’s probably working, then. :slightly_smiling_face:

You should watch it and make sure your next automatic renewal works, but it seems okay.

How do I check when the certificate will be renewed next time?

sudo certbot certificates shows when it expires; by default, Certbot will start to consider it due for renewal 30 days before.
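The two checks this thread boils down to, in one added script (not code from the thread or from the Certbot project): read a `certbot renew --dry-run` transcript and confirm every name was validated with one of the methods named in the email (HTTP-01, DNS-01 or TLS-ALPN-01), then take the "VALID: N days" figure that `certbot certificates` prints and apply Certbot's default 30-day renewal window to say when the next real renewal will happen. The sample transcript and certificate listing below are constructed to mirror the output posted above; the function names and the regexes are this example's own assumptions about that output format.

```python
"""Audit a Certbot dry-run transcript and a `certbot certificates` listing.

Added example; the sample texts are constructed to match the thread's output.
"""
import re

# Validation methods the email says remain acceptable (from the thread).
ALLOWED_CHALLENGES = {"http-01", "dns-01", "tls-alpn-01"}
RENEW_BEFORE_DAYS = 30  # Certbot's default: renew when < 30 days remain

# Constructed sample of `sudo certbot renew --dry-run` output.
SAMPLE_DRY_RUN = """\
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Processing /etc/letsencrypt/renewal/example.com.conf
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Performing the following challenges:
http-01 challenge for example.com
http-01 challenge for www.example.com
Waiting for verification...
Cleaning up challenges
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/example.com/fullchain.pem (success)
"""

# Constructed sample of `sudo certbot certificates` output.
SAMPLE_CERTIFICATES = """\
Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2019-04-30 12:00:00+00:00 (VALID: 57 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
"""

# "<type> challenge for <name>" lines, e.g. "http-01 challenge for example.com".
CHALLENGE_LINE = re.compile(r"^(?P<type>[a-z][a-z0-9-]*-\d+) challenge for (?P<name>\S+)$",
                            re.MULTILINE)
VALID_DAYS = re.compile(r"\(VALID: (?P<days>\d+) days\)")


def challenges_used(transcript):
    """Map each validated name to the challenge type Certbot used for it."""
    return {m.group("name"): m.group("type") for m in CHALLENGE_LINE.finditer(transcript)}


def unsupported_challenges(transcript):
    """Names whose validation method is outside the allowed set (sorted)."""
    return sorted(n for n, t in challenges_used(transcript).items()
                  if t not in ALLOWED_CHALLENGES)


def renewals_succeeded(transcript):
    """True when Certbot reported success and no lineage was marked (failure)."""
    return "all renewals succeeded" in transcript and "(failure)" not in transcript


def days_valid(certificates_output):
    """Extract the 'VALID: N days' figure, or None if it is absent."""
    m = VALID_DAYS.search(certificates_output)
    return int(m.group("days")) if m else None


def days_until_renewal(valid_days, renew_before=RENEW_BEFORE_DAYS):
    """Days until Certbot's scheduled job will consider the cert due for renewal."""
    return max(0, valid_days - renew_before)


def assess(transcript, certificates_output):
    """Combine both checks into one verdict a cron job could act on."""
    bad = unsupported_challenges(transcript)
    valid = days_valid(certificates_output)
    return {
        "ok": renewals_succeeded(transcript) and not bad and valid is not None,
        "unsupported": bad,
        "renews_in_days": None if valid is None else days_until_renewal(valid),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_DRY_RUN, SAMPLE_CERTIFICATES))
```

For the constructed samples the verdict is `ok`, nothing unsupported, and a renewal in 27 days, which is exactly the "57 days" figure from `certbot certificates` minus the 30-day window; a dry run never changes that figure, so seeing the same expiry date afterwards is expected.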

Thanks for your help. I really appreciate your time.

2 Likes

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/example.com/fullchain.pem (success)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)

But after sudo certbot certificates I see the same date: 57 days.

1 Like

@DonikaV everything is working as intended for you! The dry run mode does not update your real certificates.

So, what should I do? I got an email with the same content…
Thanks in advance.