How update ACME client to use an alternative validation method (HTTP-01, DNS-01 or TLS-ALPN-01)


#1

I just got an email letting me know that TLS-SNI-01 domain validation is going away.
How can i update my ACME client?

Thanks a lot
Giacomo Farella

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: moon.miprenoto.eu

I ran this command:

It produced this output:

My web server is (include version): Apache 2.4.7

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


#2

Do you use certbot as the ACME client? How did you install it?

https://certbot.eff.org/ should guide you to the installation process.


#3

Can you answer the other questions in your post? What ACME client are you using? What version is it now? How did you install it? What OS are you using?


#4

ACME client: certbot
Version: 0.11.0
OS: ubuntu 14.04


#5

How did you install it?


#6

following the instructions https://certbot.eff.org/lets-encrypt/ubuntutrusty-apache


#7

The current version of python-certbot-apache for Trusty from the PPA is 0.28.

You should be able to upgrade (or try going through installation again).

You could also have duplicate versions of Certbot installed:

dpkg --list | grep -i certbot

#8

is only necessary updating certbot to 0.28 version?


#9

0.28 is the first version that automatically chooses HTTP over TLS-SNI, yes. If you can upgrade to it, it is highly likely to be the only thing you need to do.

The only case where it may be insufficient is if you have some pre-configured preferred challenges already. This can be checked with:

grep -iR pref_challs /etc/letsencrypt/renewal/

#10

Now i have upgraded certbot to 0.28 version. Do i need anything?


#11

Yes, make sure your renewals are working:

certbot renew --dry-run

If that’s OK and there’s no warnings about TLS-SNI, you’re set.


#12

I received this email notification as well and wanted to share my findings.

I am on Ubuntu 16.04 using Apache web server. I first tried upgrading certbot from 0.21.0 to 0.28.0 (which, notably was “kept back” with a general apt-get upgrade, so I had to specify certbot to update only it and its dependencies) and the --dry-run output still showed warnings in red text about the TLS-SNI deprecation.

I realized the Apache plugin had to be updated as well to 0.28.0 and now the --dry-run completes without warnings and shows the http-01 challenge method is being used. Hope this helps.

sudo apt-get install certbot python3-certbot-apache

From the docs:

Some plugins offer an authenticator , meaning that they can satisfy challenges:

  • Apache plugin: (TLS-SNI-01) Tries to edit your Apache configuration files to temporarily serve a Certbot-generated certificate for a specified name. Use the Apache plugin when you’re running Certbot on a web server with Apache listening on port 443.

#13

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.