Let's Encrypt certificate expiration notice for domain


#1

My domain is: daweb.site, mail.daweb.site

I ran this command: N/A (automated e-mail)

It produced this output: Like most others, got a random e-mail about using TLS-SNI

My web server is (include version): Server version: Apache/2.4.6 (CentOS)

The operating system my web server runs on is (include version): CentOS 7

My hosting provider, if applicable, is: Self

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

I’m using certbot 0.23.0, from the standard repos and guide on https://certbot.eff.org/lets-encrypt/centosrhel7-apache. Trying to use “preferred-challenge http-01” gives me an error, but when I had run the --dry-run before without the challenge it succeeded. Error is:

Attempting to renew cert (daweb.site) from produced an unexpected error: Deserialization error: Could not decode 'status' (u'ready'): Deserialization error: Status not recognized. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/fullchain.pem (failure)

Based on reading other topics:
Renewal conf does not have standalone nor tls-sni

renew_before_expiry = 30 days

version = 0.23.0
archive_dir = directory/daweb.site
cert = directory/cert.pem
privkey = directory/privkey.pem
chain = directory/chain.pem
fullchain = directory/fullchain.pem

Options used in the renewal process

[renewalparams]
authenticator = apache
installer = apache
account = snipped

Output when certbot ran without the preferred challenge.

[root@DaLinux letsencrypt]# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/daweb.site.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for daweb.site
http-01 challenge for mail.daweb.site
Waiting for verification…
Cleaning up challenges


new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/daweb.site/fullchain.pem


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/daweb.site/fullchain.pem (success)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


#2

Hi @sergeantmajorme

then your certbot is too old. The ready state is from 2018-07, you should update your certbot.


#3

EPEL has Certbot 0.29.1.

The “ready” error is completely unrelated to the TLS-SNI deprecation and can be worked around – with some difficulty – but it would be simpler to just upgrade Certbot.


#4

Thank you both for your help - after you noted that EPEL has 0.29.1, I decided to re-install the EPEL repo and did an update again at which point that version showed up. I have absolutely no idea why I had to re-install it, but the output looks a lot better now.

Thank you again.
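
An added example, not part of the thread or of Certbot: a Python check covering the two things the posts above keep separate, the installed Certbot version (posts #2 and #3) and whether a renewal conf still asks for standalone or tls-sni (post #1). `audit`, its finding codes, the sample conf strings and the use of 0.29.1 as the known-good version are assumptions made for illustration; `pref_challs` is the key Certbot writes for a saved preferred-challenges setting.

```python
import configparser

# Constructed sample modeled on the renewal conf quoted in post #1.
CONF_POST_1 = """\
version = 0.23.0
archive_dir = directory/daweb.site
[renewalparams]
authenticator = apache
installer = apache
"""

# Constructed sample with the settings post #1 looked for and did not find.
CONF_PINNED = """\
version = 0.21.0
[renewalparams]
authenticator = standalone
pref_challs = tls-sni-01,
"""

def version_tuple(text):
    """'0.29.1' -> (0, 29, 1); non-numeric parts such as 'dev0' are ignored."""
    return tuple(int(p) for p in text.split(".") if p.isdigit())

def audit(conf_text, installed, known_good="0.29.1"):
    """Return a sorted list of finding codes for one renewal conf.

    known_good is an assumption: the EPEL version the thread reports as
    working, not a documented minimum.
    """
    parser = configparser.ConfigParser(interpolation=None)
    # Certbot writes top-level keys before any section header, which
    # configparser rejects, so place them under a dummy section.
    parser.read_string("[top]\n" + conf_text)
    params = parser["renewalparams"] if parser.has_section("renewalparams") else {}
    findings = set()
    if version_tuple(installed) < version_tuple(known_good):
        findings.add("certbot-older-than-known-good")
    challs = [c.strip() for c in params.get("pref_challs", "").split(",") if c.strip()]
    if any(c.startswith("tls-sni") for c in challs):
        findings.add("tls-sni-pinned")
    if params.get("authenticator", "") == "standalone":
        findings.add("standalone-authenticator")
    return sorted(findings)

if __name__ == "__main__":
    for name, conf, ver in [("post #1", CONF_POST_1, "0.23.0"),
                            ("pinned", CONF_PINNED, "0.29.1")]:
        print(name, ver, audit(conf, ver) or "no findings")
```

The installed version is passed in separately because the `version` line inside a renewal conf records the Certbot release that last wrote the file, which can lag behind the package on disk.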

