Renew issues after Debian Upgrade

isepos · March 18, 2018, 12:23pm

Helo I tried to renew my certificte but it won’t work. I did an upgrade to Debian 9 (from 6) and tehrefore I now use the included certbot. Unfortunately the renew process no longer works.

My domain is:

I ran this command:
certbot renew --dry-run

It produced this output:
https://pastebin.com/g6xQtTCe

Sorry linklimit is 20 for me…although i did not intend to set any link…

My web server is (include version):
Apache2

The operating system my web server runs on is (include version):
Debian 9

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

jmorahan · March 18, 2018, 12:34pm

The version of certbot packaged in stretch (debian 9) is quite old. It’s recommended to use the version from stretch-backports instead. See https://certbot.eff.org/lets-encrypt/debianstretch-apache

(The version in backports seems to be 0.21.1 currently so I guess the note about “it hasn’t been packaged by your OS yet” might be out of date).

isepos · March 18, 2018, 12:38pm

Hey i did the update to the backports version however…the result stays the same

https://pastebin.com/eiXS89WM

isepos · March 18, 2018, 12:41pm

I have fortgot to menation that I have another config running (unfortunatly only for www.isepos.de) which works just fine…i’m really clueless…would it be an option to revoke all certificates and apply new ones?

jmorahan · March 18, 2018, 12:57pm

That almost certainly won't help.

So what seems to be happening is it's trying to renew using the tls-sni-01 challenge and failing for some reason. The tls-sni-01 challenge is deprecated anyway due to a security issue (it's only available for renewals) so your best bet is probably to try to move away from it and use another challenge instead, rather than trying to get tls-sni-01 working again.

Since you're now (presumably) using certbot 0.21.1, the simplest way to do that may be to try something like

certbot renew --preferred-challenges http-01

If it still doesn't work, please share the new error output.

isepos · March 18, 2018, 1:39pm

That did the Job...thank you very much...i was not aware that tls-sni-01 was deprecated

jmorahan · March 18, 2018, 1:45pm

Great, glad you got it working.

More information here if you're interested.

system · April 17, 2018, 1:45pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.