Renew issues after Debian Upgrade


#1

Hello, I tried to renew my certificate but it won’t work. I did an upgrade to Debian 9 (from 6) and therefore I now use the included certbot. Unfortunately the renew process no longer works.

My domain is:

I ran this command:
certbot renew --dry-run

It produced this output:
https://pastebin.com/g6xQtTCe

Sorry, the link limit is 20 for me…although I did not intend to set any link…

My web server is (include version):
Apache2

The operating system my web server runs on is (include version):
Debian 9

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no


#2

The version of certbot packaged in stretch (Debian 9) is quite old. It’s recommended to use the version from stretch-backports instead. See https://certbot.eff.org/lets-encrypt/debianstretch-apache

(The version in backports seems to be 0.21.1 currently so I guess the note about “it hasn’t been packaged by your OS yet” might be out of date).


#3

Hey, I did the update to the backports version, however…the result stays the same

https://pastebin.com/eiXS89WM


#4

I forgot to mention that I have another config running (unfortunately only for www.isepos.de) which works just fine…I’m really clueless…would it be an option to revoke all certificates and apply new ones?


#5

That almost certainly won’t help.

So what seems to be happening is it’s trying to renew using the tls-sni-01 challenge and failing for some reason. The tls-sni-01 challenge is deprecated anyway due to a security issue (it’s only available for renewals) so your best bet is probably to try to move away from it and use another challenge instead, rather than trying to get tls-sni-01 working again.

Since you’re now (presumably) using certbot 0.21.1, the simplest way to do that may be to try something like

certbot renew --preferred-challenges http-01

If it still doesn’t work, please share the new error output.
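
One way to see which lineages are pinned to tls-sni-01 before renewing, as an added example that is not part of the original posts. It assumes certbot's renewal configs (normally under /etc/letsencrypt/renewal/) record the challenge preference as pref_challs in their [renewalparams] section; the function names and sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which ACME challenge each certbot lineage is pinned to.
# Assumption: renewal configs are INI-style with a [renewalparams] section.

# Print the value of key $2 from the [renewalparams] section of file $1.
renewal_param() {
    awk -v key="$2" -F'[ \t]*=[ \t]*' '
        /^\[/ { in_params = ($0 ~ /^\[renewalparams\]/); next }
        in_params && $1 == key { print $2; exit }
    ' "$1"
}

# Classify one renewal config by its pref_challs setting.
classify_lineage() {
    challs=$(renewal_param "$1" pref_challs)
    case "$challs" in
        "")           echo "unset" ;;        # no preference stored; plugin default applies
        *tls-sni-01*) echo "tls-sni-01" ;;   # deprecated challenge is listed
        *)            echo "${challs%,}" ;;  # e.g. http-01 (trailing comma stripped)
    esac
}

# Print "<lineage> <authenticator> <challenge>" for every config in dir $1.
audit_renewal_dir() {
    for conf in "$1"/*.conf; do
        [ -f "$conf" ] || continue
        printf '%s %s %s\n' "$(basename "$conf" .conf)" \
            "$(renewal_param "$conf" authenticator)" "$(classify_lineage "$conf")"
    done
}

# Constructed sample configs (not from the thread) so the script runs offline.
make_demo_dir() {
    demo=$(mktemp -d)
    printf '%s\n' 'version = 0.21.1' '[renewalparams]' 'authenticator = apache' \
        'pref_challs = tls-sni-01,' > "$demo/old.example.conf"
    printf '%s\n' 'version = 0.21.1' '[renewalparams]' 'authenticator = apache' \
        'pref_challs = http-01,' > "$demo/new.example.conf"
    printf '%s\n' 'version = 0.21.1' '[renewalparams]' 'authenticator = apache' \
        > "$demo/plain.example.conf"
    echo "$demo"
}

# Audit the directory given as $1, or the constructed demo when none is given.
audit_dir=${1:-}
if [ -z "$audit_dir" ]; then
    audit_dir=$(make_demo_dir)
    trap 'rm -rf "$audit_dir"' EXIT
fi
audit_renewal_dir "$audit_dir"
```

Run it as root with /etc/letsencrypt/renewal as the argument to audit real lineages; it only reads the files.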


#6

That did the job…thank you very much…I was not aware that tls-sni-01 was deprecated


#7

Great, glad you got it working.

More information here if you’re interested.

