Renewal issues, as so many others

Hello everyone

I understand the current protocol certbot uses is becoming obsolete and unsupported. And while I have found references to certbot now supporting ALPN, it seems that is no longer the case.

Unfortunately, I can’t seem to find any noob friendly documentation on how to proceed now.

I have tried installing dehydrated.io. While registration worked, trying to actually generate certificates fails because connection to port 80 times out.

I proxy all http traffic to https. I do not intend to change that. Might that be the issue?

So what would be the best way to renew my certs in the future?

Regards,

Marco

What do you mean by proxy?

If you mean you have an HTTP to HTTPS redirect, then you can use the HTTP validation method preferred by Certbot.

That only depends on your ISP not blocking port 80, and you having port 80 open on your firewall.

What's your domain?

You are right, at some point I seem to have blocked port 80 on the firewall.

Do I have to configure certbot to use http-01? How can I verify that certbot will use that method from now on?

You can use this to both test HTTP-01 and if successful, it will persist that option for future renewals:

certbot renew --preferred-challenges http --dry-run

Thanks, that was successful.

So do I just append the --preferred-challenges http to the crontab entry and be done with it?

Not necessary to update your cron. If you take a peek at the files in /etc/letsencrypt/renewal/, the file for your domain should now be updated with the preferred challenge.

cert = /etc/letsencrypt/live/glavas.ch/cert.pem
privkey = /etc/letsencrypt/live/glavas.ch/privkey.pem
chain = /etc/letsencrypt/live/glavas.ch/chain.pem
fullchain = /etc/letsencrypt/live/glavas.ch/fullchain.pem
version = 0.26.1
archive_dir = /etc/letsencrypt/archive/glavas.ch

[renewalparams]
installer = apache
authenticator = apache
account = 0e41c6ce6ebdac3875a888e597444eae
server = https://acme-v02.api.letsencrypt.org/directory

I don’t think I see that.

Ah, you are right. Silly me giving out wrong advice. It only updates the config if you do a live renewal (oops).

I think you will need to add under [renewalparams]:

pref_challs = http-01

and then do a bare test of your renewal:

certbot renew --dry-run

To other readers, the other method to do this is just to update Certbot to the latest version, and it will stop using TLS-SNI.
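
The edit described in the reply above, as an added example rather than anything from the thread or from certbot itself: a small POSIX shell script that pins HTTP-01 in a renewal configuration file under [renewalparams], idempotently and with a backup copy, and reports which challenge is pinned. The sample config it creates under a temporary directory is constructed (example.com, a made-up account id) to mirror the layout shown in the thread; the function names and the .bak suffix are my own choices. Certbot writes this setting as a comma-terminated list (pref_challs = http-01,), which is why the script writes it the same way.

```shell
#!/bin/sh
# Added example, not certbot's own code. Pins the HTTP-01 challenge in a
# certbot renewal config so the next "certbot renew" stops using TLS-SNI-01.
# Assumptions: a certbot-style "<domain>.conf" with a [renewalparams] section;
# the .bak backup suffix and all function names are this example's choices.
set -eu

# Insert or update "pref_challs = http-01," inside [renewalparams].
# Safe to run repeatedly: a second run changes nothing further.
set_pref_challs() {
    conf="$1"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    grep -q '^\[renewalparams\]' "$conf" \
        || { echo "no [renewalparams] section in $conf" >&2; return 1; }
    cp "$conf" "$conf.bak"   # keep the pre-edit file beside the original
    if grep -q '^pref_challs' "$conf"; then
        # An existing line (for instance one still naming tls-sni-01) is replaced in place.
        sed -i.tmp 's/^pref_challs.*/pref_challs = http-01,/' "$conf"
    else
        # Append directly under the section header so the key lands in [renewalparams].
        sed -i.tmp '/^\[renewalparams\]/a\
pref_challs = http-01,' "$conf"
    fi
    rm -f "$conf.tmp"
}

# Print the pinned challenge type(s), stripped of the trailing comma; empty if none.
pinned_challenge() {
    sed -n 's/^pref_challs *= *//p' "$1" | tr -d ', '
}

# Constructed sample renewal config (same shape as a real one, fake values).
make_sample_conf() {
    dir=$(mktemp -d)
    conf="$dir/example.com.conf"
    cat > "$conf" <<'EOF'
cert = /etc/letsencrypt/live/example.com/cert.pem
privkey = /etc/letsencrypt/live/example.com/privkey.pem
chain = /etc/letsencrypt/live/example.com/chain.pem
fullchain = /etc/letsencrypt/live/example.com/fullchain.pem
version = 0.26.1
archive_dir = /etc/letsencrypt/archive/example.com

[renewalparams]
installer = apache
authenticator = apache
account = 0123456789abcdef0123456789abcdef
server = https://acme-v02.api.letsencrypt.org/directory
EOF
    echo "$conf"
}

# Demo on the constructed file: pin, pin again (no duplicate), show the result.
sample=$(make_sample_conf)
set_pref_challs "$sample"
set_pref_challs "$sample"
echo "pinned challenge: $(pinned_challenge "$sample")"
sed -n '/^\[renewalparams\]/,$p' "$sample"
```

On a real system point set_pref_challs at /etc/letsencrypt/renewal/<domain>.conf as root, then run the bare certbot renew --dry-run from the reply above; the dry run exercises the pinned challenge without issuing a certificate, and /var/log/letsencrypt/letsencrypt.log records which challenge type was used.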

Thank you! I guess we’ll see in february whether I did this right :D.
