Renewal issues, as so many others


#1

Hello everyone

I understand the current protocol certbot uses is becoming obsolete and unsupported. And while I have found references to certbot now supporting ALPN, it seems that is no longer the case.

Unfortunately, I can’t seem to find any noob friendly documentation on how to proceed now.

I have tried installing dehydrated.io. While registration worked, trying to actually generate certificates fails because connection to port 80 times out.

I proxy all http traffic to https. I do not intend to change that. Might that be the issue?

So what would be the best way to renew my certs in the future?

Regards,

Marco


#2

What do you mean by proxy?

If you mean you have an HTTP to HTTPS redirect, then you can use the HTTP validation method preferred by Certbot.

That only depends on your ISP not blocking port 80, and you having port 80 open on your firewall.

What’s your domain?


#3

You are right, at some point I seem to have blocked port 80 on the firewall.

Do I have to configure certbot to use http-01? How can I verify that certbot will use that method from now on?


#4

You can use this to both test HTTP-01 and if successful, it will persist that option for future renewals:

certbot renew --preferred-challenges http --dry-run

#5

Thanks, that was successful.

So to I just append the --preferred-challenges http to the crontab entry and be done with it?


#6

Not necessary to update your cron. If you take a peek at the files n /etc/letsencrypt/renewal/, the file for your domain should now be updated with the preferred challenge.


#7

cert = /etc/letsencrypt/live/glavas.ch/cert.pem
privkey = /etc/letsencrypt/live/glavas.ch/privkey.pem
chain = /etc/letsencrypt/live/glavas.ch/chain.pem
fullchain = /etc/letsencrypt/live/glavas.ch/fullchain.pem
version = 0.26.1
archive_dir = /etc/letsencrypt/archive/glavas.ch

[renewalparams]
installer = apache
authenticator = apache
account = 0e41c6ce6ebdac3875a888e597444eae
server = https://acme-v02.api.letsencrypt.org/directory

I don’t think I see that.


#8

Ah, you are right. Silly me giving out wrong advice. It only updates the config if you do a live renewal (oops).

I think you will need to add under [renewalparams]:

pref_challs = http-01

and then do a bare test of your renewal:

certbot renew --dry-run

To other readers, the other method to do this is just to update Certbot to the latest version, and it will stop using TLS-SNI.


#9

Thank you! I guess we’ll see in february whether I did this right :D.


#10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.