Hello,
As at the beginning of every month, it's time to renew my certificates.
My servers are all running Debian 12 and certificate renewal always worked perfectly until last Friday.
Here's the message I received:
Your system is not supported by certbot-auto anymore.
certbot-auto and its Certbot installation will no longer receive updates.
You will not receive any bug fixes including those fixing server compatibility or security problems.
Please visit https://certbot.eff.org/ to check for other alternatives.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Attempting to parse the version 2.1.0 renewal configuration file found at /etc/letsencrypt/renewal/xxx.com.conf with version 1.9.0 of Certbot. This might not work.
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for xxx.xxx.com
Waiting for verification...
Challenge failed for domain xxx.xxx.com
http-01 challenge for xxx.xxx.com
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: xxx.xxx.xxx
Type: serverInternal
Detail: During secondary validation: Remote PerformValidation RPC failed
Unfortunately, an error on the ACME server prevented you from completing authorization. Please try again later.
What's going on and can you help me or at least tell me what to do?
There was a recent Let's Encrypt domain validation issue and I'm pretty sure that's what this is:
Just try your renewals again; you should expect CA services to occasionally be down or have problems, and most certificate automation is designed to allow for that by retrying failed renewals. certbot-auto sounds like something quite old?
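The retry behaviour described in the reply above, as an added example that is not part of the thread and not certbot's own code: a POSIX shell wrapper that re-runs a renewal command with exponential backoff so a transient ACME-side error like the "serverInternal" response in the original post does not fail the whole run. The `flaky` command at the bottom is a constructed stand-in for a renewal that fails twice and then succeeds; in real use the wrapped command would be `certbot renew`.

```shell
#!/bin/sh
# Added example, not from the thread. Retries a renewal command with
# exponential backoff so a transient CA-side failure is retried rather
# than aborting the renewal run.

# renew_with_retry MAX_ATTEMPTS BASE_DELAY_SECONDS COMMAND [ARGS...]
# Runs COMMAND until it exits 0 or MAX_ATTEMPTS is reached, doubling the
# sleep between attempts. Returns 0 on success, 1 if every attempt failed.
# Variables are prefixed rwr_ because POSIX sh has no 'local'.
renew_with_retry() {
    rwr_max=$1
    rwr_delay=$2
    shift 2
    rwr_attempt=1
    while [ "$rwr_attempt" -le "$rwr_max" ]; do
        if "$@"; then
            return 0
        else
            rwr_status=$?
        fi
        echo "attempt $rwr_attempt of $rwr_max failed (exit $rwr_status)" >&2
        if [ "$rwr_attempt" -lt "$rwr_max" ]; then
            echo "retrying in ${rwr_delay}s" >&2
            sleep "$rwr_delay"
            rwr_delay=$((rwr_delay * 2))
        fi
        rwr_attempt=$((rwr_attempt + 1))
    done
    echo "giving up after $rwr_max attempts" >&2
    return 1
}

# Constructed stand-in for a renewal command: fails on the first two
# calls (as a CA outage would) and succeeds on the third.
flaky_count=0
flaky() {
    flaky_count=$((flaky_count + 1))
    [ "$flaky_count" -ge 3 ]
}

# Stand-alone demo: a zero base delay so the demo does not actually wait.
# Real use: renew_with_retry 4 300 certbot renew
if renew_with_retry 5 0 flaky; then
    echo "renewal succeeded after $flaky_count attempts"
fi
```

The base delay of a few minutes matters in practice: retrying immediately against a CA that is mid-incident just adds load, while a wrapper like this lets a cron job scheduled weeks before expiry ride out an outage of a few hours without any manual intervention.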
Every month? Isn't that a little bit soon? Let's Encrypt recommends renewing 30 days before expiry, and that would be 60 days into the lifetime of 90 days. And that's every 2 months, not monthly?
Well, every month at least gives us time to solve a problem if it arises.
This allows us to deal with the problem without stress.
I know many people who renew their certificate every week or even more often.
If it's just a temporary technical problem, I'll start the renewal process this weekend and let you know how it goes.
Because 30 days isn't enough time for problem solving? Why would you require 60 days? That's absurd.
This is even more absurd and plain ridiculous. IMO these people should be banned from the service for abuse. Luckily for them I'm just a volunteer and not Let's Encrypt staff.
Given the proposed move to certs with (max) 45-day lifetimes, 30 days would be a pretty reasonable renewal interval. I don't think it's abuse of the service at all; if anything it exercises the service so that 45-day certs will be less of a surprise. https://www.sectigo.com/resource-library/45-day-certificate-lifespan-proposal
The real problem is having manual intervention to renew certs, which is something we should try to move away from (and most certificate users have over the last 8 or 9 years).
I'm talking about certs with a lifetime of 90 days, such as Let's Encrypt currently. I did not mean certs with shorter lifetimes. Renewing twice as early as recommended is IMO abusive and should also be completely unnecessary.
Yeah, I agree with Osiris. IF that proposal passes and WHEN Let's Encrypt has the infrastructure in place to support that, THEN 30 days will be a reasonable renewal period.
The proposal is a phased reduction to 45 days, by which Let's Encrypt wouldn't be affected until late 2027 since their cert lifetime is already 90 days.
If the ultimate goal is very short certs (7 or 10 days), then by that logic we should all be renewing every 2-3 days now.