[solved?] Clarification on ACME TLS-SNI-01 sunset

Like a lot of people who post here, this isn’t my day job. Maybe for people who work with certs full time, these are obvious.

But I think I resolved this issue when I checked the version of certbot-auto and it autoupdated from 0.27.1 to 0.30.2 (because my subsequent dry-run reported that all was well).

The second step of the instructions (using sed to do something) was confusing. It wasn’t clear where the renewal files are located (/etc/letsencrypt/renewal/) and those files don’t match /tls/i or /sni/i:

# pwd
/etc/letsencrypt/renewal
# grep -i tls *
# grep -i sni *
#

So, I guess it was a matter of using an older version of certbot that was the problem, yes? Having a successful dry-run means that everything is OK, right?

Maybe that’s obvious, but since I cannot see why (other than possibly an older CB client) I was using TLS-SNI-01, and since it’s not sunset yet, it’s not 100% clear that a successful dry-run means that I won’t have trouble on 2/13 and after 3/13.

EDIT: I notice that my dry-run output specifies the challenge type: “http-01 challenge for acumented.com”, so I do think I am OK now.

TLS-SNI-01 has been disabled already on the staging server, which is used for dry-run renewals. So if that worked, it will work when TLS-SNI-01 is disabled on the live server too.
