Still receiving "Action required: Let's Encrypt certificate renewals" emails with older version


I have certbot 0.10.2-1~bpo8+1 on a Debian Jessie box (the version in Debian backports). This is a popular server operating system, supported by the volunteer vendor through April 2020. The certbot install was likely done using the certbot recommended install method at the time (Debian backports).

I have confirmed certbot is not using an SNI challenge, it is using http-01, see the --dry-run below.

I read at How to stop using TLS-SNI-01 with Certbot (linked in the email) that “If the version is less than 0.28, you need to upgrade your Certbot.”

Why? It seems to me that the dry run is telling me the renewal will succeed? Is there a reason beyond not using SNI to recommend an upgrade? What is the need I have, that you refer to in the sentence I quoted above?

I prefer, as a layer of protection and general good practice I recommend to others, to only install software from official distribution repositories. I don’t go outside of that practice without serious consideration. I can’t evaluate the options around certbot with my current lack of information.

Will my certificate continue to renew successfully? What problems exist in older versions of certbot?

root@jabber:~# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/jabber…com.conf

Cert not due for renewal, but simulating renewal for dry run
Starting new HTTPS connection (1):
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for jabber…com
Waiting for verification…
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0118_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0118_csr-certbot.pem
Dry run: skipping renewal hook command: /usr/local/bin/
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/jabber…com/fullchain.pem (success)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


The current recommendation for Jessie is to use certbot-auto -

Yeah. Numerous bugfixes and changes are not being backported to Debian’s 0.12 release, as far as I’m aware.

One example is the v1 API shutdown: End of Life Plan for ACMEv1 , which will affect clients before Jessie is EOL.

Your non-usage of TLS-SNI seems correct, though.

closed #3

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.