TLS-SNI-01 certbot 0.27.1 - confused

I have hosted a site on CentOS 7 with the Apache webserver.

I renewed my certificate on 5th Feb and on 12th Feb received a mail about renewal, because TLS-SNI-01 validation is reaching end-of-life.

When I ran the command below, it succeeded.

certbot renew --dry-run

So I am confused, since in the forum I got multiple answers.

Some say if there is no error then don't do anything;
some say if the version is less than 0.28 then upgrade the certbot client and renew.

Can someone please confirm if I really need to upgrade?

I have checked my certificate at https://www.sslshopper.com and my certificate is valid for the next 3 months.

Hi @socialpilgrim

If you use --dry-run, then you use the test system. The test system doesn't support tls-sni-01.

So it should be ok.

Check your certificate in 2 months to see if the renewal has worked.

Probably not a "requirement" for you, since you did get the --dry-run to pass with "Congratulations..."
But for best continued support, YES, you should be at 0.28.0 or higher :slight_smile:

If you are using certbot 0.27.1 - the apache, nginx and standalone plugins will use TLS-SNI-01 by default for renewals, as long as it is available, but when it becomes unavailable they will automatically switch to HTTP-01. So, you test your setup by running certbot renew --dry-run (as you did). That runs against the staging server, where TLS-SNI-01 is already disabled, so it simulates what will happen when it’s disabled for real (which will now be in March, though it’s also temporarily disabled at the moment). If that test works, then you know that your renewals will continue to work when TLS-SNI-01 is switched off and your certbot automatically switches to HTTP-01. However, that version of certbot will continue to use TLS-SNI-01 until that time, so you may get further warning emails about it. If you want to avoid that, you should upgrade to certbot 0.28.0 or later, which will switch to HTTP-01 by default immediately rather than waiting for TLS-SNI-01 to be switched off.

And as @rg305 says, it’s a good idea to upgrade anyway because (like any software) certbot’s new versions come with bug fixes and improvements that may be important or useful to you.

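An added check script, not from this thread or from the certbot project, that encodes the rule of thumb in the reply above: certbot below 0.28.0 still defaults to TLS-SNI-01 (and keeps triggering the warning mails), 0.28.0 and later default to HTTP-01, and `certbot renew --dry-run` against staging is the test that shows whether the HTTP-01 fallback works. It assumes `certbot --version` prints `certbot X.Y.Z`; the 0.28.0 threshold is taken from the thread.

```shell
#!/bin/sh
# Added example, not part of the thread or of certbot itself.
# Decides whether the installed certbot still defaults to TLS-SNI-01
# (below 0.28.0, per the thread) and reminds the operator how to test
# the HTTP-01 fallback against staging.

UPGRADE_THRESHOLD=0.28.0

# version_lt A B: succeed (exit 0) when dotted numeric version A is lower than B.
version_lt() {
  v1=$1; v2=$2
  while [ -n "$v1" ] || [ -n "$v2" ]; do
    p1=${v1%%.*}; p2=${v2%%.*}          # leading component of each version
    if [ "$v1" = "$p1" ]; then v1=''; else v1=${v1#*.}; fi
    if [ "$v2" = "$p2" ]; then v2=''; else v2=${v2#*.}; fi
    p1=${p1:-0}; p2=${p2:-0}            # missing components count as 0
    if [ "$p1" -lt "$p2" ]; then return 0; fi
    if [ "$p1" -gt "$p2" ]; then return 1; fi
  done
  return 1                              # equal versions are not "lower"
}

# default_challenge VERSION: challenge type this certbot version prefers by default.
default_challenge() {
  if version_lt "$1" "$UPGRADE_THRESHOLD"; then
    echo tls-sni-01
  else
    echo http-01
  fi
}

# installed_certbot_version: assumes `certbot --version` prints "certbot X.Y.Z"
# (assumption; adjust the parsing if your build prints something else).
installed_certbot_version() {
  certbot --version 2>&1 | awk '{ print $NF }'
}

# Report only; the actual staging test is left for the operator to run.
if command -v certbot >/dev/null 2>&1; then
  ver=$(installed_certbot_version)
  echo "certbot $ver defaults to $(default_challenge "$ver")"
  if version_lt "$ver" "$UPGRADE_THRESHOLD"; then
    echo "upgrade to $UPGRADE_THRESHOLD or later to stop the TLS-SNI-01 warnings"
  fi
  echo "then confirm the HTTP-01 fallback with: certbot renew --dry-run"
else
  echo "certbot not found in PATH"
fi
```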

I’ll confirm what everyone else has said here:

  • You’re almost certainly fine, BUT
  • You should arrange for all of your packages, including Certbot, to be automatically and continually up-to-date. Not only is this safer from a security perspective, it’s recommended in our Integration Guide. If you’re not doing regular upgrades, it’s likely that future changes will break renewal for you.

Thanks,
Jacob

