I received a second "Action required: Let's Encrypt certificate renewals" email yesterday: Your Let's Encrypt client used ACME TLS-SNI-01 domain validation…
I have shell access to this Ubuntu 16.04 Apache 2.4.18 VPS. I began to follow the 3-step procedure posted by author bmw:
Step 1 (Ensure certbot or certbot-auto version >= 28)
jk@bird:~$ certbot --version
certbot 0.26.1
jk@bird:~$ certbot-auto --version
certbot-auto: command not found
jk@bird:~$ whereis certbot-auto
certbot-auto:
Conclusion: I have certbot, not certbot-auto, and this certbot needs to be updated. So I updated it using apt-get
and friends. Looks good now:
jk@bird:~$ certbot --version
certbot 0.28.0
Step 2 (Update .conf files)
The long one-liner command in bmw's post apparently invokes sed to apply a patch to all files in /etc/letsencrypt/renewal/, replacing any qualified occurrences of the string tls-sni-01 with http-01. Makes sense. But before applying this, I thought I'd have a look at the single file in that directory. I found these contents:
# renew_before_expiry = 30 days
version = 0.26.1
archive_dir = /etc/letsencrypt/archive/sheepsystems.com
cert = /etc/letsencrypt/live/sheepsystems.com/cert.pem
privkey = /etc/letsencrypt/live/sheepsystems.com/privkey.pem
chain = /etc/letsencrypt/live/sheepsystems.com/chain.pem
fullchain = /etc/letsencrypt/live/sheepsystems.com/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = 20a12c3be1cdb0a0aa032a4d0a2feb70
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = apache
installer = apache
Hmmmm, there are no occurrences of the string tls-sni-01. So that sed command will have no effect. Another surprise: there is not even any mention of a validation method.
That version = 0.26.1 is apparently a reference to my old certbot installation. To see if maybe running the new certbot 0.28.0 would update that .conf file, I decided to skip up to…
Step 3 (See if it worked)
I ran
sudo certbot renew
both with and without --dry-run. But the .conf file remained the same. It still contains version = 0.26.1.
One final surprise. In both cases, the results indicated that http-01 was used, and congratulated me on success. Snippets:
. . .
Performing the following challenges:
http-01 challenge for sheepsystems.com
http-01 challenge for www.sheepsystems.com
Waiting for verification...
. . .
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/sheepsystems.com/fullchain.pem (success)
With all of these surprises, I feel that I somehow got into the wrong universe. May someone please tell me where I am?
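The following shell script is an added example (not from the post, and not bmw's one-liner) that shows what the sed patch in Step 2 is actually looking for, and why it is a no-op on a renewal .conf like the one above. It assumes that certbot records an explicit challenge preference under the `pref_challs` key in the `[renewalparams]` section (that key is not present in the poster's file, which is exactly why nothing changed). It audits a renewal directory for confs that still prefer tls-sni-01, patches only those lines with a .bak copy, and leaves confs without a preference untouched. The two .conf files it builds are constructed samples in a temporary directory, so it can be run without touching /etc/letsencrypt.

```shell
#!/bin/sh
# Audit and patch certbot renewal confs that still prefer the retired
# tls-sni-01 challenge. Added example; assumes the pref_challs key.

# list_tls_sni_confs DIR: print the .conf files under DIR that mention
# tls-sni-01 (no output means the sed patch from Step 2 has nothing to do).
list_tls_sni_confs() {
    grep -l 'tls-sni-01' "$1"/*.conf 2>/dev/null || true
}

# patch_conf FILE: on pref_challs lines only, replace tls-sni-01 with
# http-01, collapsing a resulting "http-01, http-01" to one entry.
# A FILE.bak copy is kept. Returns 0 if FILE changed, 1 if it did not.
patch_conf() {
    f="$1"
    if ! grep -q '^pref_challs.*tls-sni-01' "$f"; then
        return 1
    fi
    cp "$f" "$f.bak"
    tmp="$f.tmp.$$"
    # Portable alternative to sed -i (GNU and BSD sed differ on -i).
    sed -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/' \
        -e 's/http-01, *http-01/http-01/' "$f" > "$tmp" && mv "$tmp" "$f"
    return 0
}

# make_sample_dir: build a temp directory holding two constructed confs,
# one with an explicit tls-sni-01 preference and one (like the poster's)
# with no pref_challs line at all. Prints the directory path.
make_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/example.com.conf" <<'EOF'
# renew_before_expiry = 30 days
version = 0.26.1
# Options used in the renewal process
[renewalparams]
account = 0123456789abcdef0123456789abcdef
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = apache
installer = apache
pref_challs = tls-sni-01, http-01
EOF
    cat > "$d/other.example.conf" <<'EOF'
version = 0.26.1
[renewalparams]
authenticator = apache
installer = apache
EOF
    printf '%s\n' "$d"
}

# Stand-alone run against the constructed samples (constructed data only).
if [ "${1:-}" = "demo" ]; then
    dir=$(make_sample_dir)
    echo "Confs still preferring tls-sni-01:"
    list_tls_sni_confs "$dir"
    for c in "$dir"/*.conf; do
        if patch_conf "$c"; then echo "patched: $c"; else echo "unchanged: $c"; fi
    done
    echo "After patching:"
    grep -H '^pref_challs' "$dir"/*.conf || echo "(no pref_challs lines remain)"
    rm -rf "$dir"
fi
```

Run it with `sh audit_renewal.sh demo`. A conf with no `pref_challs` line, such as the one in the post, carries no challenge preference at all, so the apache authenticator falls back to its own default, which is why the renewal output above reports http-01 even though the file never changed. To inspect a live installation read-only, call `list_tls_sni_confs /etc/letsencrypt/renewal` and patch only what it lists.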