TLS-SNI-01 client update


#1

I received an email to update my validation method…

My domain is: webtracking.tramaco.net
My web server is (include version): Apache 2 on Debian
certbot version : 0.10.2
I ran this command:certbot renew --dry-run
It produced this output:

certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/webtracking.spediamar.it.conf

Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for webtracking.spediamar.it
Waiting for verification…
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0019_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0019_csr-certbot.pem


Processing /etc/letsencrypt/renewal/webtracking.tramaco.net.conf

Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for webtracking.tramaco.net
Waiting for verification…
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0020_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0020_csr-certbot.pem
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/webtracking.spediamar.it/fullchain.pem (success)
/etc/letsencrypt/live/webtracking.tramaco.net/fullchain.pem (success)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)

No warning about TLS … but the line “tls-sni-01 challenge for webtracking.tramaco.net” seems to say otherwise … What can I do now?
Thanks!


#2

Which version of Debian are you using?


#3

I have Debian version 9


#4

You have a few options.

You can upgrade to Certbot 0.28.0 from the stretch-backports repository.


#5

I already have the stretch-backports repository in my apt source list… but no update is proposed… how can I force it? (deb http://ftp.debian.org/debian stretch-backports main)


#6

Have you tried certbot-auto ?


#7

According to this Debian Backports, backports are disabled by default.

I executed (as stated on that site)

sudo apt-get -t stretch-backports install certbot

to update to version 0.28.0.


#8

OK … I installed certbot-auto and I ran ./certbot-auto renew --dry-run … and I got the updates successfully …

  1. ./certbot-auto --version gives me version 0.30.0 but … certbot --version keeps showing 0.10 (the old version) … why?
  2. ./certbot-auto renew --dry-run produced this output

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/webtracking.spediamar.it.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for webtracking.spediamar.it
Waiting for verification…
Cleaning up challenges


new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/webtracking.spediamar.it/fullchain.pem



Processing /etc/letsencrypt/renewal/webtracking.tramaco.net.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for webtracking.tramaco.net
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (webtracking.tramaco.net) from /etc/letsencrypt/renewal/webtracking.tramaco.net.conf produced an unexpected error: Failed authorization procedure. webtracking.tramaco.net (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://webtracking.tramaco.net/.well-known/acme-challenge/FzZSbqvcoduwT-ygFMXGM5vA3PRsxRoU1vhzTWXMZSg: “\n<html xml:lang=“en”><head id=“j_idt2”><link type=“text/css” rel=“stylesheet” href=”/javax.faces.resource/fa/font". Skipping.
The following certs could not be renewed:
/etc/letsencrypt/live/webtracking.tramaco.net/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

The following certs were successfully renewed:
/etc/letsencrypt/live/webtracking.spediamar.it/fullchain.pem (success)

The following certs could not be renewed:
/etc/letsencrypt/live/webtracking.tramaco.net/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

So what can I do?
thanks.


#9

Hi @rbottoni

looks like you have a terrible error ( https://check-your-website.server-daten.de/?q=webtracking.tramaco.net ):

If you want to use http-validation, a file in /.well-known/acme-challenge is checked.

The redirect http -> https is ok, Letsencrypt follows these redirects. But then the tool reports a http status 404 - not found. Normally, this is ok, because the test file doesn’t exist.

But open this URL manually:

HTTP Status 404 - Access is denied
You are not authorized to view this page
Error Code: 404
Error Description: /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
Exception Type: n.d.
Exception Class: n.d.
Request URI : /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 

“Access is denied” is status 401 or 403, not 404; this is a wrong server configuration.

Solution: Allow anonymous access to /.well-known/acme-challenge. And fix your server. But this is only a problem testing your site.


#10

Hi,
the “/.well-known” folder does not really exist … should I create it?


#11

Yes, that’s always a good idea.

Create

/.well-known/acme-challenge

in your root directory and allow access, so

http://webtracking.tramaco.net/.well-known/acme-challenge/1234

or the redirect gets a correct 404 - not found.


#12

OK… this is my new output for: ./certbot-auto renew --dry-run

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/webtracking.spediamar.it.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for webtracking.spediamar.it
Waiting for verification…
Cleaning up challenges


new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/webtracking.spediamar.it/fullchain.pem



Processing /etc/letsencrypt/renewal/webtracking.tramaco.net.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for webtracking.tramaco.net
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (webtracking.tramaco.net) from /etc/letsencrypt/renewal/webtracking.tramaco.net.conf produced an unexpected error: Failed authorization procedure. webtracking.tramaco.net (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://webtracking.tramaco.net/.well-known/acme-challenge/nNbXtEXqWHbPEeJb9pVVV614hGpBu4uNoLU_iMI0Ygo: “\n<html xml:lang=“en”><head id=“j_idt2”><link type=“text/css” rel=“stylesheet” href=”/javax.faces.resource/fa/font". Skipping.
The following certs could not be renewed:
/etc/letsencrypt/live/webtracking.tramaco.net/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

The following certs were successfully renewed:
/etc/letsencrypt/live/webtracking.spediamar.it/fullchain.pem (success)

The following certs could not be renewed:
/etc/letsencrypt/live/webtracking.tramaco.net/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

Is it OK now?


#13

No. Now your server sends a 404, but my browser says:

HTTP Status 404 - Access is denied
You are not authorized to view this page

So Letsencrypt can’t check a file.

Create a file under /.well-known/acme-challenge, file name 1234. Then check if you can load this file via

https://webtracking.tramaco.net/.well-known/acme-challenge/1234

If yes, you have found your correct webroot. So use it:

certbot-auto run -a webroot -i apache -w yourWebRoot -d yourDomain
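
The check described in this reply (drop a test file into the webroot, fetch it over HTTP, compare what comes back), as an added example that is not part of the original thread or of certbot. The `fetch` parameter, the `local_fetch` helper and the scratch directory are assumptions of this example so it can also be exercised offline; for a real server the default fetcher follows redirects the way the Let's Encrypt validator does.

```python
import os
import secrets
import tempfile
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Path the http-01 validator requests below the document root.
CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


def default_fetch(url):
    """GET url (redirects are followed automatically); return (status, body)."""
    try:
        with urlopen(Request(url, headers={"User-Agent": "webroot-check"}), timeout=10) as r:
            return r.status, r.read()
    except HTTPError as e:  # 4xx/5xx still carry a body, e.g. the "Access is denied" page
        return e.code, e.read()


def local_fetch(webroot):
    """Assumed offline stand-in for default_fetch: serve files straight from webroot."""
    def fetch(url):
        rel = url.split("/", 3)[3]  # strip "http://host/"
        try:
            with open(os.path.join(webroot, rel), "rb") as f:
                return 200, f.read()
        except FileNotFoundError:
            return 404, b"not found"
    return fetch


def verify_webroot(webroot, domain, fetch=default_fetch):
    """Write a random token file into webroot/.well-known/acme-challenge/ and confirm
    the same bytes come back over HTTP. Returns (ok, reason). The file is removed again."""
    token = secrets.token_urlsafe(32)
    body = secrets.token_hex(16).encode()
    path = os.path.join(webroot, CHALLENGE_DIR, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(body)
    try:
        status, got = fetch(f"http://{domain}/.well-known/acme-challenge/{token}")
    finally:
        os.remove(path)
    if status != 200:
        return False, f"HTTP {status}: the challenge path is not served anonymously"
    if got.strip() != body:
        return False, "HTTP 200 but a different body: another handler answered the request"
    return True, "webroot serves the challenge file unmodified"


def scratch_webroot():
    """Constructed throw-away document root for the offline check."""
    return tempfile.mkdtemp(prefix="webroot-")
```

A 404 with an "Access is denied" page, or a 200 whose body is the application's HTML rather than the token, both fail the check, which is exactly what the dry run above reported.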

#14

Congratulations, all renewals succeeded!!!

Thanks JuergenAuer!!!

just one last question, … but only out of curiosity …

./certbot-auto --version gives me version 0.30.0 but … certbot --version keeps showing 0.10 (the old version) … why?


#15

They’re separate. /usr/bin/certbot was installed and is managed by apt. certbot-auto installs itself into /opt/eff.org/certbot/. One doesn’t overwrite the other.

You can upgrade the Certbot apt packages to 0.28.0 by using the stretch-backports repository.

Edit: They both use your configuration and certificates in /etc/letsencrypt/ though.


#16

Yep, now you have a new certificate, valid until 21 April 2019.

One is your very old certbot, the other is your new certbot-auto.


#17

Still, many many thanks!!