I received an email to update my validation method…
My domain is: webtracking.tramaco.net
My web server is (include version): Apache 2 on Debian
certbot version : 0.10.2
I ran this command: certbot renew --dry-run
It produced this output:
certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for webtracking.spediamar.it
Waiting for verification…
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0019_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0019_csr-certbot.pem
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for webtracking.tramaco.net
Waiting for verification…
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0020_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0020_csr-certbot.pem
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/webtracking.spediamar.it/fullchain.pem (success)
/etc/letsencrypt/live/webtracking.tramaco.net/fullchain.pem (success)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)
No warning about TLS … but the line “tls-sni-01 challenge for webtracking.tramaco.net” seems to say otherwise … What can I do now?
Thanks!
I already have the stretch-backports repository in my apt sources list… but no update is proposed… How can I force it? (deb http://ftp.debian.org/debian stretch-backports main)
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for webtracking.spediamar.it
Waiting for verification…
Cleaning up challenges
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/webtracking.spediamar.it/fullchain.pem
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for webtracking.tramaco.net
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (webtracking.tramaco.net) from /etc/letsencrypt/renewal/webtracking.tramaco.net.conf produced an unexpected error: Failed authorization procedure. webtracking.tramaco.net (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://webtracking.tramaco.net/.well-known/acme-challenge/FzZSbqvcoduwT-ygFMXGM5vA3PRsxRoU1vhzTWXMZSg: “\n<html xml:lang=“en”><head id=“j_idt2”><link type=“text/css” rel=“stylesheet” href=”/javax.faces.resource/fa/font". Skipping.
The following certs could not be renewed:
/etc/letsencrypt/live/webtracking.tramaco.net/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)
The following certs were successfully renewed:
/etc/letsencrypt/live/webtracking.spediamar.it/fullchain.pem (success)
The following certs could not be renewed:
/etc/letsencrypt/live/webtracking.tramaco.net/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
If you want to use http-validation, a file in /.well-known/acme-challenge is checked.
The redirect http -> https is ok; Let's Encrypt follows these redirects. But then the tool reports an HTTP status 404 - not found. Normally, this is ok, because the test file doesn't exist.
But open this URL manually:
HTTP Status 404 - Access is denied
You are not authorized to view this page
Error Code: 404
Error Description: /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
Exception Type: n.d.
Exception Class: n.d.
Request URI : /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
"Access is denied" is status 401 or 403, not 404; this is a wrong server configuration.
Solution: Allow anonymous access to /.well-known/acme-challenge. And fix your server. But this is only a problem testing your site.
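An added example, not part of any post in this thread: a Python sketch of the comparison an http-01 validator makes (RFC 8555 section 8.3), showing why an HTML page served by the application fails where the plain challenge file would pass. The function names, the placeholder account key and the status codes are constructed for illustration; the token and the HTML fragment are the ones quoted in the error output above.

```python
import base64
import hashlib
import json
import re

TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{22,}$")  # base64url, at least 128 bits

def jwk_thumbprint(jwk):
    """RFC 7638 SHA-256 thumbprint of the account key, base64url, no padding."""
    members = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def key_authorization(token, jwk):
    """The exact body the validator expects at /.well-known/acme-challenge/<token>."""
    return token + "." + jwk_thumbprint(jwk)

def diagnose(status, body, token, jwk):
    """Classify one HTTP response to the challenge URL the way a validator would."""
    if not TOKEN_RE.match(token):
        return "bad-token"
    text = body.decode("utf-8", "replace")
    if status == 200 and text.rstrip() == key_authorization(token, jwk):
        return "ok"                      # trailing whitespace is tolerated
    if status in (401, 403):
        return "access-denied"           # an auth filter covers /.well-known/
    if "<html" in text[:512].lower():
        return "html-page"               # a page was served, not the challenge file
    return "wrong-content" if status == 200 else "http-%d" % status

# Token and HTML fragment as quoted in the error output; key and statuses constructed.
TOKEN = "FzZSbqvcoduwT-ygFMXGM5vA3PRsxRoU1vhzTWXMZSg"
JWK = {"kty": "EC", "crv": "P-256", "x": "A" * 43, "y": "B" * 43}  # placeholder key
APP_PAGE = b'\n<html xml:lang="en"><head id="j_idt2">'

def demo():
    good = key_authorization(TOKEN, JWK).encode("ascii") + b"\n"
    return [diagnose(200, good, TOKEN, JWK),
            diagnose(200, APP_PAGE, TOKEN, JWK),
            diagnose(403, b"Access is denied", TOKEN, JWK),
            diagnose(404, b"", TOKEN, JWK)]

if __name__ == "__main__":
    print(demo())
```

Only the first case passes: the body must be exactly the token, a dot and the account key thumbprint, so any page generated by the web application at that path is rejected regardless of its status code.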
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for webtracking.spediamar.it
Waiting for verification…
Cleaning up challenges
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/webtracking.spediamar.it/fullchain.pem
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for webtracking.tramaco.net
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (webtracking.tramaco.net) from /etc/letsencrypt/renewal/webtracking.tramaco.net.conf produced an unexpected error: Failed authorization procedure. webtracking.tramaco.net (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://webtracking.tramaco.net/.well-known/acme-challenge/nNbXtEXqWHbPEeJb9pVVV614hGpBu4uNoLU_iMI0Ygo: “\n<html xml:lang=“en”><head id=“j_idt2”><link type=“text/css” rel=“stylesheet” href=”/javax.faces.resource/fa/font". Skipping.
The following certs could not be renewed:
/etc/letsencrypt/live/webtracking.tramaco.net/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)
The following certs were successfully renewed:
/etc/letsencrypt/live/webtracking.spediamar.it/fullchain.pem (success)
The following certs could not be renewed:
/etc/letsencrypt/live/webtracking.tramaco.net/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
They're separate. /usr/bin/certbot was installed and is managed by apt. certbot-auto installs itself into /opt/eff.org/certbot/. One doesn't overwrite the other.
You can upgrade the Certbot apt packages to 0.28.0 by using the stretch-backports repository.
Edit: They both use your configuration and certificates in /etc/letsencrypt/ though.