TLS-SNI-01 end-of-life

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: hydrophase.com

I ran this command:

It produced this output:

My web server is (include version): Apache/2.4.18 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 16.04.03 LTS

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

Please forgive my ignorance. I set up the certificates originally, likely through some kind of tutorial, and they've been on autopilot since. I'd really appreciate any guidance as to how to update whatever it is I need to update to fix the EOL issue. I have root CLI access. Thanks much in advance!!!

Hi @jmuessig

your certificate is ~~ new

CN=hydrophase.com
	09.12.2018
	09.03.2019
	hydrophase.com, www.hydrophase.com - 2 entries

So it's not a critical problem.

Check your config file ( /etc/letsencrypt/renewal) if there is tls-sni used.

Or try to renew your certificate with

--preferred-challenges http
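The reply above suggests checking the renewal configs under /etc/letsencrypt/renewal for any use of tls-sni. The following script is an added example (not code from the thread or from certbot) that automates that check: it reads the `authenticator` and `pref_challs` keys from each `.conf` file and flags any file that still mentions tls-sni. The two sample config files it creates are constructed for an offline demonstration and are not the poster's real files; on a real host you would call `scan_renewal_dir` with no argument so it reads /etc/letsencrypt/renewal.

```shell
#!/bin/sh
# Added example (not from the thread): scan certbot renewal configs for
# references to the retired tls-sni-01 challenge.

# Report the validation settings of one renewal config.
# Prints: "<file>: authenticator=<x> pref_challs=<y> tls-sni=<yes|no>"
check_conf() {
    conf="$1"
    auth=$(sed -n 's/^authenticator *= *//p' "$conf" | head -n 1)
    pref=$(sed -n 's/^pref_challs *= *//p' "$conf" | head -n 1)
    if grep -qi 'tls-sni' "$conf"; then tls=yes; else tls=no; fi
    printf '%s: authenticator=%s pref_challs=%s tls-sni=%s\n' \
        "$conf" "${auth:-unset}" "${pref:-unset}" "$tls"
}

# Scan a directory of renewal configs (default: /etc/letsencrypt/renewal).
# Returns non-zero if any config still references tls-sni.
scan_renewal_dir() {
    dir="${1:-/etc/letsencrypt/renewal}"
    found=0
    for f in "$dir"/*.conf; do
        [ -e "$f" ] || continue
        check_conf "$f"
        if grep -qi 'tls-sni' "$f"; then found=1; fi
    done
    return $found
}

# Constructed sample configs so the script runs offline; the second one
# mimics an old config that still prefers tls-sni-01.
demo_dir=$(mktemp -d)
cat > "$demo_dir/example-http.conf" <<'EOF'
version = 0.28.0
[renewalparams]
authenticator = apache
installer = apache
pref_challs = http-01,
EOF
cat > "$demo_dir/example-sni.conf" <<'EOF'
version = 0.17.0
[renewalparams]
authenticator = apache
installer = apache
pref_challs = tls-sni-01,
EOF

if scan_renewal_dir "$demo_dir"; then
    echo "no tls-sni references found"
else
    echo "at least one renewal config still references tls-sni-01"
fi
```

A config with no `pref_challs` key at all (like the one posted later in this thread) shows up as `pref_challs=unset`; in that case certbot's own `--dry-run` output is the authoritative way to see which challenge it actually performs.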

Thanks much for the assistance, JuergenAuer!

This is what is in my config file, I don't see any mention of TLS?

renew_before_expiry = 30 days

version = 0.17.0
archive_dir = /etc/letsencrypt/archive/hydrophase.com
cert = /etc/letsencrypt/live/hydrophase.com/cert.pem
privkey = /etc/letsencrypt/live/hydrophase.com/privkey.pem
chain = /etc/letsencrypt/live/hydrophase.com/chain.pem
fullchain = /etc/letsencrypt/live/hydrophase.com/fullchain.pem

Options used in the renewal process

[renewalparams]
authenticator = apache
installer = apache
account =

Your certbot looks old. Perhaps you should update.

I am missing an information about the validation method. Perhaps your config is so old, this information is missing.

I updated certbot to 0.28.0 with "sudo apt-get dist-upgrade". Is there a way to regenerate the configuration files?

I ran "certbot renew --dry-run" and it produced this output. Since it says "http-01 challenge", does this mean I do not have the TLS-SNI-01 domain validation?


Processing /etc/letsencrypt/renewal/hydrophase.com.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for hydrophase.com
http-01 challenge for www.hydrophase.com
Waiting for verification...
Cleaning up challenges


new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/hydrophase.com/fullchain.pem



** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/hydrophase.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


Help, please? I think I have the TLS-SNI-01 validation issue solved (please see post directly above), but I would really appreciate a brief confirmation of this by anyone with knowledge, please. Thanks much!

Create a new certificate, then you know it.

To clarify further:
Create a brand new certificate (not just a renewal) and then you will surely know.

Thanks much, guys.

Idiot question here, but would I do that with certbot as I did originally? Will the new certificate overwrite the old one? or do I need to revoke or delete it first?

It's a normal renew, don't revoke the old certificate.

The old will expire, then it's dead.

Thanks JuergenAuer!

So, I could just run "certbot --apache", select my domains, and this will create new certificates?

If you change your configuration badly, then it will not work.

So the only correct answer: I don't know it.

Do it. Then you will see, if it works.

PS:

Since I have started my tool https://check-your-website.server-daten.de/ , I see so much terrible configurations.

It's impossible to say what will happen in a few weeks.

Congrats on your tool, JuergenAuer!

I think everything went well. Below is the new .conf file, does this look correct, as far as you can tell?

renew_before_expiry = 30 days

version = 0.28.0
archive_dir = /etc/letsencrypt/archive/hydrophase.com
cert = /etc/letsencrypt/live/hydrophase.com/cert.pem
privkey = /etc/letsencrypt/live/hydrophase.com/privkey.pem
chain = /etc/letsencrypt/live/hydrophase.com/chain.pem
fullchain = /etc/letsencrypt/live/hydrophase.com/fullchain.pem

Options used in the renewal process

[renewalparams]
authenticator = apache
installer = apache
account = ___
server = https://acme-v02.api.letsencrypt.org/directory

