Update ACME client letsencrypt (not certbot)


#1

Hi there,

I received an email saying that TLS-SNI-01 validation is reaching end-of-life, and I need to update my ACME client to use an alternative validation method (HTTP-01, DNS-01 or TLS-ALPN-01). Please help me with the steps I should take to update my ACME client.

I have a certificate valid until April.

I do not use certbot but letsencrypt client.

My domain is: turing.iimas.unam.mx

I ran this command:

It produced this output:

My web server is (include version): apache 2.4.18

The operating system my web server runs on is (include version): ubuntu server 16.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine: yes

I’m using a control panel to manage my site : no

The version of my client is: letsencrypt 0.4.1. I guess I installed it with the command sudo apt-get install python-letsencrypt-apache

I read here (How to stop using TLS-SNI-01 with Certbot) that letsencrypt used to be the name of what now is certbot. Should I uninstall letsencrypt and install certbot instead? How can I do this?

Cheers


#2

They are one and the same.

Very very old.
[ glad to see that you started using it so long ago! :slight_smile: ]
But, yes, it is time to update it…

Start here:


#3

Amazingly, 0.4.1 is still the official current version of Certbot for Ubuntu 16.04 :frowning: but there is also a PPA that will let you update to a newer version (described on the site that @rg305 linked to).


#4

Thanks guys!

I updated certbot following the instructions on the site you pointed me to. Certbot version is 0.28.0. Everything worked out. After renewing my certificate I got the output:

Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for turing.iimas.unam.mx
Waiting for verification…
Cleaning up challenges

This output refers to validation method http-01, so I supposed I’m not using TLS-SNI-01 anymore. I also set a crontab job to automatically renew the certificate.

I guess I’m good to go.

Thanks again!
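
Added example (not from any post in this thread): the progress output above is only printed for one run, but the same "http-01 challenge for ..." line is also written to /var/log/letsencrypt/letsencrypt.log, so the question "am I still validating with TLS-SNI-01?" can be answered from the log history instead of from whatever scrolled by. This script assumes certbot logs one line per challenge in the form "<type> challenge for <domain>", as shown in post #4; the log prefix in the sample is constructed, not real data.

```shell
#!/bin/sh
# Added example, not part of the thread: answer "am I still using
# TLS-SNI-01?" from the certbot log rather than from the progress output.
# Assumption: certbot logs one line per challenge of the form
# "<type> challenge for <domain>" (post #4 shows
# "http-01 challenge for turing.iimas.unam.mx").

# Print the distinct challenge types recorded in log file $1, one per line.
challenge_types() {
    grep -oE '(http-01|dns-01|tls-alpn-01|tls-sni-01) challenge for' "$1" \
        | awk '{ print $1 }' | sort -u
}

# Return 0 only if the log shows at least one supported challenge type and
# no tls-sni-01 validation at all. An empty log fails on purpose:
# "no evidence of tls-sni-01" is not the same as "validated with http-01".
validated_without_tls_sni() {
    types=$(challenge_types "$1")
    [ -n "$types" ] || return 1
    echo "$types" | grep -qx 'tls-sni-01' && return 1
    return 0
}

# Constructed sample log (not real data) so the script runs offline.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
2019-02-12 16:10:00,001:INFO:certbot.auth_handler:Performing the following challenges:
2019-02-12 16:10:00,002:INFO:certbot.auth_handler:http-01 challenge for turing.iimas.unam.mx
2019-02-12 16:10:05,003:INFO:certbot.auth_handler:Waiting for verification...
EOF

echo "challenge types seen: $(challenge_types "$sample_log" | tr '\n' ' ')"
if validated_without_tls_sni "$sample_log"; then
    echo "OK: no tls-sni-01 in log"
else
    echo "WARNING: log shows tls-sni-01, or no challenges at all"
fi
rm -f "$sample_log"
```

On a real host, point `validated_without_tls_sni` at /var/log/letsencrypt/letsencrypt.log (and the rotated letsencrypt.log.N files, which certbot keeps alongside it) so that every renewal since the client was upgraded is covered, not just the most recent one.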


#5

I’m glad to hear you got the new client and it renewed via HTTP-01.

This may have already been put in place (automatically).
Check cron and system timers:
crontab -l
sudo crontab -l
systemctl list-timers


#6

Thanks!

Apparently there is already a scheduled renewal as you said. See the output of the command systemctl list-timers

NEXT LEFT LAST PASSED UNIT ACTIVATES
wed 2019-02-13 09:46:41 CST 13h left n/a n/a certbot.timer certbot.service

How often is this renewal executed?

Cheers


#7

If I read that correctly:

It has no PASSED execution.
[which might be confused to read PAST execution]

So, I’m thinking that execution has never completed successfully.

Please show:
grep -i execstart /lib/systemd/system/certbot.service

Also show both:
systemctl status --full certbot.timer
systemctl status --full certbot.service


#8

What I got after running those commands is:

ExecStart=/usr/bin/certbot -q renew

● certbot.timer - Run certbot twice daily
   Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
   Active: active (waiting) since tue 2019-02-12 16:17:37 CST; 4h 41min ago

● certbot.service - Certbot
   Loaded: loaded (/lib/systemd/system/certbot.service; static; vendor preset: enabled)
   Active: inactive (dead)
     Docs: file:///usr/share/doc/python-certbot-doc/html/index.html
           https://letsencrypt.readthedocs.io/en/latest/


#9

So that answers that.

But I still don’t see the output I’m looking for.
Did you run the last command as root?
[sudo systemctl status --full certbot.service]
[does that show any additional output?]


#10

On a similar Ubuntu 16.04 system I get:
[additional PID info and SUCCESS status]

● certbot.service - Certbot
   Loaded: loaded (/lib/systemd/system/certbot.service; static; vendor preset: enabled)
   Active: inactive (dead) since Tue 2019-02-12 16:11:31 EST; 6h ago
     Docs: file:///usr/share/doc/python-certbot-doc/html/index.html
           https://letsencrypt.readthedocs.io/en/latest/
 Main PID: 54511 (code=exited, status=0/SUCCESS)

Feb 12 16:11:30 servername systemd[1]: Starting Certbot...
Feb 12 16:11:31 servername systemd[1]: Started Certbot.
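
Added example (not from any post in this thread): posts #7 to #10 infer "has the timer ever fired, and did the run succeed?" by eyeballing the LAST/PASSED columns of list-timers and the Main PID line of status. The same facts are available as key=value properties from `systemctl show`, which is easier to check from a script. The property names used (LastTriggerUSec, Result, ExecMainStatus) are real systemd properties; the assumption that a never-fired timer reports LastTriggerUSec as empty or "n/a" is mine, and the two sample files are constructed, not captured from the poster's machine.

```shell
#!/bin/sh
# Added example, not part of the thread: decide from `systemctl show`
# properties whether certbot.timer has ever fired and whether the last
# certbot.service run succeeded.
#
# Live usage (not run here, so the script works offline):
#   systemctl show certbot.timer   -p LastTriggerUSec           > /tmp/timer.txt
#   systemctl show certbot.service -p Result -p ExecMainStatus  > /tmp/service.txt
#   renewal_timer_report /tmp/timer.txt /tmp/service.txt

# Print the value of property $2 from a "Key=Value" file $1.
show_prop() {
    sed -n "s/^$2=//p" "$1"
}

# 0 if LastTriggerUSec carries a timestamp. Assumption: a timer that has
# never fired reports the property as empty or as "n/a".
timer_has_fired() {
    last=$(show_prop "$1" LastTriggerUSec)
    [ -n "$last" ] && [ "$last" != "n/a" ]
}

# 0 if the last certbot.service run ended with Result=success and exit 0
# (the "status=0/SUCCESS" that post #10 shows in the status output).
service_last_run_ok() {
    [ "$(show_prop "$1" Result)" = "success" ] \
        && [ "$(show_prop "$1" ExecMainStatus)" = "0" ]
}

# One-word verdict: never-fired | fired-ok | fired-failed
renewal_timer_report() {
    if ! timer_has_fired "$1"; then
        echo never-fired
    elif service_last_run_ok "$2"; then
        echo fired-ok
    else
        echo fired-failed
    fi
}

# Constructed samples (not real output): the state from post #8, where the
# timer is enabled but has no LAST trigger yet.
timer_file=$(mktemp)
service_file=$(mktemp)
printf 'LastTriggerUSec=n/a\n' > "$timer_file"
printf 'Result=success\nExecMainStatus=0\n' > "$service_file"
echo "certbot timer: $(renewal_timer_report "$timer_file" "$service_file")"
rm -f "$timer_file" "$service_file"
```

A "never-fired" verdict right after installing the package is expected, as post #15 points out: the timer only shows a LAST value once its first scheduled slot has passed. "fired-failed" is the case worth alerting on, since `certbot -q renew` prints nothing on its own and the failure would otherwise only be visible in the journal or in letsencrypt.log.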

#11

Not sure what you put in your cron job…
But this is what it is currently set to try twice a day:
[this may need some modification - yet to see]

Please show the output of:
/usr/bin/certbot renew
[without the -quietness]


#12

Hello,

that command, run as root, produces the output:

$ sudo systemctl status --full certbot.service
● certbot.service - Certbot
   Loaded: loaded (/lib/systemd/system/certbot.service; static; vendor preset: enabled)
   Active: inactive (dead)
     Docs: file:///usr/share/doc/python-certbot-doc/html/index.html
           https://letsencrypt.readthedocs.io/en/latest/

No PID or SUCCESS status :frowning:

What I got is

$ sudo /usr/bin/certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/turing.iimas.unam.mx.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
/etc/letsencrypt/live/turing.iimas.unam.mx/fullchain.pem expires on 2019-05-13 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


#13

OK, so the command does as expected (there is no cert to renew today).

The question now is does the system timer actually trigger and run the command?
I suppose you can check later on in the letsencrypt.log file to see if it did run automatically.
[Saving debug log to /var/log/letsencrypt/letsencrypt.log]


#14

Hi

I checked that log file; it has data from a dry run I ran yesterday and from the /usr/bin/certbot renew I ran a couple of hours ago. No info on scheduled renewals is present; it seems no renewal took place and no renewal is automated.

I also ran:

sudo less /var/log/letsencrypt/letsencrypt.log
nohernan@turing:~$ sudo systemctl list-timers
NEXT          LEFT       LAST  PASSED  UNIT           ACTIVATES
wed 19-02-13  6min left  n/a   n/a     certbot.timer  certbot.service

If the task is executed twice, then a renewal should have taken place already because I installed certbot yesterday, but it is not the case because the LAST field says n/a.

I think I have to manually create a cron job to have the renewal automated.

What do you think?


#15

I think it had 6 min left until it was supposed to try again.
Recheck the log file.


#16

Actually, it just took place.

Here is the output of /var/log/letsencrypt/letsencrypt.log

2019-02-13 18:11:19,246:DEBUG:certbot.main:certbot version: 0.28.0
2019-02-13 18:11:19,247:DEBUG:certbot.main:Arguments: [’-q’]
2019-02-13 18:11:19,247:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-02-13 18:11:19,260:DEBUG:certbot.log:Root logging level set at 30
2019-02-13 18:11:19,261:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-02-13 18:11:19,273:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7f26811cc0b8> and installer <certbot.cli._Default object at 0x7f26811cc0b8>
2019-02-13 18:11:19,298:INFO:certbot.renewal:Cert not yet due for renewal
2019-02-13 18:11:19,299:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
2019-02-13 18:11:19,300:DEBUG:certbot.plugins.selection:Selecting plugin: * apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_debian.DebianConfigurator object at 0x7f2684b18fd0>
2019-02-13 18:11:19,301:DEBUG:certbot.plugins.storage:Plugin storage file /etc/letsencrypt/.pluginstorage.json was empty, no values loaded
2019-02-13 18:11:19,301:DEBUG:certbot.renewal:no renewal failures

Also, sudo systemctl list-timers outputs this:
NEXT          LEFT      LAST                       PASSED    UNIT           ACTIVATES
thu 19-02-14  12h left  wed 19-02-13 18:11:18 CST  5min ago  certbot.timer  certbot.service


#17

OK that is much better.
[it passed]

You should be good to go :slight_smile:


#18

Alright. Thank you so much! :+1: