Updating your ACME client bc TLS-SNI-01


#1

My domain is: maelyt.net (+ some subdomains + other domains)

I ran this command: letsencrypt renew (after I shutdown the nginx)

It produced this output:

root@xyz:~# letsencrypt renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/mabikra.de.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/rent-a-minion.net.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/miachan.de.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/maelyt.net.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/noahkun.de.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/yamlet.net.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/mabikra.de/fullchain.pem expires on 2019-02-23 (skipped)
  /etc/letsencrypt/live/rent-a-minion.net/fullchain.pem expires on 2019-03-31 (skipped)
  /etc/letsencrypt/live/miachan.de/fullchain.pem expires on 2019-02-23 (skipped)
  /etc/letsencrypt/live/maelyt.net/fullchain.pem expires on 2019-03-03 (skipped)
  /etc/letsencrypt/live/noahkun.de/fullchain.pem expires on 2019-02-23 (skipped)
  /etc/letsencrypt/live/yamlet.net/fullchain.pem expires on 2019-02-23 (skipped)
No renewals were attempted.
-------------------------------------------------------------------------------

My web server is (include version): nginx/1.14.0 (Ubuntu) [needs to be toggled off for renew]

The operating system my web server runs on is (include version): Ubuntu 18.04.1 LTS (64bit)

My hosting provider, if applicable, is: own vserver

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

Hi,

I had the same “problem”. For me it seems that it doesn't try to update because your certs won't become invalid in the next 30 days. E.g. my cert was valid until 15.03.2019, so a renew also doesn't work. So I forced it with the following command:

/usr/bin/certbot --force-renewal

After some questions (want to redirect all requests to https, …) I restarted my apache (just to be sure) and checked the certificate again. Now it's valid until 18.04.2019, so this worked for me.


#3

--force-renewal helped me, too.

But certbot still uses TLS-SNI-01:

$ sudo ./certbot-auto renew --force-renewal
...
Processing /etc/letsencrypt/renewal/foo.example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for foo.example.com
TLS-SNI-01 is deprecated, and will stop working soon.
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/foo.example.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

How do I tell certbot to not use TLS-SNI-01?


#4

You can try:

--preferred-challenges http

or updating your renewal parameters file under /etc/letsencrypt/renewal so that it shows:

[renewalparams]
pref_challs = http-01

Please don’t use --force-renewal guys, you can update your preferences without actually using up your rate limits.

Edit: this post previously had wrong advice regarding --dry-run.
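The second suggestion above (setting `pref_challs` in the renewal config) is easy to get wrong by hand across many domains, and there is no built-in report of which files still lack it. The following is an added example, not code from the thread or from certbot itself: a small line-based parser for certbot's renewal `.conf` files (they carry top-level keys before any `[section]`, so `configparser` cannot read them directly), a check for whether `http-01` is the preferred challenge, and an idempotent rewrite that sets it. The sample config, the domain `foo.example.com`, the account id and the version string are constructed placeholders.

```python
"""Audit and fix certbot renewal configs so they prefer http-01 over tls-sni-01."""
import re
from pathlib import Path
from typing import Dict, List

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
KV_RE = re.compile(r"^\s*(?P<key>[A-Za-z0-9_]+)\s*=\s*(?P<value>.*?)\s*$")

# Constructed sample in the shape certbot writes to /etc/letsencrypt/renewal/<name>.conf.
# Account id and version are placeholders, not values from the thread.
SAMPLE_CONF = """\
# renew_before_expiry = 30 days
version = 0.0.0
archive_dir = /etc/letsencrypt/archive/foo.example.com
cert = /etc/letsencrypt/live/foo.example.com/cert.pem
privkey = /etc/letsencrypt/live/foo.example.com/privkey.pem
chain = /etc/letsencrypt/live/foo.example.com/chain.pem
fullchain = /etc/letsencrypt/live/foo.example.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = standalone
account = PLACEHOLDER_ACCOUNT_ID
server = https://acme-v02.api.letsencrypt.org/directory
"""


def parse_renewal_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a renewal conf into {section: {key: value}}.

    Keys that appear before the first [section] are stored under the '' section.
    Blank lines and '#' comments are ignored.
    """
    sections: Dict[str, Dict[str, str]] = {"": {}}
    current = ""
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group("name")
            sections.setdefault(current, {})
            continue
        kv = KV_RE.match(line)
        if kv:
            sections[current][kv.group("key")] = kv.group("value")
    return sections


def prefers_http01(text: str) -> bool:
    """True only if http-01 (or certbot's 'http' alias) is the FIRST preferred challenge."""
    params = parse_renewal_conf(text).get("renewalparams", {})
    prefs = [p.strip() for p in params.get("pref_challs", "").split(",") if p.strip()]
    return bool(prefs) and prefs[0] in ("http-01", "http")


def set_http01(text: str) -> str:
    """Return the conf with 'pref_challs = http-01' in [renewalparams]; idempotent.

    An existing pref_challs line is replaced; otherwise the key is appended to the
    section, and the section itself is created if it is missing.
    """
    out: List[str] = []
    in_params = seen_params = replaced = False
    for line in text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            if in_params and not replaced:       # leaving [renewalparams] without the key
                out.append("pref_challs = http-01")
                replaced = True
            in_params = sec.group("name") == "renewalparams"
            seen_params = seen_params or in_params
            out.append(line)
            continue
        if in_params:
            kv = KV_RE.match(line)
            if kv and kv.group("key") == "pref_challs":
                if not replaced:
                    out.append("pref_challs = http-01")
                    replaced = True
                continue                          # drop duplicates of the key
        out.append(line)
    if not replaced:
        if not seen_params:
            out.append("[renewalparams]")
        out.append("pref_challs = http-01")
    return "\n".join(out) + "\n"


def audit_dir(renewal_dir: Path) -> List[str]:
    """Names of *.conf files in renewal_dir that do not yet prefer http-01."""
    return sorted(p.name for p in renewal_dir.glob("*.conf")
                  if not prefers_http01(p.read_text()))


if __name__ == "__main__":
    print("prefers http-01 before:", prefers_http01(SAMPLE_CONF))
    fixed = set_http01(SAMPLE_CONF)
    print("prefers http-01 after: ", prefers_http01(fixed))
    print(fixed)
```

On a real host you would run `audit_dir(Path("/etc/letsencrypt/renewal"))`, rewrite the files it lists with `set_http01`, and then confirm with `certbot renew --dry-run` (against the staging environment, so no rate limit is consumed) that every domain now reports an `http-01` challenge.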


#5

Works!

Maybe the email received by so many of us should at least hint on how certbot is supposed to be used.


#6

Yeah that email was not ideal :frowning: .


#7

Hello,

So the command to use is :

sudo ./certbot-auto renew --preferred-challenges http --dry-run ?

Thanks in advance


#9

--dry-run currently only works with the ‘certonly’ or ‘renew’ subcommands (‘run’)
means I need to update my client?


#10

If you can show the full command that you are trying to use, I can suggest a suitable invocation.


#11

root@ScolaServer2:/etc/letsencrypt/renewal# certbot --preferred-challenges http --dry-run
--dry-run currently only works with the ‘certonly’ or ‘renew’ subcommands (‘run’)


#12

You need to run certbot renew --preferred-challenges http --dry-run. You were missing the renew command.


#13

Ah, I see. It works now! Thanks


#14

certbot renew --preferred-challenges http --dry-run was successful, but I have no certbot-auto command.

So I changed some confs in /etc/letsencrypt/renewal/ with this part

[renewalparams]
pref_challs = http

But after certbot renew --dry-run all domains run with the http-01 challenge? Is this the “http” challenge or the deprecated one? I have no old log. So don't I need to change the confs, or did the change fail?


#15

This is correct.


#16

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.