Upgrade guide for TLS-SNI-01 validation is reaching end-of-life?

jliaw · January 18, 2019, 2:29pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

Can you provide a link to a Tutorial / Quick start guide to help us update to the newer renewal methods before the end of life deadline is reached?

I had originally followed this tutorial:

Thank you!

Sincerely,

Joe Liaw

My domain is: https://irwin.sat.iit.edu/

I ran this command:

It produced this output:

My web server is (include version):
nginx/1.10.3

The operating system my web server runs on is (include version):
Ubuntu 16.04.5

My hosting provider, if applicable, is: NA

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

JuergenAuer · January 18, 2019, 3:18pm

Hi @jliaw

check your config /etc/letsencrypt/renewal, if there is something like tls-sni - validation.

Perhaps update your certbot if your version is too old.

And add

--preferred-challenges http

to your command.

jliaw · January 18, 2019, 3:39pm

Hi Juergen:

Thank you for your quick reply!

Here’s what’s in my config file under the renewal:

Options used in the renewal process

[renewalparams]

authenticator = nginx

installer = nginx

account = ************************** (I blanked this out for security purposes—let me know if you need this!)

server =
https://acme-v02.api.letsencrypt.org/directory

Can you please explain what the full command should be to add in the tags you suggested:

rg305 · January 18, 2019, 4:54pm

Please show the command you run now to renew.
It should be as easy as adding that to it…
But we can check.

jliaw · January 18, 2019, 7:46pm

Hi Rudy:

I think this is what is used to renew via a crontab job (copy and pasted from the online tutorial):

To run the renewal check daily, we will use cron ,
a standard system service for running periodic jobs. We tell cron what to do by opening and
editing a file called a crontab.

·
sudo crontab -e

Your text editor will open the default crontab which is a text file with some help text in it. Paste in the following
line at the end of the file, then save and close it:

crontab

. . .

15 3 * * * /usr/bin/certbot renew --quiet

The 15 3 * * * part
of this line means “run the following command at 3:15 am, every day”. You may choose any time.

The renew command
for Certbot will check all certificates installed on the system and update any that are set to expire in less than thirty days. --quiet tells
Certbot not to output information or wait for user input.

cron will now run this command
daily. All installed certificates will be automatically renewed and reloaded when they have thirty days or less before they expire.

Thanks for your help Rudy!

Regards,

Joe

rg305 · January 18, 2019, 7:47pm

Please show:
sudo crontab -l

JuergenAuer · January 18, 2019, 7:52pm

Add there --preferred-challenges http

Next certificate update, check if it works.

jliaw · January 18, 2019, 8:00pm

Hi Rudy:

This is what shows up in the output—thanks for your help!

Joe

# Edit this file to introduce tasks to be run by cron.

rg305 · January 18, 2019, 8:02pm

That “looks” empty?

jliaw · January 18, 2019, 8:03pm

Maybe this is the problem….thanks for any help you can offer!

–Joe

When I run:

apt list –upgradeable

This is what I get:

Listing… Done

certbot/xenial,xenial 0.28.0-1+ubuntu16.04.1+certbot+4 all [upgradable from: 0.26.1-1+ubuntu16.04.1+certbot+2]

linux-generic-hwe-16.04/xenial-updates,xenial-security 4.15.0.43.64 amd64 [upgradable from: 4.15.0.29.51]

linux-headers-generic-hwe-16.04/xenial-updates,xenial-security 4.15.0.43.64 amd64 [upgradable from: 4.15.0.29.51]

linux-image-generic-hwe-16.04/xenial-updates,xenial-security 4.15.0.43.64 amd64 [upgradable from: 4.15.0.29.51]

python3-certbot/xenial,xenial 0.28.0-1+ubuntu16.04.1+certbot+4 all [upgradable from: 0.26.1-1+ubuntu16.04.1+certbot+2]

ubuntu-minimal/xenial-updates 1.361.2 amd64 [upgradable from: 1.361.1]

So I tried to run:

Apt-get update

…. And then

Apt-get upgrade

….but I get this message:

apt-get upgrade

Reading package lists… Done

Building dependency tree

Reading state information… Done

Calculating upgrade… Done

The following packages have been kept back:

certbot linux-generic-hwe-16.04 linux-headers-generic-hwe-16.04 linux-image-generic-hwe-16.04 python3-certbot ubuntu-minimal

0 upgraded, 0 newly installed, 0 to remove and 6 not upgraded.

jliaw · January 18, 2019, 8:05pm

Hi Juergen:

Should the command in crontab read:

15 3 * * * /usr/bin/certbot renew –quiet --preferred-challenges http

Thanks for your help!

–Joe

JuergenAuer · January 18, 2019, 8:09pm

Yes, that looks good.

rg305 · January 18, 2019, 8:17pm

Please show:
systemctl list-timers

jliaw · January 18, 2019, 8:40pm

Here’s the output Rudy:

systemctl list-timers

NEXT LEFT LAST PASSED UNIT ACTIVATES

Fri 2019-01-18 21:22:48 CST 6h left Fri 2019-01-18 09:58:13 CST 4h 41min ago apt-daily.timer apt-daily.service

Sat 2019-01-19 00:31:05 CST 9h left Fri 2019-01-18 13:36:14 CST 1h 3min ago certbot.timer certbot.service

Sat 2019-01-19 06:51:58 CST 16h left Fri 2019-01-18 06:40:32 CST 7h ago apt-daily-upgrade.timer apt-daily-upgrade.service

Sat 2019-01-19 14:09:46 CST 23h left Fri 2019-01-18 14:09:46 CST 30min ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service

4 timers listed.

Pass --all to see loaded but inactive timers, too.

jliaw · January 18, 2019, 8:41pm

Thank you Juergen….I’ll go ahead and make your suggested change.

How can I verify if it works?

Thank you!

jliaw · January 18, 2019, 8:42pm

Hi Rudy:

This is what I tried to post earlier—maybe it got cut off:

rg305 · January 18, 2019, 8:56pm

You already have a systemctl timer.
You don't need a cron job.

And don't change anything in the timer/job until you have tested it works from the command line.

jliaw · January 18, 2019, 9:10pm

Hi Rudy:

I’m just a classroom teacher, so I apologize my server admin skills are not as high as others!

Since the systemctl timer is calling the certbot renewal, can you tell me where I need to make the changes in order to migrate to the newer renewal system before the TLS-SNI-01 validation end-of-life deadline?

Thank you!

–Joe

rg305 · January 18, 2019, 9:12pm

Find the cerbot timer; see what that command line looks like.
modify that command line to work with http authentication.
once you have a working command line, then update the timer.

jliaw · January 18, 2019, 9:14pm

Would the easiest way to fix this be to remove the old certbot, and then try and re-install it?

I think I would need to do:

apt-get purge --auto-remove certbot

….and then to follow a tutorial like this one (this is what I did before to get certbot running):

https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04

Thanks for all your help Rudy!