Upgrade guide for TLS-SNI-01 validation is reaching end-of-life?


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

Can you provide a link to a Tutorial / Quick start guide to help us update to the newer renewal methods before the end of life deadline is reached?

I had originally followed this tutorial:

Thank you!

Sincerely,

Joe Liaw

My domain is: https://irwin.sat.iit.edu/

I ran this command:

It produced this output:

My web server is (include version):
nginx/1.10.3

The operating system my web server runs on is (include version):
Ubuntu 16.04.5

My hosting provider, if applicable, is: NA

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


#2

Hi @jliaw

check your config /etc/letsencrypt/renewal, if there is something like tls-sni - validation.

Perhaps update your certbot if your version is too old.

And add

--preferred-challenges http

to your command.


#3

Hi Juergen:

Thank you for your quick reply!

Here’s what’s in my config file under the renewal:

Options used in the renewal process

[renewalparams]

authenticator = nginx

installer = nginx

account = ************************** (I blanked this out for security purposes—let me know if you need this!)

server =
https://acme-v02.api.letsencrypt.org/directory

Can you please explain what the full command should be to add in the tags you suggested:


#4

Please show the command you run now to renew.
It should be as easy as adding that to it…
But we can check.


#5

Hi Rudy:

I think this is what is used to renew via a crontab job (copy and pasted from the online tutorial):

To run the renewal check daily, we will use cron ,
a standard system service for running periodic jobs. We tell cron what to do by opening and
editing a file called a crontab.

·
sudo crontab -e

Your text editor will open the default crontab which is a text file with some help text in it. Paste in the following
line at the end of the file, then save and close it:

crontab

. . .

15 3 * * * /usr/bin/certbot renew --quiet

The 15 3 * * * part
of this line means “run the following command at 3:15 am, every day”. You may choose any time.

The renew command
for Certbot will check all certificates installed on the system and update any that are set to expire in less than thirty days. --quiet tells
Certbot not to output information or wait for user input.

cron will now run this command
daily. All installed certificates will be automatically renewed and reloaded when they have thirty days or less before they expire.

Thanks for your help Rudy!

Regards,

Joe


#6

Please show:
sudo crontab -l


#7

Add there --preferred-challenges http

Next certificate update, check if it works.


#8

Hi Rudy:

This is what shows up in the output—thanks for your help!

Joe

# Edit this file to introduce tasks to be run by cron.

#9

That “looks” empty?


#10

Maybe this is the problem….thanks for any help you can offer!

–Joe

When I run:

apt list –upgradeable

This is what I get:

Listing… Done

certbot/xenial,xenial 0.28.0-1+ubuntu16.04.1+certbot+4 all [upgradable from: 0.26.1-1+ubuntu16.04.1+certbot+2]

linux-generic-hwe-16.04/xenial-updates,xenial-security 4.15.0.43.64 amd64 [upgradable from: 4.15.0.29.51]

linux-headers-generic-hwe-16.04/xenial-updates,xenial-security 4.15.0.43.64 amd64 [upgradable from: 4.15.0.29.51]

linux-image-generic-hwe-16.04/xenial-updates,xenial-security 4.15.0.43.64 amd64 [upgradable from: 4.15.0.29.51]

python3-certbot/xenial,xenial 0.28.0-1+ubuntu16.04.1+certbot+4 all [upgradable from: 0.26.1-1+ubuntu16.04.1+certbot+2]

ubuntu-minimal/xenial-updates 1.361.2 amd64 [upgradable from: 1.361.1]

So I tried to run:

Apt-get update

…. And then

Apt-get upgrade

….but I get this message:

apt-get upgrade

Reading package lists… Done

Building dependency tree

Reading state information… Done

Calculating upgrade… Done

The following packages have been kept back:

certbot linux-generic-hwe-16.04 linux-headers-generic-hwe-16.04 linux-image-generic-hwe-16.04 python3-certbot ubuntu-minimal

0 upgraded, 0 newly installed, 0 to remove and 6 not upgraded.


#11

Hi Juergen:

Should the command in crontab read:

15 3 * * * /usr/bin/certbot renew –quiet --preferred-challenges http

Thanks for your help!

–Joe


#12

Yes, that looks good.


#13

Please show:
systemctl list-timers


#14

Here’s the output Rudy:

systemctl list-timers

NEXT LEFT LAST PASSED UNIT ACTIVATES

Fri 2019-01-18 21:22:48 CST 6h left Fri 2019-01-18 09:58:13 CST 4h 41min ago apt-daily.timer apt-daily.service

Sat 2019-01-19 00:31:05 CST 9h left Fri 2019-01-18 13:36:14 CST 1h 3min ago certbot.timer certbot.service

Sat 2019-01-19 06:51:58 CST 16h left Fri 2019-01-18 06:40:32 CST 7h ago apt-daily-upgrade.timer apt-daily-upgrade.service

Sat 2019-01-19 14:09:46 CST 23h left Fri 2019-01-18 14:09:46 CST 30min ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service

4 timers listed.

Pass --all to see loaded but inactive timers, too.


#15

Thank you Juergen….I’ll go ahead and make your suggested change.

How can I verify if it works?

Thank you!


#16

Hi Rudy:

This is what I tried to post earlier—maybe it got cut off:


#17

You already have a systemctl timer.
You don’t need a cron job.

And don’t change anything in the timer/job until you have tested it works from the command line.


#18

Hi Rudy:

I’m just a classroom teacher, so I apologize my server admin skills are not as high as others!

Since the systemctl timer is calling the certbot renewal, can you tell me where I need to make the changes in order to migrate to the newer renewal system before the TLS-SNI-01 validation end-of-life deadline?

Thank you!

–Joe


#19
  1. Find the cerbot timer; see what that command line looks like.
  2. modify that command line to work with http authentication.
  3. once you have a working command line, then update the timer.

#20

Would the easiest way to fix this be to remove the old certbot, and then try and re-install it?

I think I would need to do:

apt-get purge --auto-remove certbot

….and then to follow a tutorial like this one (this is what I did before to get certbot running):

https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04

Thanks for all your help Rudy!