Upgraded certbot renew --dry-run shows it still using tls-sni-01 unless overridden

abirkill · January 20, 2019, 12:01am

Hi,

Like many others, I received the e-mail warning that I was using ACME TLS-SNI-01 domain validation, so I followed the instructions here to upgrade to the latest version of certbot (0.28.0 is what I now have, to be specific).

I also checked to make sure there were no preferred-challenges preferences set in any configuration files, which there weren’t, and I then ran:

sudo certbot renew --dry-run

to test that everything was working correctly. However, for some domains I see it using the http-01 challenge, and for other domains it’s continuing to use the tls-sni-01 challenge.

However, if I run:

sudo certbot renew --dry-run --preferred-challenges http-01,dns-01

then all domains use the http-01 challenge, so there doesn’t seem to be any reason that http-01 won’t work.

Is this something that will resolve itself automatically when tls-sni-01 renewals are disabled, or is there something in my configuration incorrectly telling certbot to use tls-sni-01 and will prevent automatic renewals after February 13th?

Here’s the configuration file for one of the affected domains:

# renew_before_expiry = 30 days
version = 0.22.2
archive_dir = /etc/letsencrypt/archive/telemetry.racecentres.com
cert = /etc/letsencrypt/live/telemetry.racecentres.com/cert.pem
privkey = /etc/letsencrypt/live/telemetry.racecentres.com/privkey.pem
chain = /etc/letsencrypt/live/telemetry.racecentres.com/chain.pem
fullchain = /etc/letsencrypt/live/telemetry.racecentres.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = nginx
installer = nginx
account = <removed>

Here’s the output from certbot when I don’t specify any preferred challenges:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/telemetry.racecentres.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for telemetry.racecentres.com
TLS-SNI-01 is deprecated, and will stop working soon.
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/telemetry.racecentres.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

And here’s the output from certbot when I tell it to prefer http-01:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/telemetry.racecentres.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for telemetry.racecentres.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/telemetry.racecentres.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

I could change the cron job to specify the preferred challenges, but I’d prefer to avoid doing that unless I have to.

Apologies if this has been asked before, I had a search and couldn’t find anything quite the same.

_az · January 20, 2019, 12:22am

Are you 100% sure it’s 0.28+?

Maybe you installed the new version from the PPA, but the old non-PPA version is still installed as well?

which -a certbot
certbot --version

abirkill · January 20, 2019, 12:32am

Everything appears correct:

$ which -a certbot
/usr/bin/certbot
$ certbot --version
certbot 0.28.0
$ sudo certbot --version
certbot 0.28.0

_az · January 20, 2019, 12:53am

Another place the preference may come from is cli.ini, if it exists.

By default, the following locations are searched:

/etc/letsencrypt/cli.ini

$XDG_CONFIG_HOME/letsencrypt/cli.ini (or ~/.config/letsencrypt/cli.ini if $XDG_CONFIG_HOME is not set).

Does anything at all mention it in the directory?

grep -RE "(pref_challs|challenges)" /etc/letsencrypt/

Something that might help is running the dry-run with -vvv. If you have a config file set somewhere, it will spit out (early on):

Var pref_challs=tls-sni-01 (set by user).
Var dry_run=True (set by user).

and I'd double check that all of your Certbot packages are in sync with respect to version:

dpkg --list | grep -E "python.?-certbot"

abirkill · January 20, 2019, 1:17am

Thanks very much for your help, that’s fixed it! The packages were out of sync!

For anyone else who has this problem, firstly I checked my cli.ini file, which didn’t mention anything relevant:

$ cat /etc/letsencrypt/cli.ini
# Because we are using logrotate for greater flexibility, disable the
# internal certbot logrotation.
max-log-backups = 0

There were no cli.ini files in the other locations mentioned.

There were no matches for:

$ sudo grep -RE "(pref_challs|challenges)" /etc/letsencrypt/

The only variables that -vvv appears to mention were:

Var dry_run=True (set by user).
Var server={'dry_run', 'staging'} (set by user).
Var account={'server'} (set by user).

However, the final suggestion of using dpkg to check that the other certbot packages were in sync did show that there were mismatches:

$ dpkg --list | grep -E "python.?-certbot"
ii  python-certbot-nginx             0.25.0-2+ubuntu14.04.1+certbot+1           all          transitional dummy package
ii  python3-certbot                  0.28.0-1+ubuntu14.04.1+certbot+4           all          main library for certbot
ii  python3-certbot-nginx            0.22.0-1+ubuntu14.04.1+certbot+2           all          Nginx plugin for Certbot

I upgraded the outdated packages:

$ sudo apt-get install python3-certbot-nginx
$ sudo apt-get install python-certbot-nginx

Which fixed the dpkg output to look correct:

$ dpkg --list | grep -E "python.?-certbot"
ii  python-certbot-nginx             0.28.0-1+ubuntu14.04.1+certbot+3           all          transitional dummy package
ii  python3-certbot                  0.28.0-1+ubuntu14.04.1+certbot+4           all          main library for certbot
ii  python3-certbot-nginx            0.28.0-1+ubuntu14.04.1+certbot+3           all          Nginx plugin for Certbot

And now running sudo certbot renew --dry-run shows all challenges being made using http-01, as I’d expect.

Thanks again, _az!

system · February 19, 2019, 1:17am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Trouble renewing using HTTP-01 when last use TLS-SNI-01 Help	6	837	February 20, 2019
Am I OK with TLS-SNI-01? Help	3	586	April 4, 2019
[solved?] Clarification on ACME TLS-SNI-01 sunset Help	2	573	February 25, 2019
Certbot 0.29 tls-sni-01 Help	3	1241	February 22, 2019
TLS-SNI-01 email may have been sent to people who already upgraded Server	11	1146	February 28, 2019

Upgraded certbot renew --dry-run shows it still using tls-sni-01 unless overridden

Related topics