Your Let’s Encrypt client used ACME TLS-SNI-01


I am running a self-managed remote Debian Stretch server. I’m not a tech guy, so I’m sorry if I’m asking basic stuff. I got today an e-mail from Let’s Encrypt Staff saying:

Your Let’s Encrypt client used ACME TLS-SNI-01 domain validation to issue a certificate in the past 60 days.

I originally installed “certbot” using this command:

apt-get -y install python-certbot-apache

From what I understand by browsing these forums (by the way, your official topic “End-of-Life for All TLS-SNI-01 Validation Support” is UTTERLY USELESS…), there are 2 solutions:

  1. upgrading “certbot” to version 0.28.0+
  2. keeping current version of “certbot”, but adding the parameter --preferred-challenges http-01,dns-01

I tried both of those solutions, but none worked:

  1. there is no version 0.28.0+ of “python-certbot-apache” in the official Debian Stretch repositories:

    apt-cache policy python-certbot-apache
    Installed: 0.10.2-1
    Candidate: 0.10.2-1
    Version table:
    *** 0.10.2-1 500
    500 stretch/main amd64 Packages
    100 /var/lib/dpkg/status

  2. the parameter --preferred-challenges with my current version of “certbot” gives the following error:

    certbot renew --dry-run --preferred-challenges http-01,dns-01
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Cert not due for renewal, but simulating renewal for dry run
    Renewing an existing certificate
    Performing the following challenges:
    Attempting to renew cert from /etc/letsencrypt/renewal/[MY-DOMAIN-HERE].conf produced an unexpected error: None of the preferred challenges are supported by the selected plugin. Skipping.

Can you help me please? My current Debian Stretch repositories are:

deb stretch main contrib non-free
deb-src stretch main contrib non-free

deb stretch/updates main contrib non-free
deb-src stretch/updates main contrib non-free

deb stretch-updates main contrib non-free
deb-src stretch-updates main contrib non-free

Can you paste the /etc/letsencrypt/renewal/ file?

Here is my renewal file. I obfuscated my domain name and my account number. I hope it’s all right with you:

# renew_before_expiry = 30 days
version = 0.10.2
archive_dir = /etc/letsencrypt/archive/[MY-DOMAIN-HERE]
cert = /etc/letsencrypt/live/[MY-DOMAIN-HERE]/cert.pem
privkey = /etc/letsencrypt/live/[MY-DOMAIN-HERE]/privkey.pem
chain = /etc/letsencrypt/live/[MY-DOMAIN-HERE]/chain.pem
fullchain = /etc/letsencrypt/live/[MY-DOMAIN-HERE]/fullchain.pem

# Options used in the renewal process
authenticator = apache
installer = apache
account = [MY-ACCOUNT-HERE]

On an old version of Certbot, you can follow these instructions to switch to a different plugin for authentication.

(Replace references to Nginx with Apache.)

Wait, you’re on Debian Stretch.

You can get Certbot 0.28.0 from stretch-backports.

Thank you, merci beaucoup! The stretch-backports repository allowed me to upgrade “python-certbot-apache” to version 0.28.0. Here are the precise steps I used, in case there are other people like me running Debian Stretch:

  1. Edit /etc/apt/sources.list and append line:

deb stretch-backports main

  2. Run:

apt-get -y update

  3. All backports are deactivated by default, so you need to install them manually. For example, to install “python-certbot-apache”:

apt-get -y -t stretch-backports install "python-certbot-apache"

You might get error messages during the execution of the last command, but you can ignore them. Renewing works:

certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/[MY-DOMAIN-HERE]/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
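The thread's fix depends on two facts about each server: the installed certbot version and which authenticator each renewal conf in /etc/letsencrypt/renewal/ uses. The script below is an added example (not code from the thread, from Let's Encrypt or from the certbot project) that reads those conf files and reports which certificates an old certbot would still validate with TLS-SNI-01, using the 0.28.0 threshold the replies above name. It assumes `certbot --version` prints `certbot X.Y.Z`, that only the apache and nginx authenticators need classifying (anything else on an old certbot is reported UNKNOWN for a manual look), and it writes constructed sample conf files into a temporary directory so it runs offline; the EXAMPLE-DOMAIN and EXAMPLE-ACCOUNT-ID values are placeholders.

```shell
#!/bin/sh
# Added example for this thread (not from Let's Encrypt or certbot): scan a
# renewal directory and report TLS-SNI-01 exposure per certificate.
# Assumptions: certbot < 0.28.0 with the apache/nginx authenticator and no
# pref_challs naming http-01 or dns-01 still selects TLS-SNI-01 (the thread's
# threshold); other authenticators on an old certbot are reported UNKNOWN.

# Dotted version -> sortable integer (missing components count as 0).
version_key() {
    printf '%s\n' "$1" | awk -F. '{ printf "%d\n", $1 * 1000000 + $2 * 1000 + $3 }'
}

# version_lt A B: succeeds when A is older than B.
version_lt() {
    [ "$(version_key "$1")" -lt "$(version_key "$2")" ]
}

# First "key = value" line of a renewal conf. Commented keys are skipped
# because "# key" never equals "key".
conf_value() {
    awk -F' *= *' -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# classify_renewal_conf FILE CERTBOT_VERSION -> AT-RISK | OK | UNKNOWN
classify_renewal_conf() {
    auth=$(conf_value "$1" authenticator)
    challs=$(conf_value "$1" pref_challs)
    if ! version_lt "$2" 0.28.0; then
        echo OK      # 0.28.0+ no longer picks TLS-SNI-01 (per the thread)
        return
    fi
    case "$auth" in
        apache|nginx)
            case "$challs" in
                # An explicit http-01/dns-01 preference is recorded; note that very old
                # plugins (0.10.2 in the thread) reject it instead of using TLS-SNI-01.
                *http-01*|*dns-01*) echo OK ;;
                # Old apache/nginx plugin with no preference set: TLS-SNI-01 by default.
                *) echo AT-RISK ;;
            esac ;;
        *) echo UNKNOWN ;;
    esac
}

# scan_renewal_dir DIR CERTBOT_VERSION: one "STATUS<TAB>path" line per conf.
scan_renewal_dir() {
    for f in "$1"/*.conf; do
        [ -e "$f" ] || continue
        printf '%s\t%s\n' "$(classify_renewal_conf "$f" "$2")" "$f"
    done
}

# Constructed sample confs for an offline run (domain and account are placeholders).
write_sample_confs() {
    cat > "$1/old-apache.conf" <<'EOF'
# renew_before_expiry = 30 days
version = 0.10.2
cert = /etc/letsencrypt/live/EXAMPLE-DOMAIN/cert.pem
# Options used in the renewal process
authenticator = apache
installer = apache
account = EXAMPLE-ACCOUNT-ID
EOF
    cat > "$1/apache-http01.conf" <<'EOF'
version = 0.21.0
authenticator = apache
installer = apache
pref_challs = http-01,
EOF
    cat > "$1/webroot.conf" <<'EOF'
version = 0.10.2
authenticator = webroot
EOF
}

# Demo: use the installed certbot version when one is present (assumes the
# "certbot X.Y.Z" output format), otherwise the 0.10.2 from the thread.
installed=$(certbot --version 2>&1 | awk '/^certbot/ { print $2 }')
tmp=$(mktemp -d)
write_sample_confs "$tmp"
scan_renewal_dir "$tmp" "${installed:-0.10.2}"
rm -rf "$tmp"
```

To check a real server, call `scan_renewal_dir /etc/letsencrypt/renewal "$(certbot --version 2>&1 | awk '{print $2}')"` instead of the sample directory; any AT-RISK line is a certificate whose next renewal needs either the backports upgrade described above or a switch of authenticator.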
