HTTPS Certificate: Action required: Upgrade Certbot for Let's Encrypt certificate renewal as ACME TLS-SNI-01
Summary
Received a Notice from Let's Encrypt. Needed to upgrade Certbot
Action may be required to prevent your Let's Encrypt certificate renewals
from breaking.
If you already received a similar e-mail, this one contains updated
information.
Your Let's Encrypt client used ACME TLS-SNI-01 domain validation to issue
a certificate in the past 60 days. Below is a list of names and IP
addresses validated (max of one per account):
[...]
TLS-SNI-01 validation is reaching end-of-life. It will stop working
temporarily on February 13th, 2019, and permanently on March 13th, 2019.
Any certificates issued before then will continue to work for 90 days
after their issuance date.
You need to update your ACME client to use an alternative validation
method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your
certificate renewals will break and existing certificates will start to
expire.
Processes
sudo certbot --version
Ubuntu 18.04: certbot 0.26.1
CentOS 7: certbot 0.27.1
Ubuntu 18.04:
sudo apt install certbot python3-certbot python3-acme python3-certbot-apache
CentOS 7:
sudo yum update certbot python2-certbot-apache python2-certbot python2-acme
sudo certbot --version
Ubuntu 18.04: certbot 0.28.0
CentOS 7: certbot 0.29.1
sudo sh -c "sed -i.bak -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/g' /etc/letsencrypt/renewal/*; rm -f /etc/letsencrypt/renewal/*.bak"
sudo certbot renew --dry-run
[...]
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
[...]
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
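Added example, not part of the original page: the shell functions below list which renewal configs still name tls-sni-01 in pref_challs and apply the same sed substitution only to those files, moving the originals to a backup directory instead of deleting them. The function names, the backup directory and the demo file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit certbot renewal configs for leftover tls-sni-01.
# Function names and the demo file contents are constructed for illustration.

# Print every *.conf in directory $1 whose pref_challs line names tls-sni-01.
# The pattern is anchored like the page's sed, so commented-out lines are ignored.
list_tls_sni() (
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        if grep -Eq '^pref_challs[[:space:]]*=.*tls-sni-01' "$f"; then
            printf '%s\n' "$f"
        fi
    done
)

# Apply the page's sed substitution to the affected files only, moving each
# original into backup directory $2 so the change can be rolled back.
migrate_to_http01() (
    mkdir -p "$2" || exit 1
    list_tls_sni "$1" | while IFS= read -r f; do
        sed -i.bak -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/' "$f" &&
            mv "$f.bak" "$2/$(basename "$f")"
    done
)

# Build a throwaway renewal directory (constructed sample data) and run both steps.
demo() (
    d=$(mktemp -d) || exit 1
    printf '[renewalparams]\nauthenticator = apache\npref_challs = tls-sni-01,\n' > "$d/a.example.conf"
    printf '[renewalparams]\nauthenticator = apache\npref_challs = http-01,\n' > "$d/b.example.conf"
    echo "needs migration:"; list_tls_sni "$d"
    migrate_to_http01 "$d" "$d/backup"
    echo "still on tls-sni-01 after migration: $(list_tls_sni "$d" | wc -l)"
    rm -rf "$d"
)

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Running list_tls_sni against /etc/letsencrypt/renewal before and after the change shows which certificates were affected; an empty result afterwards means no config still requests tls-sni-01.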
How about CentOS 6
#@ref https://certbot.eff.org/lets-encrypt/centos6-apache.html
#
When a renewal is run, an upgrade is also performed if one is available. Because of
/usr/local/bin/certbot/certbot-auto --version
References
https://community.letsencrypt.org/t/certbot-upgrade-not-working/84224
https://community.letsencrypt.org/t/how-to-stop-using-tls-sni-01-with-certbot/83210
Update
- 2019-Feb-12: Update: Ubuntu 18.04: added python3-acme to the sudo apt install command, as a notice was received again. Identified that python3-acme, even though it is required by the other packages, is not installed automatically.