DigitalOcean Kubernetes: new control plane is faster and free, enable HA for 99.95% uptime SLA

Related

Installing PHP-FPM with Apache2 on Ubuntu 12.10
Question
Ubuntu mail server using ISPConfig 3 setup errors
Question

Question

Let's Encrypt ACME TLS-SNI-01 end of life

I received this email today and wanted to know what I should do, server wise.

Hello,

Action is required to prevent your Let’s Encrypt certificate renewals from breaking.

Your Let’s Encrypt client used ACME TLS-SNI-01 domain validation to issue a certificate in the past 60 days.

TLS-SNI-01 validation is reaching end-of-life and will stop working on February 13th, 2019.

You need to update your ACME client to use an alternative validation method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your certificate renewals will break and existing certificates will start to expire.

If you need help updating your ACME client, please open a new topic in the Help category of the Let’s Encrypt community forum:

https://community.letsencrypt.org/c/help

Please answer all of the questions in the topic template so we can help you.

For more information about the TLS-SNI-01 end-of-life please see our API announcement:

https://community.letsencrypt.org/t/february-13-2019-end-of-life-for-all-tls-sni-01-validation-support/74209

Thank you, Let’s Encrypt Staff

Subscribe
Share
mgnyiJanuary 31, 2019

sed: couldn’t edit /etc/letsencrypt/renewal/systemctl start nginx: not a regular file

i got above error message when i run this

sh -c "sed -i.bak -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/g' /etc/letsencrypt/renewal/*; rm -f /etc/letsencrypt/renewal/*.bak"

how should i fix it?

Sam1012January 27, 2019

This comment has been deleted

Submit an answer
You can type!ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Amin AkbariJanuary 18, 2019
Accepted Answer

I believe you do not have to do anything if you are using “python-certbot-apache” package to automatically renew the certificates. Do the following in order to see if it uses “tls-sni-01” or “http-01” to renew your certificates. If it uses “http-01” you are all fine.

$ sudo certbot renew --dry-run

If the dry run is successful, you do not have to do anything. If not, just update your packages and it would probably use “http-01” to update your certificates automatically.

$ sudo apt-get update

$ sudo apt-get upgrade

After executing the above, run the dry run again to see if it works correctly.

marek01March 13, 2019

I had the same issue, updating and messing up with config file did not work for me. All I needed to do is update my certbot as outlined in https://certbot.eff.org/lets-encrypt/ubuntutrusty-apache I just run the following commands:

$ sudo apt-get update $ sudo apt-get install software-properties-common $ sudo add-apt-repository universe $ sudo add-apt-repository ppa:certbot/certbot $ sudo apt-get update $ sudo apt-get install certbot python-certbot-apache

and skipped the Installing DNS plugins part as I was afraid it would mess up my configuration.

After that, I removed any explicit references to tls-sni-01 in my renewal configuration using:

sudo sh -c “sed -i.bak -e ‘s/^(pref_challs.)tls-sni-01(.)/\1http-01\2/g’ /etc/letsencrypt/renewal/; rm -f /etc/letsencrypt/renewal/.bak”

as explained here:

https://community.letsencrypt.org/t/how-to-stop-using-tls-sni-01-with-certbot/83210

Run sudo certbot renew --dry-run

and it worked like charm.

It took me a couple of hours of searching for the right solution and once I found it 5 min to fix it Hope that it’ll save someone some time. Cheers!

Ajay ThakurJanuary 31, 2019

I got an error that is Attempting to renew cert (www.mysite.com) from /etc/letsencrypt/renewal/www.mysite.com.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6… Skipping. All renewal attempts failed. The following certs could not be renewed: /etc/letsencrypt/live/www.mysite.com/fullchain.pem (failure). what should I do?

ZAuthorJanuary 27, 2019

I am good right?

[~# sudo certbot renew --dry-run Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/mydomainname.com.conf

Cert not due for renewal, but simulating renewal for dry run Plugins selected: Authenticator apache, Installer apache Renewing an existing certificate Performing the following challenges: http-01 challenge for mydomainname.com http-01 challenge for www.mydomainname.com Waiting for verification… Cleaning up challenges

new certificate deployed with reload of apache server; fullchain is /etc/letsencrypt/live/mydomainname.com/fullchain.pem

** DRY RUN: simulating ‘certbot renew’ close to cert expiry ** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed: /etc/letsencrypt/live/mydomainname.com/fullchain.pem (success) ** DRY RUN: simulating ‘certbot renew’ close to cert expiry ** (The test certificates above have not been saved.)

]

QararJanuary 23, 2019

When i renew i am getting this message

DRY RUN: simulating ‘certbot renew’ close to cert expiry what is it mean?

Join the DigitalOcean CommunityCommunity

Join 1M+ other developers and:

  • Get help and share knowledge in Q&A
  • Subscribe to topics of interest
  • Get courses & tools that help you grow as a developer or small business owner

Related

Installing PHP-FPM with Apache2 on Ubuntu 12.10
Question
Ubuntu mail server using ISPConfig 3 setup errors
Question
Join the DigitalOcean CommunityCommunity

Join 1M+ other developers and:

  • Get help and share knowledge in Q&A
  • Subscribe to topics of interest
  • Get courses & tools that help you grow as a developer or small business owner