Let's Encrypt says that:

Hello,

**Action is required to prevent your Let's Encrypt certificate renewals from breaking.**

Your Let’s Encrypt client used ACME TLS-SNI-01 domain validation to issue a certificate in the past 60 days.

TLS-SNI-01 validation is reaching end-of-life and will stop working on **February 13th, 2019.**

You need to update your ACME client to use an alternative validation method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your certificate renewals will break and existing certificates will start to expire.

If you need help updating your ACME client, please open a new topic in the Help category of the Let's Encrypt community forum:

https://community.letsencrypt.org/c/help

Please answer all of the questions in the topic template so we can help you.

For more information about the TLS-SNI-01 end-of-life please see our API announcement:

https://community.letsencrypt.org/t/february-13-2019-end-of-life-for-all-tls-sni-01-validation-support/74209

Thank you,
Let's Encrypt Staff

Is there an upgrade in the repos?
Friday, January 18 2019, 01:00 PM
Responses (21)
  • Wednesday, March 20 2019, 08:27 AM
    @Tony, ...... so now when you request a new certificate you'll get an Oooops, but not when you renew. See this thread.
  • Wednesday, March 20 2019, 12:16 AM
    Just to confirm that automatic updates with certbot-0.31.0-2.el7.noarch work OK here.
    yum log:

    [root@alice log]# grep certbot yum* | sort
    yum.log-20190101:Feb 24 13:05:40 Installed: python2-certbot-0.21.1-1.el7.noarch
    yum.log-20190101:Feb 24 13:05:49 Installed: certbot-0.21.1-1.el7.noarch
    yum.log-20190101:Oct 18 07:42:58 Updated: python2-certbot-0.27.1-1.el7.noarch
    yum.log-20190101:Oct 18 07:43:08 Updated: certbot-0.27.1-1.el7.noarch
    yum.log:Mar 06 08:21:51 Updated: python2-certbot-0.31.0-2.el7.noarch
    yum.log:Mar 06 08:22:00 Updated: certbot-0.31.0-2.el7.noarch

    Successful update early this morning, 30 days before expiry...

    -rw-r--r-- 1 root root 32054 Mar 20 04:21 letsencrypt.log
  • Friday, March 15 2019, 08:25 AM
    Did you create then delete a certificate 71 days ago? If so, it is probably referring to that one, even if you then re-created it with the same domain.
  • nuke, Friday, March 15 2019, 02:03 AM
    Nick Howitt wrote:

    A renewal check takes place every night. Have a look in /var/log/letsencrypt/. Actual renewals are attempted nightly from 30 days to expiry. If you have set up any test/dummy certificates then deleted them, I believe you will still get renewal e-mails from Let's Encrypt and you have to ignore them. You can see the expiry dates of any current manager in the Webconfig Let's Encrypt landing page.


    Hmmm.

    The log says no renewal necessary.

    2019-03-14 04:15:09,863:DEBUG:certbot.main:certbot version: 0.31.0
    2019-03-14 04:15:09,863:DEBUG:certbot.main:Arguments: ['--standalone', '--preferred-challenges', 'http-01']
    2019-03-14 04:15:09,863:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
    2019-03-14 04:15:12,621:DEBUG:certbot.log:Root logging level set at 20
    2019-03-14 04:15:12,621:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2019-03-14 04:15:12,667:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer <certbot.cli._Default object at 0x7f30652e1310>
    2019-03-14 04:15:12,667:DEBUG:certbot.cli:Var pref_challs=http-01 (set by user).
    2019-03-14 04:15:12,668:DEBUG:certbot.cli:Var authenticator=standalone (set by user).
    2019-03-14 04:15:12,679:INFO:certbot.renewal:Cert not yet due for renewal
    2019-03-14 04:15:12,679:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer None
    2019-03-14 04:15:12,683:DEBUG:certbot.cli:Var pref_challs=http-01 (set by user).
    2019-03-14 04:15:12,683:DEBUG:certbot.cli:Var authenticator=standalone (set by user).
    2019-03-14 04:15:12,702:INFO:certbot.renewal:Cert not yet due for renewal
    2019-03-14 04:15:12,703:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer None
    2019-03-14 04:15:12,703:DEBUG:certbot.renewal:no renewal failures


    Strange that I got an email for a renewal but the log says no renewal necessary. I went back 3 days (covers off when the renewal email came in) but no notice of actual renewal happening. <confused>
  • Thursday, March 14 2019, 08:20 AM
    A renewal check takes place every night. Have a look in /var/log/letsencrypt/. Actual renewals are attempted nightly from 30 days to expiry. If you have set up any test/dummy certificates then deleted them, I believe you will still get renewal e-mails from Let's Encrypt and you have to ignore them. You can see the expiry dates of any current manager in the Webconfig Let's Encrypt landing page.
  • nuke, Thursday, March 14 2019, 12:47 AM
    Nick Howitt wrote:

    It looks like the community version went to certbot 0.31 in the last few days anyway. I don't know when the Business version will follow.


    I noticed that too.

    BTW, today I got the reminder from Let's Encrypt.

    Your certificate (or certificates) for the names listed below will expire in 19 days (on 02 Apr 19 16:00 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.

    We recommend renewing certificates automatically when they have a third of their
    total lifetime left. For Let's Encrypt's current 90-day certificates, that means
    renewing 30 days before expiration. See
    https://letsencrypt.org/docs/integration-guide/ for details.


    Do you have an idea when the renewal is to take place? I can't find an option in the GUI and haven't looked at the config files yet. But now it's on my list of things to check.
  • Friday, March 08 2019, 08:04 AM
    It looks like the community version went to certbot 0.31 in the last few days anyway. I don't know when the Business version will follow.
  • nuke, Friday, March 08 2019, 01:04 AM
    Nick Howitt wrote:

    @Nuke,
    One of my certificates renewed successfully last night. Have yours renewed OK yet?


    Hi Nick,

    sorry for the long delay in answering. I did a full reinstall and created new certificates and they haven't gotten around to renewing so far. I think it will be OK. I'll let you know when it updates.
  • Saturday, February 16 2019, 12:42 PM
    @Nuke,
    One of my certificates renewed successfully last night. Have yours renewed OK yet?
  • Sunday, February 03 2019, 10:20 PM
    There isn't a service. It runs under cron (/etc/cron.d/app-lets-encrypt).
  • nuke, Sunday, February 03 2019, 09:54 PM
    Hi Nick.

    I added the HTTP-01 line.

    Since I'm now using the Let's Encrypt application, how do you restart it to take into account the new config file?

    I can't find a service that is enabled for Let's Encrypt ... but that could be due to a PEBCAK. :-)
  • Thursday, January 31 2019, 08:21 AM
    nuke wrote:
    <snip>
    and ran
    sudo sh -c "sed -i.bak -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/g' /etc/letsencrypt/renewal/*; rm -f /etc/letsencrypt/renewal/*.bak"


    I believe this completely removed the line "pref_challs" from the conf file.

    That line does not delete the line, it just changes the value from "tls-sni-01" to "http-01".
    If the line is missing for you, was yours a legacy set up from before the Let's Encrypt app days?

    Looking at the certbot changelog, 0.28 does not add anything particularly relevant but changes to "Stop preferring TLS-SNI in the Apache, Nginx, and standalone plugins". In our configs we seem to already prefer http-01 so it may not be an issue.

    Please can you just add the missing line in your config, keep the current certbot-0.27 and see if the warning stops?

    I have alerted the devs and they are keeping an eye on this thread.
  • Thursday, January 31 2019, 02:02 AM
    Nuke - my two v. 7.5 systems with lets-encrypt have the same "pref_challs" line in the .conf file as Nick posted. Did you try adding it to yours?
  • nuke, Thursday, January 31 2019, 01:25 AM
    Nick Howitt wrote:

    This is weird as my logs "seem" to indicate that although tls-sni-01 is allowed, http-01 is being used. Do you even have a pref_challs line in your conf file?


    Nick,
    When I got the email I followed the instructions on link How to stop using tls-sni-01

    and ran
    sudo sh -c "sed -i.bak -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/g' /etc/letsencrypt/renewal/*; rm -f /etc/letsencrypt/renewal/*.bak"


    I believe this completely removed the line "pref_challs" from the conf file. That is likely why I don't have one anymore.

    In any case, I still got the warning after doing these changes and the notice that Feb 13 all code prior to 0.28 is end of life and won't work. :(

    I guess I'll try 0.29 in a week if there is no update forthcoming through the regular channels. I don't want it to crap out while I'm on the road.
  • Tuesday, January 29 2019, 08:19 AM
    This is weird as my logs "seem" to indicate that although tls-sni-01 is allowed, http-01 is being used. Do you even have a pref_challs line in your conf file? One of my files looks like:
    # renew_before_expiry = 30 days
    version = 0.27.1
    archive_dir = /etc/letsencrypt/archive/test1.howitts.co.uk
    cert = /etc/letsencrypt/live/test1.mydomain.co.uk/cert.pem
    privkey = /etc/letsencrypt/live/test1.mydomain.co.uk/privkey.pem
    chain = /etc/letsencrypt/live/test1.mydomain.co.uk/chain.pem
    fullchain = /etc/letsencrypt/live/test1.mydomain.co.uk/fullchain.pem

    # Options used in the renewal process
    [renewalparams]
    authenticator = standalone
    account = *munged*
    renew_hook = /sbin/trigger lets_encrypt
    pref_challs = http-01,
    server = https://acme-v02.api.letsencrypt.org/directory


    Anyway, if you want to try certbot-0.29, you can do a:
    yum update certbot --enablerepo=epel-unverified
  • nuke, Tuesday, January 29 2019, 02:36 AM
    Nick Howitt wrote:

    Hi Nuke,
    Can I ask where you are seeing the message?


    Hi Nick,

    I am receiving an email sent to the email used when I set up the account. It is very similar in content to what @Alonso wrote above.

    Here it is in its entirety.

    Hello,

    Action may be required to prevent your Let's Encrypt certificate renewals
    from breaking.

    If you already received a similar e-mail, this one contains updated
    information.

    Your Let's Encrypt client used ACME TLS-SNI-01 domain validation to issue
    a certificate in the past 60 days. Below is a list of names and IP
    addresses validated (max of one per account):

    mydomain.tld (IP Address) on 2019-01-02
    mydomain.tld (IP Address) on 2019-01-02

    TLS-SNI-01 validation is reaching end-of-life. It will stop working
    temporarily on February 13th, 2019, and permanently on March 13th, 2019.
    Any certificates issued before then will continue to work for 90 days
    after their issuance date.

    You need to update your ACME client to use an alternative validation
    method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your
    certificate renewals will break and existing certificates will start to
    expire.

    Our staging environment already has TLS-SNI-01 disabled, so if you'd like
    to test whether your system will work after February 13, you can run
    against staging: https://letsencrypt.org/docs/staging-environment/

    If you're a Certbot user, you can find more information here:
    https://community.letsencrypt.org/t/how-to-stop-using-tls-sni-01-with-certbot/83210

    Our forum has many threads on this topic. Please search to see if your
    question has been answered, then open a new thread if it has not:
    https://community.letsencrypt.org/

    For more information about the TLS-SNI-01 end-of-life please see our API
    announcement:
    https://community.letsencrypt.org/t/february-13-2019-end-of-life-for-all-tls-sni-01-validation-support/74209

    Thank you,
    Let's Encrypt Staff


    If you follow the link, you will see that everything prior to version 0.27 has an issue.

    Have you checked your conf files in /etc/letsencrypt/renewal to make sure they do not have:
    pref_challs = tls-sni-01,
    If you do have "tls-sni-01", you can run the scriptlet from the post you linked to or just manually change the lines to:
    pref_challs = http-01,
    I'd appreciate it if you could post back and I will escalate to the devs accordingly. It could be that certbot-0.27 is fine and just a change to the .conf files is needed. That could be done through app-lets-encrypt.


    Neither site has "pref_challs = tls-sni-01". I have run the script from the Let's Encrypt site to remove all those in the past days. But I received the notice above again overnight.

    Nuke.
  • Monday, January 28 2019, 08:35 AM
    Hi Nuke,
    Can I ask where you are seeing the message? My certificate last renewed on 3rd Jan and it renewed OK and the renewal log looks clean using certbot-0.27.

    Have you checked your conf files in /etc/letsencrypt/renewal to make sure they do not have:
    pref_challs = tls-sni-01,
    If you do have "tls-sni-01", you can run the scriptlet from the post you linked to or just manually change the lines to:
    pref_challs = http-01,
    I'd appreciate it if you could post back and I will escalate to the devs accordingly. It could be that certbot-0.27 is fine and just a change to the .conf files is needed. That could be done through app-lets-encrypt.
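    The check Nick asks for above (look through /etc/letsencrypt/renewal for a "pref_challs = tls-sni-01," line) and the sed rewrite nuke ran earlier in the thread, done as a small Python audit. This is an added example, not code from the thread, from ClearOS or from certbot. It parses each renewal conf with its own loop (the stdlib configparser rejects the header-less lines at the top of these files), and it goes a little beyond the thread's grep in two ways: a file with no pref_challs line at all, which is what nuke reports, is flagged as "unset" rather than "ok", because the challenge is then picked by the authenticator plugin's default and the file itself gives no assurance; and when rewriting, a list such as "tls-sni-01,http-01," is de-duplicated to "http-01," where the sed would produce "http-01,http-01,". The sample conf is constructed, modelled on the one Nick posted, with placeholder paths and account id.

```python
"""Audit certbot renewal confs (/etc/letsencrypt/renewal/*.conf) for tls-sni-01.

Added example; not code from the thread, ClearOS or certbot.
"""
import re
from pathlib import Path

DEPRECATED = "tls-sni-01"
REPLACEMENT = "http-01"
SECTION_RE = re.compile(r"^\[(.+)\]$")


def parse_renewal_conf(text):
    """'key = value' lines keyed by (section, key); lines above the first [section]
    are stored under the empty section name. Comments and blanks are skipped."""
    section = ""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip()
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[(section, key.strip())] = value.strip()
    return params


def preferred_challenges(text):
    """The pref_challs list (certbot writes it with a trailing comma), or None if absent."""
    value = parse_renewal_conf(text).get(("renewalparams", "pref_challs"))
    if value is None:
        return None
    return [c.strip() for c in value.split(",") if c.strip()]


def audit(text):
    """'deprecated' if tls-sni-01 is listed, 'ok' if a list is set without it,
    'unset' if there is no pref_challs line (challenge left to the plugin default)."""
    challs = preferred_challenges(text)
    if challs is None:
        return "unset"
    return "deprecated" if DEPRECATED in challs else "ok"


def rewrite(text):
    """Swap tls-sni-01 for http-01 on the pref_challs line, like the sed in the thread,
    but de-duplicated; every other line passes through unchanged."""
    out = []
    for line in text.splitlines(keepends=True):
        if line.lstrip().startswith("pref_challs"):
            key, _, value = line.partition("=")
            kept = []
            for c in value.split(","):
                c = c.strip()
                if c == DEPRECATED:
                    c = REPLACEMENT
                if c and c not in kept:
                    kept.append(c)
            line = "%s= %s,\n" % (key, ",".join(kept))
        out.append(line)
    return "".join(out)


def audit_dir(directory):
    """{filename: verdict} for every *.conf under a renewal directory."""
    return {p.name: audit(p.read_text()) for p in sorted(Path(directory).glob("*.conf"))}


# Constructed sample modelled on the conf posted in the thread; paths and account are placeholders.
SAMPLE_DEPRECATED = """\
# renew_before_expiry = 30 days
version = 0.27.1
archive_dir = /etc/letsencrypt/archive/example.test
cert = /etc/letsencrypt/live/example.test/cert.pem
privkey = /etc/letsencrypt/live/example.test/privkey.pem

# Options used in the renewal process
[renewalparams]
authenticator = standalone
account = PLACEHOLDER_ACCOUNT_ID
renew_hook = /sbin/trigger lets_encrypt
pref_challs = tls-sni-01,http-01,
server = https://acme-v02.api.letsencrypt.org/directory
"""

# Same constructed file with the pref_challs line missing, as nuke reports for his.
SAMPLE_UNSET = SAMPLE_DEPRECATED.replace("pref_challs = tls-sni-01,http-01,\n", "")

if __name__ == "__main__":
    print("deprecated.conf:", audit(SAMPLE_DEPRECATED))  # deprecated
    print("unset.conf:", audit(SAMPLE_UNSET))            # unset
    print(rewrite(SAMPLE_DEPRECATED))                     # pref_challs = http-01,
```

    Run audit_dir("/etc/letsencrypt/renewal") as root to get a verdict per file; only apply rewrite() to files the audit reports as "deprecated", and keep the certbot-managed layout (one key per line, trailing comma on pref_challs) so certbot's own parser still accepts the result.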
  • nuke, Sunday, January 27 2019, 10:58 PM
    Hi Nick,

    I finally got around to migrating to the COS7 version of certbot & let's encrypt. Your help was appreciated very much! The transition was easy!

    I was finally forced to do the migration because I got the same message as @Alonso.

    It appears from the forum that this is an issue with certbot < 0.28.

    So I think the version of certbot in COS7 needs an update. Let's Encrypt Update Notice

    You mention that we are a few versions back. Is there a chance this can be updated by the Feb 13 expiry?

    Thanks again for all your help!
  • Friday, January 18 2019, 06:07 PM
    OK, so if you follow one of the links you gave and go to their forum there are plenty of posts saying what to search for in your configuration files which may be causing it. Have you tried that?
  • Friday, January 18 2019, 03:12 PM
    certbot-0.27.1-1.el7.noarch
  • Friday, January 18 2019, 01:37 PM
    Hello Alonso,
    If your report is correct, it looks worrying, but I'm not sure about it. If I look at a renewal log (one of the larger ones) in /var/log/letsencrypt, I see:
    2019-01-03 04:15:16,076:DEBUG:certbot.main:certbot version: 0.27.1
    2019-01-03 04:15:16,076:DEBUG:certbot.main:Arguments: ['--standalone', '--max-log-backups', '200', '--preferred-challenges', 'http-01', '--renew-hook', '/sbin/trigger lets_encrypt']
    2019-01-03 04:15:16,076:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
    2019-01-03 04:15:16,088:DEBUG:certbot.log:Root logging level set at 20
    2019-01-03 04:15:16,088:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2019-01-03 04:15:16,097:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer <certbot.cli._Default object at 0x7f822644bdd0>
    2019-01-03 04:15:16,097:DEBUG:certbot.cli:Var pref_challs=http-01 (set by user).
    2019-01-03 04:15:16,097:DEBUG:certbot.cli:Var authenticator=standalone (set by user).
    2019-01-03 04:15:16,097:DEBUG:certbot.cli:Var renew_hook=/sbin/trigger lets_encrypt (set by user).
    2019-01-03 04:15:16,105:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2019-02-02 03:15:20 UTC.
    2019-01-03 04:15:16,105:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...
    2019-01-03 04:15:16,105:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer None
    2019-01-03 04:15:16,128:DEBUG:certbot.plugins.selection:Single candidate plugin: * standalone
    Description: Spin up a temporary webserver
    Interfaces: IAuthenticator, IPlugin
    Entry point: standalone = certbot.plugins.standalone:Authenticator
    Initialized: <certbot.plugins.standalone.Authenticator object at 0x7f8226444510>
    Prep: True
    2019-01-03 04:15:16,129:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.standalone.Authenticator object at 0x7f8226444510> and installer None
    2019-01-03 04:15:16,129:INFO:certbot.plugins.selection:Plugins selected: Authenticator standalone, Installer None
    2019-01-03 04:15:16,143:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, terms_of_service_agreed=None, agreement=u'https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf', only_return_existing=None, contact=(u'mailto:admin@howitts.co.uk',), key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7f822920c1d0>)>)), uri=u'https://acme-v01.api.letsencrypt.org/acme/reg/6460667', new_authzr_uri=u'https://acme-v01.api.letsencrypt.org/acme/new-authz', terms_of_service=u'https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf'), cf439490dcaac9f9eb732d3f461a47bd, Meta(creation_host=u'server.howitts.co.uk', creation_dt=datetime.datetime(2016, 11, 22, 18, 7, 44, tzinfo=<UTC>)))>
    2019-01-03 04:15:16,148:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
    2019-01-03 04:15:16,153:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
    2019-01-03 04:15:16,398:DEBUG:requests.packages.urllib3.connectionpool:"GET /directory HTTP/1.1" 200 658
    2019-01-03 04:15:16,399:DEBUG:acme.client:Received response:
    <snip>
    Isn't this using HTTP-01? See lines 2 and 7 of the log.

    What version of certbot are you running ("rpm -q certbot")? The current ClearOS version is certbot-0.27.1-1.el7.noarch which is a couple of point releases behind the EPEL version.
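    To settle the two questions the logs in this thread keep raising ("is it really using http-01?", as in this post, and "did it renew or not?", as in nuke's "no renewal necessary" log higher up), here is an added Python summariser for lines from /var/log/letsencrypt/letsencrypt.log. It is not code from the thread, from ClearOS or from certbot. It assumes only the "timestamp:LEVEL:logger:message" line layout visible in the logs above; it pulls the certbot version, the challenge preference (from the Arguments line or the later "Var pref_challs=" line), counts "due" against "not yet due" decisions, records the expiry quoted on the "Should renew" line and the "no renewal failures" marker, and, because the log accumulates night after night, can isolate the last run. Lines without a timestamp (the multi-line plugin description) are skipped rather than mis-parsed. The embedded samples are trimmed copies of the two logs posted in the thread.

```python
"""Summarise one certbot run from letsencrypt.log lines.

Added example; not code from the thread, ClearOS or certbot.
"""
import re

# certbot log line: "<date> <time>,<ms>:<LEVEL>:<logger>:<message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}):(?P<level>[A-Z]+):(?P<logger>[^:]+):(?P<msg>.*)$"
)
PREF_RE = re.compile(r"Var pref_challs=(\S+) \(set by user\)")
ARGS_RE = re.compile(r"'--preferred-challenges', '([^']+)'")
SHOULD_RENEW_RE = re.compile(r"Should renew, less than (\d+) days before certificate expiry (.+ UTC)")
DEPRECATED = "tls-sni-01"


def parse_line(line):
    """Fields of one log line, or None for continuation lines that carry no timestamp."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def last_run(lines):
    """Keep only the lines from the final 'certbot version:' banner onwards."""
    start = 0
    for i, line in enumerate(lines):
        rec = parse_line(line)
        if rec and rec["msg"].startswith("certbot version: "):
            start = i
    return lines[start:]


def summarize(lines):
    """Version, challenge preference and renewal outcome for the lines of one run."""
    summary = {
        "version": None,
        "challenges": [],       # preference list as certbot logged it
        "uses_tls_sni": False,  # True if tls-sni-01 appears in that list
        "due": 0,               # certificates certbot decided to renew
        "not_due": 0,           # certificates skipped as not yet due
        "expiry": None,         # expiry quoted on the "Should renew" line
        "failures": None,       # 0 once "no renewal failures" is seen, else None
    }
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        msg = rec["msg"]
        if msg.startswith("certbot version: "):
            summary["version"] = msg.split(": ", 1)[1].strip()
        m = PREF_RE.search(msg) or ARGS_RE.search(msg)
        if m and not summary["challenges"]:
            summary["challenges"] = [c for c in m.group(1).split(",") if c]
        if "Cert is due for renewal" in msg:
            summary["due"] += 1
        elif "Cert not yet due for renewal" in msg:
            summary["not_due"] += 1
        m = SHOULD_RENEW_RE.search(msg)
        if m:
            summary["expiry"] = m.group(2)
        if msg.strip() == "no renewal failures":
            summary["failures"] = 0
    summary["uses_tls_sni"] = DEPRECATED in summary["challenges"]
    return summary


# Trimmed copy of nuke's 2019-03-14 log from the thread: two certs, neither due.
SAMPLE_NOT_DUE = """\
2019-03-14 04:15:09,863:DEBUG:certbot.main:certbot version: 0.31.0
2019-03-14 04:15:09,863:DEBUG:certbot.main:Arguments: ['--standalone', '--preferred-challenges', 'http-01']
2019-03-14 04:15:12,667:DEBUG:certbot.cli:Var pref_challs=http-01 (set by user).
2019-03-14 04:15:12,679:INFO:certbot.renewal:Cert not yet due for renewal
2019-03-14 04:15:12,702:INFO:certbot.renewal:Cert not yet due for renewal
2019-03-14 04:15:12,703:DEBUG:certbot.renewal:no renewal failures
"""

# Trimmed copy of Nick's 2019-01-03 log from the thread: one cert due, plugin description spills
# onto an untimestamped continuation line.
SAMPLE_DUE = """\
2019-01-03 04:15:16,076:DEBUG:certbot.main:certbot version: 0.27.1
2019-01-03 04:15:16,076:DEBUG:certbot.main:Arguments: ['--standalone', '--max-log-backups', '200', '--preferred-challenges', 'http-01', '--renew-hook', '/sbin/trigger lets_encrypt']
2019-01-03 04:15:16,097:DEBUG:certbot.cli:Var pref_challs=http-01 (set by user).
2019-01-03 04:15:16,105:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2019-02-02 03:15:20 UTC.
2019-01-03 04:15:16,105:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...
2019-01-03 04:15:16,128:DEBUG:certbot.plugins.selection:Single candidate plugin: * standalone
Description: Spin up a temporary webserver
"""

if __name__ == "__main__":
    with open("/var/log/letsencrypt/letsencrypt.log") as fh:
        print(summarize(last_run(fh.readlines())))
```

    A summary with uses_tls_sni False and failures 0 is the evidence Nick is pointing at in lines 2 and 7 of his log; due 0 with not_due above 0, as in nuke's run, means the nightly cron job ran and simply had nothing to do yet, which is consistent with the reminder e-mail arriving before the 30-day renewal window opens.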