Let's Encrypt says that:
Hello,
**Action is required to prevent your Let's Encrypt certificate renewals from breaking.**
Your Let’s Encrypt client used ACME TLS-SNI-01 domain validation to issue a certificate in the past 60 days.
TLS-SNI-01 validation is reaching end-of-life and will stop working on **February 13th, 2019.**
You need to update your ACME client to use an alternative validation method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your certificate renewals will break and existing certificates will start to expire.
If you need help updating your ACME client, please open a new topic in the Help category of the Let's Encrypt community forum:
https://community.letsencrypt.org/c/help
Please answer all of the questions in the topic template so we can help you.
For more information about the TLS-SNI-01 end-of-life please see our API announcement:
https://community.letsencrypt.org/t/february-13-2019-end-of-life-for-all-tls-sni-01-validation-support/74209
Thank you,
Let's Encrypt Staff
Is there an upgrade in repos?
Accepted Answer
Hello Alonso,
If your report is correct, it looks worrying, but I'm not sure about it. If I look at a renewal log (one of the larger ones) in /var/log/letsencrypt, I see:
```
2019-01-03 04:15:16,076:DEBUG:certbot.main:certbot version: 0.27.1
2019-01-03 04:15:16,076:DEBUG:certbot.main:Arguments: ['--standalone', '--max-log-backups', '200', '--preferred-challenges', 'http-01', '--renew-hook', '/sbin/trigger lets_encrypt']
2019-01-03 04:15:16,076:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-01-03 04:15:16,088:DEBUG:certbot.log:Root logging level set at 20
2019-01-03 04:15:16,088:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-01-03 04:15:16,097:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer <certbot.cli._Default object at 0x7f822644bdd0>
2019-01-03 04:15:16,097:DEBUG:certbot.cli:Var pref_challs=http-01 (set by user).
2019-01-03 04:15:16,097:DEBUG:certbot.cli:Var authenticator=standalone (set by user).
2019-01-03 04:15:16,097:DEBUG:certbot.cli:Var renew_hook=/sbin/trigger lets_encrypt (set by user).
2019-01-03 04:15:16,105:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2019-02-02 03:15:20 UTC.
2019-01-03 04:15:16,105:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...
2019-01-03 04:15:16,105:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer None
2019-01-03 04:15:16,128:DEBUG:certbot.plugins.selection:Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
Initialized: <certbot.plugins.standalone.Authenticator object at 0x7f8226444510>
Prep: True
2019-01-03 04:15:16,129:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.standalone.Authenticator object at 0x7f8226444510> and installer None
2019-01-03 04:15:16,129:INFO:certbot.plugins.selection:Plugins selected: Authenticator standalone, Installer None
2019-01-03 04:15:16,143:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, terms_of_service_agreed=None, agreement=u'https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf', only_return_existing=None, contact=(u'mailto:[email protected]',), key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7f822920c1d0>>), uri=u'https://acme-v01.api.letsencrypt.org/acme/reg/6460667', new_authzr_uri=u'https://acme-v01.api.letsencrypt.org/acme/new-authz', terms_of_service=u'https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf'), cf439490dcaac9f9eb732d3f461a47bd, Meta(creation_host=u'server.howitts.co.uk', creation_dt=datetime.datetime(2016, 11, 22, 18, 7, 44, tzinfo=<UTC>))>
2019-01-03 04:15:16,148:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2019-01-03 04:15:16,153:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
2019-01-03 04:15:16,398:DEBUG:requests.packages.urllib3.connectionpool:"GET /directory HTTP/1.1" 200 658
2019-01-03 04:15:16,399:DEBUG:acme.client:Received response:
<snip>
```
Isn't this using HTTP-01? See lines 2 and 7 of the log.
What version of certbot are you running ("rpm -q certbot")? The current ClearOS version is certbot-0.27.1-1.el7.noarch, which is a couple of point releases behind the EPEL version.
Accepted Answer
Hi Nick,
I finally got around to migrating to the COS7 version of certbot & let's encrypt. Your help was appreciated very much! The transition was easy!
I finally was forced to do the migration because I got the same message as @Alonso.
It appears from the forum that this is an issue with certbot < 0.28.
So I think the version of certbot in COS7 needs an update. Let's Encrypt Update Notice
You mention that we are a few versions back. Is there a chance this can be updated by the Feb 13 expiry?
Thanks again for all your help!
Accepted Answer
Hi Nuke,
Can I ask where you are seeing the message? My certificate last renewed on 3rd Jan and it renewed OK, and the renewal log looks clean using certbot-0.27.
Have you checked your conf files in /etc/letsencrypt/renewal to make sure they do not have:
```
pref_challs = tls-sni-01,
```
If you do have "tls-sni-01", you can run the script from the post you linked to or just manually change the lines to:
```
pref_challs = http-01,
```
I'd appreciate it if you could post back and I will escalate to the devs accordingly. It could be that certbot-0.27 is fine and just a change to the .conf files is needed. That could be done through app-lets-encrypt.
Accepted Answer
Nick Howitt wrote:
Hi Nuke,
Can I ask where you are seeing the message?
Hi Nick,
I am receiving an email sent to the email used when I set up the account. It is very similar in content to what @Alonso wrote above.
Here it is in its entirety.
Hello,
Action may be required to prevent your Let's Encrypt certificate renewals
from breaking.
If you already received a similar e-mail, this one contains updated
information.
Your Let's Encrypt client used ACME TLS-SNI-01 domain validation to issue
a certificate in the past 60 days. Below is a list of names and IP
addresses validated (max of one per account):
mydomain.tld (IP Address) on 2019-01-02
mydomain.tld (IP Address) on 2019-01-02
TLS-SNI-01 validation is reaching end-of-life. It will stop working
temporarily on February 13th, 2019, and permanently on March 13th, 2019.
Any certificates issued before then will continue to work for 90 days
after their issuance date.
You need to update your ACME client to use an alternative validation
method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your
certificate renewals will break and existing certificates will start to
expire.
Our staging environment already has TLS-SNI-01 disabled, so if you'd like
to test whether your system will work after February 13, you can run
against staging: https://letsencrypt.org/docs/staging-environment/
If you're a Certbot user, you can find more information here:
https://community.letsencrypt.org/t/how-to-stop-using-tls-sni-01-with-certbot/83210
Our forum has many threads on this topic. Please search to see if your
question has been answered, then open a new thread if it has not:
https://community.letsencrypt.org/
For more information about the TLS-SNI-01 end-of-life please see our API
announcement:
https://community.letsencrypt.org/t/february-13-2019-end-of-life-for-all-tls-sni-01-validation-support/74209
Thank you,
Let's Encrypt Staff
If you follow the link, you will see that everything prior to version 0.27 has an issue.
Have you checked your conf files in /etc/letsencrypt/renewal to make sure they do not have:
```
pref_challs = tls-sni-01,
```
If you do have "tls-sni-01", you can run the script from the post you linked to or just manually change the lines to:
```
pref_challs = http-01,
```
I'd appreciate it if you could post back and I will escalate to the devs accordingly. It could be that certbot-0.27 is fine and just a change to the .conf files is needed. That could be done through app-lets-encrypt.
Neither site has `pref_challs = tls-sni-01`. I have run the script from the Let's Encrypt site to remove all those in the past days. But I received the notice above again overnight.
Nuke.
Accepted Answer
This is weird as my logs "seem" to indicate that although tls-sni-01 is allowed, http-01 is being used. Do you even have a pref_challs line in your conf file? One of my files looks like:
```
# renew_before_expiry = 30 days
version = 0.27.1
archive_dir = /etc/letsencrypt/archive/test1.howitts.co.uk
cert = /etc/letsencrypt/live/test1.mydomain.co.uk/cert.pem
privkey = /etc/letsencrypt/live/test1.mydomain.co.uk/privkey.pem
chain = /etc/letsencrypt/live/test1.mydomain.co.uk/chain.pem
fullchain = /etc/letsencrypt/live/test1.mydomain.co.uk/fullchain.pem
# Options used in the renewal process
[renewalparams]
authenticator = standalone
account = *munged*
renew_hook = /sbin/trigger lets_encrypt
pref_challs = http-01,
server = https://acme-v02.api.letsencrypt.org/directory
```
Anyway, if you want to try certbot-0.29, you can do a:
```
yum update certbot --enablerepo=epel-unverified
```
Accepted Answer
Nick Howitt wrote:
This is weird as my logs "seem" to indicate that although tls-sni-01 is allowed, http-01 is being used. Do you even have a pref_challs line in your conf file?
Nick,
When I got the email I followed the instructions on link How to stop using tls-sni-01
and ran
```
sudo sh -c "sed -i.bak -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/g' /etc/letsencrypt/renewal/*; rm -f /etc/letsencrypt/renewal/*.bak"
```
I believe this completely removed the line "pref_challs" from the conf file. That is likely why I don't have one anymore.
In any case, I still got the warning after doing these changes and the notice that Feb 13 all code prior to 0.28 is end of life and won't work.
I guess I'll try 0.29 in a week if there is no update forthcoming through the regular channels. I don't want it to crap out while I'm on the road.
Accepted Answer
nuke wrote:
<snip>
and ran
```
sudo sh -c "sed -i.bak -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/g' /etc/letsencrypt/renewal/*; rm -f /etc/letsencrypt/renewal/*.bak"
```
I believe this completely removed the line "pref_challs" from the conf file.
That line does not delete the line, it just changes the value from "tls-sni-01" to "http-01".
If the line is missing for you, was yours a legacy set up from before the Let's Encrypt app days?
Looking at the certbot changelog, 0.28 does not add anything particularly relevant but changes to "Stop preferring TLS-SNI in the Apache, Nginx, and standalone plugins". In our configs we seem to already prefer http-01 so it may not be an issue.
Please can you just add the missing line in your config, keep the current certbot-0.27 and see if the warning stops?
I have alerted the devs and they are keeping an eye on this thread.
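The two posts above turn on whether a renewal conf has a `pref_challs` line at all and what it prefers: the sed from the Let's Encrypt post only rewrites an existing `tls-sni-01` value and does nothing for a conf with no such line. The script below is an added example, not code from this thread or from Certbot; it classifies each conf in a renewal directory as `missing`, `tls-sni-01` or `ok`, and in fix mode applies that same sed or, for the missing case, adds the line under `[renewalparams]`. The directory path and the `audit|fix` arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Certbot: audit the
# pref_challs setting in certbot renewal confs and move it to http-01,
# covering the case raised above where the line is missing altogether.
# Usage: ./check_pref_challs.sh audit|fix /etc/letsencrypt/renewal

# Classify one renewal conf: prints "missing", "tls-sni-01" or "ok".
classify_conf() {
    # Only the first pref_challs line counts; tolerate surrounding whitespace.
    line=$(grep -E '^[[:space:]]*pref_challs[[:space:]]*=' "$1" | head -n 1)
    if [ -z "$line" ]; then
        echo missing        # no line: certbot's built-in default picks the challenge
    elif printf '%s\n' "$line" | grep -q 'tls-sni-01'; then
        echo tls-sni-01     # explicit TLS-SNI preference, the one the e-mail warns about
    else
        echo ok
    fi
}

# Rewrite one conf so it prefers http-01, then re-classify it. The first
# branch is the sed from the Let's Encrypt post; the second appends the line
# under [renewalparams], which that sed never does (it only edits a line that
# already exists, and leaves a conf with no pref_challs line untouched).
fix_conf() {
    case "$(classify_conf "$1")" in
        tls-sni-01)
            sed -i.bak -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/g' "$1"
            rm -f "$1.bak" ;;
        missing)
            sed -i.bak -e '/^\[renewalparams\]/a\
pref_challs = http-01,' "$1"
            rm -f "$1.bak" ;;
    esac
    classify_conf "$1"
}

# Report every conf in a renewal directory (audit) or repair each one (fix).
run_dir() {
    mode="$1"; dir="$2"
    for f in "$dir"/*.conf; do
        [ -e "$f" ] || continue
        if [ "$mode" = fix ]; then r=$(fix_conf "$f"); else r=$(classify_conf "$f"); fi
        printf '%s: %s\n' "$f" "$r"
    done
}

if [ "$#" -eq 2 ]; then run_dir "$1" "$2"; fi
```

Run it in audit mode first; a conf reported as `missing` after the sed has already been applied is exactly the situation described in the thread, and the renewal log's `Var pref_challs=` line shows what certbot actually used.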
Accepted Answer
Nick Howitt wrote:
@Nuke,
One of my certificates renewed successfully last night. Have yours renewed OK yet?
Hi Nick,
Sorry for the long delay in answering. I did a full reinstall and created new certificates and they haven't gotten around to renewing so far. I think it will be OK. I'll let you know when it updates.
Accepted Answer
Nick Howitt wrote:
It looks like the community version went to certbot 0.31 in the last few days anyway. I don't know when the Business version will follow.
I noticed that too.
BTW, today I got the reminder from Let's Encrypt.
Your certificate (or certificates) for the names listed below will expire in 19 days (on 02 Apr 19 16:00 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.
We recommend renewing certificates automatically when they have a third of their
total lifetime left. For Let's Encrypt's current 90-day certificates, that means
renewing 30 days before expiration. See
https://letsencrypt.org/docs/integration-guide/ for details.
Do you have an idea when the renewal is to take place? I can't find an option in the GUI and haven't looked at the config files yet. But now it's on my list of things to check.
Accepted Answer
A renewal check takes place every night. Have a look in /var/log/letsencrypt/. Actual renewals are attempted nightly from 30 days to expiry. If you have set up any test/dummy certificates then deleted them, I believe you will still get renewal e-mails from Let's Encrypt and you have to ignore them. You can see the expiry dates of any current manager in the Webconfig Let's Encrypt landing page.
Accepted Answer
Nick Howitt wrote:
A renewal check takes place every night. Have a look in /var/log/letsencrypt/. Actual renewals are attempted nightly from 30 days to expiry. If you have set up any test/dummy certificates then deleted them, I believe you will still get renewal e-mails from Let's Encrypt and you have to ignore them. You can see the expiry dates of any current manager in the Webconfig let's Encrypt landing page.
Hmmm.
The log says no renewal necessary.
```
2019-03-14 04:15:09,863:DEBUG:certbot.main:certbot version: 0.31.0
2019-03-14 04:15:09,863:DEBUG:certbot.main:Arguments: ['--standalone', '--preferred-challenges', 'http-01']
2019-03-14 04:15:09,863:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-03-14 04:15:12,621:DEBUG:certbot.log:Root logging level set at 20
2019-03-14 04:15:12,621:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-03-14 04:15:12,667:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer <certbot.cli._Default object at 0x7f30652e1310>
2019-03-14 04:15:12,667:DEBUG:certbot.cli:Var pref_challs=http-01 (set by user).
2019-03-14 04:15:12,668:DEBUG:certbot.cli:Var authenticator=standalone (set by user).
2019-03-14 04:15:12,679:INFO:certbot.renewal:Cert not yet due for renewal
2019-03-14 04:15:12,679:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer None
2019-03-14 04:15:12,683:DEBUG:certbot.cli:Var pref_challs=http-01 (set by user).
2019-03-14 04:15:12,683:DEBUG:certbot.cli:Var authenticator=standalone (set by user).
2019-03-14 04:15:12,702:INFO:certbot.renewal:Cert not yet due for renewal
2019-03-14 04:15:12,703:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer None
2019-03-14 04:15:12,703:DEBUG:certbot.renewal:no renewal failures
```
Strange that I got an email for a renewal but the log says no renewal necessary. I went back 3 days (covers off when the renewal email came in) but no notice of actual renewal happening. <confused>
Accepted Answer
Just to confirm that automatic updates with certbot-0.31.0-2.el7.noarch work OK here.
yum log:
```
[root@alice log]# grep certbot yum* | sort
yum.log-20190101:Feb 24 13:05:40 Installed: python2-certbot-0.21.1-1.el7.noarch
yum.log-20190101:Feb 24 13:05:49 Installed: certbot-0.21.1-1.el7.noarch
yum.log-20190101:Oct 18 07:42:58 Updated: python2-certbot-0.27.1-1.el7.noarch
yum.log-20190101:Oct 18 07:43:08 Updated: certbot-0.27.1-1.el7.noarch
yum.log:Mar 06 08:21:51 Updated: python2-certbot-0.31.0-2.el7.noarch
yum.log:Mar 06 08:22:00 Updated: certbot-0.31.0-2.el7.noarch
```
Successful update early this morning, 30 days before expiry...
```
-rw-r--r-- 1 root root 32054 Mar 20 04:21 letsencrypt.log
```
Accepted Answer
@Tony, ...... so now when you request a new certificate you'll get an Oooops, but not when you renew. See this thread.