How do I renew my Let's Encrypt Cert with a newer validation method?
Linode
Linode Staff
Hello! We received the following email from Let's Encrypt. Can you provide more detail about what exactly needs to be done to perform the update on our server? Thank you.
--
Action is required to prevent your Let's Encrypt certificate renewals from breaking.
Your Let’s Encrypt client used ACME TLS-SNI-01 domain validation to issue a certificate in the past 60 days.
TLS-SNI-01 validation is reaching end-of-life and will stop working on February 13th, 2019.
You need to update your ACME client to use an alternative validation method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your certificate renewals will break and existing certificates will start to expire.
1 Reply
The high level issue here is that you obtained a Let's Encrypt certification using a challenge method that will no longer be supported. They are reminding you that you will need to renew your cert before Feb. 13th when TLS-SNI-01 will reach its end of life. If you don't renew before then it's likely that your website will show up as insecure even though the cert is technically still valid.
To answer to this question completely would depend on several factors such as:
- Which distribution you are using
- Which web server you are using
- How you originally obtained your cert
- How you have set up your certs to be renewed
But to give a high level overview all you need to do is renew your cert as you normally would while ensuring that you are using a newer challenge method.
Here is an example of what that would look like with a common setup using Nginx and Ubuntu 16.04:
- First install cerbot and the certbot-nginx helper package
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-nginx
If you are running a different distribution or webserver please see the Certbot installation page for installation instructions.
- Now run the renew command with a few specific options:
sudo certbot renew --force-renewal --nginx --dry-run --preferred-challenges http
--force-renewal - will force your cert to be renewed even if it is not near its expiration data
--nginx - allows the helper package to update your nginx config with the new cert
--dry-run - allows you to test your renewal for any issues without actually saving any certificates
--preferred-challenges - ensures that you are not using an outdated challenge method as the original email mentioned
If this works with no errors, you will want to re-run the command without the --dry-run option.
Note: If you just want to solely renew your certificate and then manually update your webserver config, you can use the command
sudo certbot certonly --dry-run --preferred-challengesleaving out--nginxandrenew.
- Lastly, restart your Nginx for the changes to apply:
sudo service nginx restart
If you are using Apache rather than nginx, you should be able to use the same commands but replacing nginx with apache. The restart command will also need to be changed to sudo service apache2 restart.
If you are running into this issue with a different distribution or webserver post the details of your setup so we can give you more specific information.
AJ