Hi folks,
I recently received the following email from Let's Encrypt, about one of my servers not managed by i-MSCP:
Action required: Let's Encrypt certificate renewals
Hello,
Action may be required to prevent your Let's Encrypt certificate renewals
from breaking.
If you already received a similar e-mail, this one contains updated
information.
Your Let's Encrypt client used ACME TLS-SNI-01 domain validation to issue
a certificate in the past 60 days. Below is a list of names and IP
addresses validated (max of one per account):
[...]
TLS-SNI-01 validation is reaching end-of-life. It will stop working
temporarily on February 13th, 2019, and permanently on March 13th, 2019.
Any certificates issued before then will continue to work for 90 days
after their issuance date.
You need to update your ACME client to use an alternative validation
method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your
certificate renewals will break and existing certificates will start to
expire.
Our staging environment already has TLS-SNI-01 disabled, so if you'd like
to test whether your system will work after February 13, you can run
against staging: https://letsencrypt.org/docs/staging-environment/
If you're a Certbot user, you can find more information here:
https://community.letsencrypt.…sni-01-with-certbot/83210
Our forum has many threads on this topic. Please search to see if your
question has been answered, then open a new thread if it has not:
https://community.letsencrypt.org/
For more information about the TLS-SNI-01 end-of-life please see our API
announcement:
https://community.letsencrypt.…-validation-support/74209
Thank you,
Let's Encrypt Staff
The linked article about certbot very strongly suggests that the minimum certbot version should be at least 0.28.0, and the latest version of certbot is in fact 0.30.2.
However, the version installed by the Let's Encrypt plugin is 0.26.1.
I realize that i-MSCP already uses the http-01 challenge, so the tls-sni-01 deprecation does not affect my i-MSCP server in that way. But I wanted to ask if it would make sense to update certbot to the newest version manually, or if maybe a new version of the LE plugin that includes the latest certbot is on the horizon anyway.
Thanks in advance for your help.