Action required: Let's Encrypt certificate renewals邮件提示及解决办法

Today I received an e-mail from Let's Encrypt saying that the "TLS-SNI-01" validation method is no longer supported. Support will be suspended on February 13, 2019 and permanently removed on March 13, 2019. After the removal, one of the other validation methods can be used instead: HTTP-01, DNS-01 or TLS-ALPN-01.

E-mail contents

Hello,

Action may be required to prevent your Let's Encrypt certificate renewals from
breaking.

If you already received a similar e-mail, this one contains updated information.

Your Let's Encrypt client used ACME TLS-SNI-01 domain validation to issue a
certificate in the past 7 days. Below is a list of names and IP addresses
validated (max of one per account):

 mysite.com (192.168.200.100) on 2019-03-06

TLS-SNI-01 validation is reaching end-of-life. It will stop working
permanently on March 13th, 2019. Any certificates issued before then will
continue to work for 90 days after their issuance date.

You need to update your ACME client to use an alternative validation method
(HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your certificate renewals
will break and existing certificates will start to expire.

Our staging environment already has TLS-SNI-01 disabled, so if you'd like to
test whether your system will work after March 13, you can run against
staging: https://letsencrypt.org/docs/staging-environment/

If you're a Certbot user, you can find more information here:
https://community.letsencrypt.org/t/how-to-stop-using-tls-sni-01-with-certbot/83210

Our forum has many threads on this topic. Please search to see if your question
has been answered, then open a new thread if it has not:
https://community.letsencrypt.org/

For more information about the TLS-SNI-01 end-of-life, please see our API
announcement:
https://community.letsencrypt.org/t/february-13-2019-end-of-life-for-all-tls-sni-01-validation-support/74209

Thank you,
Let's Encrypt Staff

How do we fix this? From the link given in the e-mail, the certbot used by the site needs to be upgraded to version 0.28 or later.

Upgrade steps

First, check the currently installed certbot version:

$ certbot --version
certbot 0.27.0

As you can see, my version is below the required minimum, so it needs to be upgraded. My system is CentOS 7 and certbot was originally installed with yum (yum install epel-release && yum install certbot), so I use yum to do a global update, which also upgrades certbot:

$ sudo yum update

After the upgrade, check the certbot version again:

$ certbot --version
certbot 0.31.0

Good, certbot has been upgraded to 0.31.0, above the required minimum. Next, remove any explicit references to tls-sni-01 from the renewal configuration with the following command:

$ sudo sh -c "sed -i.bak -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/g' /etc/letsencrypt/renewal/*; rm -f /etc/letsencrypt/renewal/*.bak"

Finally, use the following command to run a renewal of all certificates (as a dry run):

$ sudo certbot renew --dry-run
Output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mysite.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mysite.com
http-01 challenge for www.mysite.com
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-staging-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/mysite.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/mysite.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
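The sed one-liner above rewrites pref_challs in place, but when a config already lists http-01 after tls-sni-01 it leaves a duplicated "http-01, http-01". As an added example (not from the original post and not certbot's own code), this POSIX sh script does the same rewrite, keeps a .bak copy of each changed file and drops duplicate challenge names; it takes the renewal directory as an argument, and the script name fix-pref-challs.sh is an assumption.

```shell
#!/bin/sh
# Added example: rewrite "pref_challs" lines in certbot renewal configs so that
# tls-sni-01 is replaced by http-01, without leaving duplicate entries behind.

# Rewrite one pref_challs value: tls-sni-01 becomes http-01 in the same position,
# surrounding whitespace is trimmed and duplicate challenge names are dropped.
rewrite_challs() {
  printf '%s\n' "$1" | awk -F',' '{
    n = 0
    for (i = 1; i <= NF; i++) {
      c = $i
      gsub(/^[ \t]+|[ \t]+$/, "", c)
      if (c == "") continue
      if (c == "tls-sni-01") c = "http-01"
      if (!(c in seen)) { seen[c] = 1; out[++n] = c }
    }
    s = out[1]
    for (i = 2; i <= n; i++) s = s ", " out[i]
    print s
  }'
}

# Rewrite every renewal config in a directory that still prefers tls-sni-01.
# Files without such a line are left untouched; changed files get a .bak copy.
fix_renewal_dir() {
  dir=$1
  for f in "$dir"/*.conf; do
    [ -f "$f" ] || continue
    grep -q '^pref_challs.*tls-sni-01' "$f" || continue
    cp -p "$f" "$f.bak"
    tmp="$f.tmp.$$"
    while IFS= read -r line || [ -n "$line" ]; do
      case $line in
        pref_challs*tls-sni-01*)
          key=${line%%=*}
          val=${line#*=}
          printf '%s= %s\n' "$key" "$(rewrite_challs "$val")"
          ;;
        *) printf '%s\n' "$line" ;;
      esac
    done < "$f" > "$tmp" && mv "$tmp" "$f"
    echo "rewrote $f (backup in $f.bak)"
  done
}

# Usage: sh fix-pref-challs.sh /etc/letsencrypt/renewal
if [ $# -gt 0 ]; then
  fix_renewal_dir "$1"
fi
```

Run it as root against /etc/letsencrypt/renewal, then verify with sudo certbot renew --dry-run as shown above.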

the end
