
On certbot dropping TLS-SNI-01

沐风博客

While eating dinner this evening I received an email reading as follows:

Hello,  
  
Action may be required to prevent your Let's Encrypt certificate renewals from  
breaking.  
  
If you already received a similar e-mail, this one contains updated information.  
  
Your Let's Encrypt client used ACME TLS-SNI-01 domain validation to issue a  
certificate in the past 7 days. Below is a list of names and IP addresses  
validated (max of one per account):  
  
[www.xxx.edu.cn](http://www.xxx.edu.cn/)(114.xx.xxx.xx) on 2019-02-11  
  
TLS-SNI-01 validation is reaching end-of-life. It will stop working  
temporarily on February 13th, 2019, and permanently on March 13th,  
2019. Any certificates issued before then will continue to work for 90  
days after their issuance date.  
  
You need to update your ACME client to use an alternative validation method  
(HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your certificate renewals  
will break and existing certificates will start to expire.  
  
Our staging environment already has TLS-SNI-01 disabled, so if you'd like to  
test whether your system will work after February 13, you can run against  
staging: [https://letsencrypt.org/docs/staging-environment/](https://letsencrypt.org/docs/staging-environment/)

My first thought: that's bad, automatic HTTPS certificate renewal is going to break.

So, following the pointer in the email, I found this post on the official community site: https://community.letsencrypt.org/t/how-to-stop-using-tls-sni-01-with-certbot/83210. Working through its steps, I found my certbot version was below 0.28.

  1. Check the Certbot version:

    certbot --version || /path/to/certbot-auto --version

  2. Remove any explicit reference to tls-sni-01 from the renewal configs:

    sudo sh -c "sed -i.bak -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/g' /etc/letsencrypt/renewal/*; rm -f /etc/letsencrypt/renewal/*.bak"

  3. Do a full dry run of the renewal:

    sudo certbot renew --dry-run

If the dry run succeeds and your Certbot version is 0.28 or later, you're good: no further action is needed for the end of TLS-SNI-01 support. If it fails, fix the validation problems you see and try again.

To upgrade certbot (CentOS/RHEL with the nginx plugin):

    sudo yum install python2-certbot-nginx
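As an added example (not from this post, the Let's Encrypt guide or Certbot itself), the following POSIX shell script reproduces the two checks above offline: the 0.28 version threshold and the pref_challs rewrite from step 2, applied to a constructed sample renewal config. The sample config contents, its 0.19.0 version string and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or Certbot: the two checks the
# migration boils down to, run offline on a constructed sample renewal config.
# Usage on a real host: certbot_version_ok "$(certbot --version 2>&1)"
# (some releases print the version on stderr, hence the redirect).

# Exit 0 when a "certbot X.Y.Z" string is at least 0.28, the minimum the
# checklist in the post asks for.
certbot_version_ok() {
  ver=$(printf '%s\n' "$1" | sed -n 's/^certbot \([0-9][0-9.]*\).*/\1/p')
  [ -n "$ver" ] || return 1
  major=${ver%%.*}
  rest=${ver#*.}
  minor=${rest%%.*}
  [ "$major" -gt 0 ] 2>/dev/null && return 0
  [ "$minor" -ge 28 ] 2>/dev/null
}

# The same substitution as the post's sed one-liner, applied to a renewal
# config read from stdin: on a pref_challs line, tls-sni-01 becomes http-01.
# Nothing is written back, so the result can be reviewed before editing
# /etc/letsencrypt/renewal/* in place.
drop_tls_sni() {
  sed -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/g'
}

# Exit 0 when the config on stdin no longer mentions tls-sni-01 anywhere.
no_tls_sni_left() {
  ! grep -q 'tls-sni-01'
}

# Constructed sample of /etc/letsencrypt/renewal/<name>.conf as an old
# Certbot might write it; the explicit pref_challs line is what breaks
# renewals once TLS-SNI-01 is gone.
SAMPLE_CONF='version = 0.19.0
archive_dir = /etc/letsencrypt/archive/www.example.com
[renewalparams]
authenticator = nginx
installer = nginx
pref_challs = tls-sni-01,'

# Stand-alone run: show the rewritten config and whether it is now clean.
printf '%s\n' "$SAMPLE_CONF" | drop_tls_sni
if printf '%s\n' "$SAMPLE_CONF" | drop_tls_sni | no_tls_sni_left; then
  echo "OK: no tls-sni-01 references remain"
fi
```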

Done, though I'm still a bit uneasy; I'll check again in a while. The way those folks abroad described it made it sound rather mysterious.

One last friendly reminder: when actually renewing, don't add --dry-run. This is what I had been running:

    certbot renew --pre-hook "/bin/systemctl  stop nginx" --post-hook "/bin/systemctl  start nginx" --dry-run

My earlier renewals hadn't been succeeding and I never even noticed. Ugh.
