[Letsencrypt-devel] Bug#888703: certbot: Fails to renew certificate - too old

John Pearson john at huiac.com
Sun Jan 28 21:10:50 UTC 2018


Package: certbot
Version: 0.10.2-1
Severity: normal

Dear Maintainer,

Certbot in Debian stretch is at version 0.10; due to upstream changes,
it is no longer fit for purpose.

*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?

Attempted to verify certbot installation after moving certificates to a
new server.

   * What exactly did you do (or not do) that was effective (or
     ineffective)?

Ran 

  # certbot renew --dry-run

   * What was the outcome of this action?

Received the error message
  Client with the currently selected authenticator does not support any
  combination of challenges that will satisfy the CA.

   * What outcome did you expect instead?
Successful verification that certificate would have been renewed.



-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages certbot depends on:
ii  init-system-helpers  1.48
ii  python               2.7.13-2
ii  python-certbot       0.10.2-1

certbot recommends no packages.

Versions of packages certbot suggests:
ii  python-certbot-apache  0.10.2-1
pn  python-certbot-doc     <none>

-- no debconf information

A quick googling suggests that the issue is LetsEncrypt has dropped
support for TLS-SNI-01, as described in (e.g.) 
 https://community.letsencrypt.org/t/solution-client-with-the-currently-selected-authenticator-does-not-support-any-combination-of-challenges-that-will-satisfy-the-ca/49983

The recommendation is to upgrade to certbot 0.20.  I note this version
is currently in sid; can it please be passed down to stretch, or
stretch-backports?

Thank you,

John Pearson


