Package: certbot
Version: 0.10.2-1
Severity: normal
Dear Maintainer,
Certbot in Debian stretch is at version 0.10; due to upstream changes,
it is no longer fit for purpose
*** Reporter, please consider answering these questions, where appropriate ***
* What led up to the situation?
Attempted to verify certbot installation after moving cdrtificates to a
new server.
* What exactly did you do (or not do) that was effective (or
ineffective)?
Ran
# certbot renew --dry-run
* What was the outcome of this action?
Received the error message
Client with the currently selected authenticator does not support any
combination of challenges that will satisfy the CA.
* What outcome did you expect instead?
Successful verification that certificate would have been renewed.
-- System Information:
Debian Release: 9.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8),
LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages certbot depends on:
ii init-system-helpers 1.48
ii python 2.7.13-2
ii python-certbot 0.10.2-1
certbot recommends no packages.
Versions of packages certbot suggests:
ii python-certbot-apache 0.10.2-1
pn python-certbot-doc <none>
-- no debconf information
A quick googling suggest that the issue is LetsEncrypt has dropped
support for TLS-SNI-01, as described in (e.g.)
https://community.letsencrypt.org/t/solution-client-with-the-currently-selected-authenticator-does-not-support-any-combination-of-challenges-that-will-satisfy-the-ca/49983
The recommendation is to upgrade to certbot 0.20. I note this version
is currently in sid; can it please be passed dpown to stretch, or
stretch-backports?
THank you,
John Pearson
