We have already discussed using free certificates from Let's Encrypt to implement SSL security on our web server. The recommended client (Certbot) automates the entire process of acquiring and renewing certificates.
If we have been using Certbot for some time, we may get the following error message when requesting a new certificate:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA
This happens because older versions validate ownership of the domain with a challenge method in which a security flaw was found. Let's Encrypt has disabled that type of validation; renewing existing certificates is still possible, but depending on the hosting we use for our domain, obtaining a new certificate may be impossible.
The solution is very simple: we need to update Certbot to version 0.21.0, which fixes this issue. Usually the package manager of our OS (e.g. apt-get on Ubuntu) handles this, but it can happen that the official repositories have not been updated. If so, we need to take care of the update ourselves.
Keep SSL security updated with Certbot-auto
Fortunately for us, Let's Encrypt has developed a specific script, certbot-auto, which manages the whole process for us. The steps are simple: download the script, give it execution rights and launch it with root privileges.
wget https://dl.eff.org/certbot-auto
chmod a+x ./certbot-auto
sudo ./certbot-auto
Certbot-auto has the same settings and functionality as certbot; the difference is that it automatically installs the latest available version whenever necessary, which solves our problem and lets us obtain and install new certificates. We can see the available settings with:
./certbot-auto --help all
If our server has less than 512MB of RAM, we will need to create a temporary swap file so that certbot's internal dependencies can be compiled:
sudo fallocate -l 1G /tmp/swapfile
sudo chmod 600 /tmp/swapfile
sudo mkswap /tmp/swapfile
sudo swapon /tmp/swapfile
Once the process is done we delete the temporary file.
sudo swapoff /tmp/swapfile
sudo rm /tmp/swapfile
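The whole procedure above, as an added example script that is not part of the original post or of the Certbot project. It assumes a detached signature is published at the download URL plus ".asc" and that you fill in the Certbot signing key's fingerprint from the project's documentation (CERTBOT_KEY_FPR is a placeholder); the swap file is created only when RAM is below 512MB and is removed even if certbot-auto fails.

```shell
#!/bin/sh
# Added example (not from the original post): the certbot-auto procedure as one
# script, with the swap file only when RAM is below 512 MB (and always removed
# afterwards) and the download's signature checked before running it as root.
set -eu

CERTBOT_AUTO_URL="https://dl.eff.org/certbot-auto"   # URL from the post
SWAPFILE="/tmp/swapfile"
MIN_RAM_KB=$((512 * 1024))
# Assumption: set to the fingerprint the Certbot project publishes for its
# signing key; with the placeholder left in, verification fails and aborts.
CERTBOT_KEY_FPR="${CERTBOT_KEY_FPR:-REPLACE_WITH_PUBLISHED_FINGERPRINT}"
# True (exit 0) when the given total RAM in kB is below the 512 MB threshold.
needs_swap() {
    [ "$1" -lt "$MIN_RAM_KB" ]
}

# MemTotal in kB from a /proc/meminfo-formatted file (default: the real one).
mem_total_kb() {
    awk '/^MemTotal:/ { print $2; exit }' "${1:-/proc/meminfo}"
}

# Same steps as the post; the EXIT trap removes the swap file whatever happens.
add_temp_swap() {
    fallocate -l 1G "$SWAPFILE"
    chmod 600 "$SWAPFILE"        # swap contents must not be world-readable
    mkswap "$SWAPFILE"
    swapon "$SWAPFILE"
    trap 'swapoff "$SWAPFILE"; rm -f "$SWAPFILE"' EXIT
}

# Download script and signature (assumed at URL + ".asc"), verify, install.
fetch_certbot_auto() {
    wget -q -O certbot-auto "$CERTBOT_AUTO_URL"
    wget -q -O certbot-auto.asc "$CERTBOT_AUTO_URL.asc"
    gpg --keyserver keys.openpgp.org --recv-keys "$CERTBOT_KEY_FPR"
    # VALIDSIG carries the signer's full fingerprint, so a wrong key fails here.
    gpg --status-fd 1 --verify certbot-auto.asc certbot-auto 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG $CERTBOT_KEY_FPR "
    install -m 0755 certbot-auto /usr/local/bin/certbot-auto
}
main() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    if needs_swap "$(mem_total_kb)"; then add_temp_swap; fi
    fetch_certbot_auto
    /usr/local/bin/certbot-auto "$@"   # e.g. renew, or --help all
}
# Acts only with "--run", so the helpers can be sourced without side effects.
if [ "${1:-}" = "--run" ]; then shift; main "$@"; fi
```

Run it as `sudo sh update-certbot.sh --run renew`; without `--run` it only defines the functions.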
With these few steps we can keep certbot updated and the SSL security of our server up to date.