Acme.sh no longer compatible with Lets Encrypt

gariac · August 31, 2021, 12:02am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: lazygranch.com and inplanesight.org

I ran this command: ./acme.sh --debug --renew -d lazygranch.com

It produced this output: [Mon Aug 30 23:48:31 UTC 2021] GET
[Mon Aug 30 23:48:31 UTC 2021] url='https://acme-v01.api.letsencrypt.org/directory'
[Mon Aug 30 23:48:31 UTC 2021] timeout=
[Mon Aug 30 23:48:31 UTC 2021] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Mon Aug 30 23:48:31 UTC 2021] ret='0'
[Mon Aug 30 23:48:31 UTC 2021] Could not get nonce, let's try again.

I have already debugged this. The problem is related to:
{
"type": "urn:acme:error:serverInternal",
"detail": "ACMEv1 is deprecated and you can no longer get certificates from this endpoint. Please use the ACMEv2 endpoint, you may need to update your ACME client software to do so. Visit End of Life Plan for ACMEv1 - #27 by jillian for more information."
}

My web server is (include version):
nginx -v
nginx version: nginx/1.20.1
The operating system my web server runs on is (include version):
Centos 7
Linux lazygranch.com 3.10.0-1160.36.2.el7.x86_64 #1 SMP Wed Jul 21 11:57:15 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don't know):yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): ./acme.sh -v

I found the post with the test command:
./acme.sh --server https://acme-staging-v02.api.letsencrypt.org/directory --issue -d test.acme.sh --standalone --debug

Before my comments get lost in the long debug output, should I use the -b option when upgrading acme.sh, perhaps taking me to version 3?

FWIW I didn't get an email regarding changes in Lets Encrypt so I there some place to sign up?

Here is the debug output:

My rather long debug output follow:

sh-4.2# ./acme.sh  --server https://acme-staging-v02.api.letsencrypt.org/directory  --issue -d test.acme.sh --standalone --debug
[Mon Aug 30 23:34:40 UTC 2021] Lets find script dir.
[Mon Aug 30 23:34:40 UTC 2021] _SCRIPT_='./acme.sh'
[Mon Aug 30 23:34:40 UTC 2021] _script='/usr/local/src/acme.sh/acme.sh'
[Mon Aug 30 23:34:40 UTC 2021] _script_home='/usr/local/src/acme.sh'
[Mon Aug 30 23:34:40 UTC 2021] Using default home:/root/.acme.sh
[Mon Aug 30 23:34:40 UTC 2021] Using config home:/root/.acme.sh
https://github.com/Neilpang/acme.sh
v2.8.0
[Mon Aug 30 23:34:40 UTC 2021] Using server: https://acme-staging-v02.api.letsencrypt.org/directory
[Mon Aug 30 23:34:40 UTC 2021] _main_domain='test.acme.sh'
[Mon Aug 30 23:34:40 UTC 2021] _alt_domains='no'
[Mon Aug 30 23:34:40 UTC 2021] Using config home:/root/.acme.sh
[Mon Aug 30 23:34:40 UTC 2021] ACME_DIRECTORY='https://acme-staging-v02.api.letsencrypt.org/directory'
[Mon Aug 30 23:34:40 UTC 2021] DOMAIN_PATH='/root/.acme.sh/test.acme.sh'
[Mon Aug 30 23:34:40 UTC 2021] Using ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
[Mon Aug 30 23:34:40 UTC 2021] _init api for server: https://acme-staging-v02.api.letsencrypt.org/directory
[Mon Aug 30 23:34:40 UTC 2021] GET
[Mon Aug 30 23:34:40 UTC 2021] url='https://acme-staging-v02.api.letsencrypt.org/directory'
[Mon Aug 30 23:34:40 UTC 2021] timeout=
[Mon Aug 30 23:34:40 UTC 2021] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  -g '
[Mon Aug 30 23:34:40 UTC 2021] ret='0'
[Mon Aug 30 23:34:40 UTC 2021] ACME_KEY_CHANGE='https://acme-staging-v02.api.letsencrypt.org/acme/key-change'
[Mon Aug 30 23:34:40 UTC 2021] ACME_NEW_AUTHZ
[Mon Aug 30 23:34:40 UTC 2021] ACME_NEW_ORDER='https://acme-staging-v02.api.letsencrypt.org/acme/new-order'
[Mon Aug 30 23:34:40 UTC 2021] ACME_NEW_ACCOUNT='https://acme-staging-v02.api.letsencrypt.org/acme/new-acct'
[Mon Aug 30 23:34:40 UTC 2021] ACME_REVOKE_CERT='https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert'
[Mon Aug 30 23:34:40 UTC 2021] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[Mon Aug 30 23:34:40 UTC 2021] ACME_NEW_NONCE='https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce'
[Mon Aug 30 23:34:40 UTC 2021] ACME_VERSION='2'
[Mon Aug 30 23:34:40 UTC 2021] Le_NextRenewTime
[Mon Aug 30 23:34:41 UTC 2021] _on_before_issue
[Mon Aug 30 23:34:41 UTC 2021] _chk_main_domain='test.acme.sh'
[Mon Aug 30 23:34:41 UTC 2021] _chk_alt_domains
[Mon Aug 30 23:34:41 UTC 2021] Le_LocalAddress
[Mon Aug 30 23:34:41 UTC 2021] d='test.acme.sh'
[Mon Aug 30 23:34:41 UTC 2021] Check for domain='test.acme.sh'
[Mon Aug 30 23:34:41 UTC 2021] _currentRoot='no'
[Mon Aug 30 23:34:41 UTC 2021] Standalone mode.
[Mon Aug 30 23:34:41 UTC 2021] _checkport='80'
[Mon Aug 30 23:34:41 UTC 2021] _checkaddr
[Mon Aug 30 23:34:41 UTC 2021] Using: ss
[Mon Aug 30 23:34:41 UTC 2021] d
[Mon Aug 30 23:34:41 UTC 2021] config file is empty, can not read CA_KEY_HASH
[Mon Aug 30 23:34:41 UTC 2021] Using config home:/root/.acme.sh
[Mon Aug 30 23:34:41 UTC 2021] ACME_DIRECTORY='https://acme-staging-v02.api.letsencrypt.org/directory'
[Mon Aug 30 23:34:41 UTC 2021] _init api for server: https://acme-staging-v02.api.letsencrypt.org/directory
[Mon Aug 30 23:34:41 UTC 2021] RSA key
[Mon Aug 30 23:34:41 UTC 2021] Registering account
[Mon Aug 30 23:34:41 UTC 2021] url='https://acme-staging-v02.api.letsencrypt.org/acme/new-acct'
[Mon Aug 30 23:34:41 UTC 2021] payload='{"termsOfServiceAgreed": true}'
[Mon Aug 30 23:34:41 UTC 2021] HEAD
[Mon Aug 30 23:34:41 UTC 2021] _post_url='https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce'
[Mon Aug 30 23:34:41 UTC 2021] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  -g '
[Mon Aug 30 23:39:39 UTC 2021] _ret='0'
[Mon Aug 30 23:39:39 UTC 2021] POST
[Mon Aug 30 23:39:39 UTC 2021] _post_url='https://acme-staging-v02.api.letsencrypt.org/acme/new-acct'
[Mon Aug 30 23:39:39 UTC 2021] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  -g '
[Mon Aug 30 23:39:39 UTC 2021] _ret='0'
[Mon Aug 30 23:39:39 UTC 2021] code='201'
[Mon Aug 30 23:39:39 UTC 2021] Registered
[Mon Aug 30 23:39:40 UTC 2021] _accUri='https://acme-staging-v02.api.letsencrypt.org/acme/acct/25100248'
[Mon Aug 30 23:39:40 UTC 2021] Calc CA_KEY_HASH='Qr/Q8kY+gzbweygstcA5fBO/4zL1U4Y2BAOPlBwBDWs='
[Mon Aug 30 23:39:40 UTC 2021] ACCOUNT_THUMBPRINT='EPt9fQYEIhP_iyUCmLYKTXtb3CBJNSGwU95cLFRo5zU'
[Mon Aug 30 23:39:40 UTC 2021] Read key length:
[Mon Aug 30 23:39:40 UTC 2021] Creating domain key
[Mon Aug 30 23:39:40 UTC 2021] Use DEFAULT_DOMAIN_KEY_LENGTH=2048
[Mon Aug 30 23:39:40 UTC 2021] Using config home:/root/.acme.sh
[Mon Aug 30 23:39:40 UTC 2021] ACME_DIRECTORY='https://acme-staging-v02.api.letsencrypt.org/directory'
[Mon Aug 30 23:39:40 UTC 2021] Use length 2048
[Mon Aug 30 23:39:40 UTC 2021] Using RSA: 2048
[Mon Aug 30 23:39:40 UTC 2021] The domain key is here: /root/.acme.sh/test.acme.sh/test.acme.sh.key
[Mon Aug 30 23:39:40 UTC 2021] _createcsr
[Mon Aug 30 23:39:40 UTC 2021] Single domain='test.acme.sh'
[Mon Aug 30 23:39:40 UTC 2021] Getting domain auth token for each domain
[Mon Aug 30 23:39:40 UTC 2021] d
[Mon Aug 30 23:39:40 UTC 2021] url='https://acme-staging-v02.api.letsencrypt.org/acme/new-order'
[Mon Aug 30 23:39:40 UTC 2021] payload='{"identifiers": [{"type":"dns","value":"test.acme.sh"}]}'
[Mon Aug 30 23:39:40 UTC 2021] POST
[Mon Aug 30 23:39:40 UTC 2021] _post_url='https://acme-staging-v02.api.letsencrypt.org/acme/new-order'
[Mon Aug 30 23:39:40 UTC 2021] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  -g '
[Mon Aug 30 23:39:40 UTC 2021] _ret='0'
[Mon Aug 30 23:39:40 UTC 2021] code='201'
[Mon Aug 30 23:39:40 UTC 2021] Le_OrderFinalize='https://acme-staging-v02.api.letsencrypt.org/acme/finalize/25100248/424278398'
[Mon Aug 30 23:39:40 UTC 2021] GET
[Mon Aug 30 23:39:40 UTC 2021] url='https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/392081458'
[Mon Aug 30 23:39:40 UTC 2021] timeout=
[Mon Aug 30 23:39:40 UTC 2021] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  -g '
[Mon Aug 30 23:39:41 UTC 2021] ret='0'
[Mon Aug 30 23:39:41 UTC 2021] d='test.acme.sh'
[Mon Aug 30 23:39:41 UTC 2021] Getting webroot for domain='test.acme.sh'
[Mon Aug 30 23:39:41 UTC 2021] _w='no'
[Mon Aug 30 23:39:41 UTC 2021] _currentRoot='no'
[Mon Aug 30 23:39:41 UTC 2021] get to authz error.
[Mon Aug 30 23:39:41 UTC 2021] _authorizations_map=',{"type":"urn:ietf:params:acme:error:malformed","detail":"Method not allowed","status": 405}
'
[Mon Aug 30 23:39:41 UTC 2021] pid
[Mon Aug 30 23:39:41 UTC 2021] No need to restore nginx, skip.
[Mon Aug 30 23:39:41 UTC 2021] _clearupdns
[Mon Aug 30 23:39:41 UTC 2021] skip dns.
[Mon Aug 30 23:39:41 UTC 2021] _on_issue_err
[Mon Aug 30 23:39:41 UTC 2021] Please add '--debug' or '--log' to check more details.
[Mon Aug 30 23:39:41 UTC 2021] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
[Mon Aug 30 23:39:41 UTC 2021] Diagnosis versions: 
openssl:openssl
OpenSSL 1.0.2k-fips  26 Jan 2017
apache:
apache doesn't exists.
nginx:
nginx version: nginx/1.20.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) 
built with OpenSSL 1.1.1g FIPS  21 Apr 2020
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-compat --with-debug --with-file-aio --with-google_perftools_module --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_degradation_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_mp4_module --with-http_perl_module=dynamic --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_xslt_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module --with-threads --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic' --with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E'
socat:
socat by Gerhard Rieger and contributors - see www.dest-unreach.org
Usage:
socat [options] <bi-address> <bi-address>
   options:
      -V     print version and feature information to stdout, and exit
      -h|-?  print a help text describing command line options and addresses
      -hh    like -h, plus a list of all common address option names
      -hhh   like -hh, plus a list of all available address option names
      -d     increase verbosity (use up to 4 times; 2 are recommended)
      -D     analyze file descriptors before loop
      -ly[facility]  log to syslog, using facility (default is daemon)
      -lf<logfile>   log to file
      -ls            log to stderr (default if no other log)
      -lm[facility]  mixed log mode (stderr during initialization, then syslog)
      -lp<progname>  set the program name used for logging
      -lu            use microseconds for logging timestamps
      -lh            add hostname to log messages
      -v     verbose data traffic, text
      -x     verbose data traffic, hexadecimal
      -b<size_t>     set data buffer size (8192)
      -s     sloppy (continue on error)
      -t<timeout>    wait seconds before closing second channel
      -T<timeout>    total inactivity timeout in seconds
      -u     unidirectional mode (left to right)
      -U     unidirectional mode (right to left)
      -g     do not check option groups
      -L <lockfile>  try to obtain lock, or fail
      -W <lockfile>  try to obtain lock, or wait
      -4     prefer IPv4 if version is not explicitly specified
      -6     prefer IPv6 if version is not explicitly specified
   bi-address:
      pipe[,<opts>]     groups=FD,FIFO
      <single-address>!!<single-address>
      <single-address>
   single-address:
      <address-head>[,<opts>]
   address-head:
      abstract-client:<filename>        groups=FD,SOCKET,RETRY,UNIX
      abstract-connect:<filename>       groups=FD,SOCKET,RETRY,UNIX
      abstract-listen:<filename>        groups=FD,SOCKET,LISTEN,CHILD,RETRY,UNIX
      abstract-recv:<filename>  groups=FD,SOCKET,RETRY,UNIX
      abstract-recvfrom:<filename>      groups=FD,SOCKET,CHILD,RETRY,UNIX
      abstract-sendto:<filename>        groups=FD,SOCKET,RETRY,UNIX
      create:<filename> groups=FD,REG,NAMED
      exec:<command-line>       groups=FD,FIFO,SOCKET,EXEC,FORK,TERMIOS,PTY,PARENT,UNIX
      fd:<num>  groups=FD,FIFO,CHR,BLK,REG,SOCKET,TERMIOS,UNIX,IP4,IP6,UDP,TCP,SCTP
      gopen:<filename>  groups=FD,FIFO,CHR,BLK,REG,SOCKET,NAMED,OPEN,TERMIOS,UNIX
      interface:<interface>     groups=FD,SOCKET
      ip-datagram:<host>:<protocol>     groups=FD,SOCKET,RANGE,IP4,IP6
      ip-recv:<protocol>        groups=FD,SOCKET,RANGE,IP4,IP6
      ip-recvfrom:<protocol>    groups=FD,SOCKET,CHILD,RANGE,IP4,IP6
      ip-sendto:<host>:<protocol>       groups=FD,SOCKET,IP4,IP6
      ip4-datagram:<host>:<protocol>    groups=FD,SOCKET,RANGE,IP4
      ip4-recv:<protocol>       groups=FD,SOCKET,RANGE,IP4
      ip4-recvfrom:<protocol>   groups=FD,SOCKET,CHILD,RANGE,IP4
      ip4-sendto:<host>:<protocol>      groups=FD,SOCKET,IP4
      ip6-datagram:<host>:<protocol>    groups=FD,SOCKET,RANGE,IP6
      ip6-recv:<protocol>       groups=FD,SOCKET,RANGE,IP6
      ip6-recvfrom:<protocol>   groups=FD,SOCKET,CHILD,RANGE,IP6
      ip6-sendto:<host>:<protocol>      groups=FD,SOCKET,IP6
      open:<filename>   groups=FD,FIFO,CHR,BLK,REG,NAMED,OPEN,TERMIOS
      openssl:<host>:<port>     groups=FD,SOCKET,CHILD,RETRY,IP4,IP6,TCP,OPENSSL
      openssl-listen:<port>     groups=FD,SOCKET,LISTEN,CHILD,RETRY,RANGE,IP4,IP6,TCP,OPENSSL
      pipe:<filename>   groups=FD,FIFO,NAMED,OPEN
      proxy:<proxy-server>:<host>:<port>        groups=FD,SOCKET,CHILD,RETRY,IP4,IP6,TCP,HTTP
      pty       groups=FD,NAMED,TERMIOS,PTY
      readline  groups=FD,READLINE,TERMIOS
      sctp-connect:<host>:<port>        groups=FD,SOCKET,CHILD,RETRY,IP4,IP6,SCTP
      sctp-listen:<port>        groups=FD,SOCKET,LISTEN,CHILD,RETRY,RANGE,IP4,IP6,SCTP
      sctp4-connect:<host>:<port>       groups=FD,SOCKET,CHILD,RETRY,IP4,SCTP
      sctp4-listen:<port>       groups=FD,SOCKET,LISTEN,CHILD,RETRY,RANGE,IP4,SCTP
      sctp6-connect:<host>:<port>       groups=FD,SOCKET,CHILD,RETRY,IP6,SCTP
      sctp6-listen:<port>       groups=FD,SOCKET,LISTEN,CHILD,RETRY,RANGE,IP6,SCTP
      socket-connect:<domain>:<protocol>:<remote-address>       groups=FD,SOCKET,CHILD,RETRY
      socket-datagram:<domain>:<type>:<protocol>:<remote-address>       groups=FD,SOCKET,RANGE
      socket-listen:<domain>:<protocol>:<local-address> groups=FD,SOCKET,LISTEN,CHILD,RETRY,RANGE
      socket-recv:<domain>:<type>:<protocol>:<local-address>    groups=FD,SOCKET,RANGE
      socket-recvfrom:<domain>:<type>:<protocol>:<local-address>        groups=FD,SOCKET,CHILD,RANGE
      socket-sendto:<domain>:<type>:<protocol>:<remote-address> groups=FD,SOCKET
      socks4:<socks-server>:<host>:<port>       groups=FD,SOCKET,CHILD,RETRY,IP4,IP6,TCP,SOCKS4
      socks4a:<socks-server>:<host>:<port>      groups=FD,SOCKET,CHILD,RETRY,IP4,IP6,TCP,SOCKS4
      stderr    groups=FD,FIFO,CHR,BLK,REG,SOCKET,TERMIOS,UNIX,IP4,IP6,UDP,TCP,SCTP
      stdin     groups=FD,FIFO,CHR,BLK,REG,SOCKET,TERMIOS,UNIX,IP4,IP6,UDP,TCP,SCTP
      stdio     groups=FD,FIFO,CHR,BLK,REG,SOCKET,TERMIOS,UNIX,IP4,IP6,UDP,TCP,SCTP
      stdout    groups=FD,FIFO,CHR,BLK,REG,SOCKET,TERMIOS,UNIX,IP4,IP6,UDP,TCP,SCTP
      system:<shell-command>    groups=FD,FIFO,SOCKET,EXEC,FORK,TERMIOS,PTY,PARENT,UNIX
      tcp-connect:<host>:<port> groups=FD,SOCKET,CHILD,RETRY,IP4,IP6,TCP
      tcp-listen:<port> groups=FD,SOCKET,LISTEN,CHILD,RETRY,RANGE,IP4,IP6,TCP
      tcp4-connect:<host>:<port>        groups=FD,SOCKET,CHILD,RETRY,IP4,TCP
      tcp4-listen:<port>        groups=FD,SOCKET,LISTEN,CHILD,RETRY,RANGE,IP4,TCP
      tcp6-connect:<host>:<port>        groups=FD,SOCKET,CHILD,RETRY,IP6,TCP
      tcp6-listen:<port>        groups=FD,SOCKET,LISTEN,CHILD,RETRY,RANGE,IP6,TCP
      tun[:<ip-addr>/<bits>]    groups=FD,CHR,NAMED,OPEN,INTERFACE
      udp-connect:<host>:<port> groups=FD,SOCKET,IP4,IP6,UDP
      udp-datagram:<host>:<port>        groups=FD,SOCKET,RANGE,IP4,IP6,UDP
      udp-listen:<port> groups=FD,SOCKET,LISTEN,CHILD,RANGE,IP4,IP6,UDP
      udp-recv:<port>   groups=FD,SOCKET,RANGE,IP4,IP6,UDP
      udp-recvfrom:<port>       groups=FD,SOCKET,CHILD,RANGE,IP4,IP6,UDP
      udp-sendto:<host>:<port>  groups=FD,SOCKET,IP4,IP6,UDP
      udp4-connect:<host>:<port>        groups=FD,SOCKET,IP4,UDP
      udp4-datagram:<remote-address>:<port>     groups=FD,SOCKET,RANGE,IP4,UDP
      udp4-listen:<port>        groups=FD,SOCKET,LISTEN,CHILD,RANGE,IP4,UDP
      udp4-recv:<port>  groups=FD,SOCKET,RANGE,IP4,UDP
      udp4-recvfrom:<host>:<port>       groups=FD,SOCKET,CHILD,RANGE,IP4,UDP
      udp4-sendto:<host>:<port> groups=FD,SOCKET,IP4,UDP
      udp6-connect:<host>:<port>        groups=FD,SOCKET,IP6,UDP
      udp6-datagram:<host>:<port>       groups=FD,SOCKET,RANGE,IP6,UDP
      udp6-listen:<port>        groups=FD,SOCKET,LISTEN,CHILD,RANGE,IP6,UDP
      udp6-recv:<port>  groups=FD,SOCKET,RANGE,IP6,UDP
      udp6-recvfrom:<port>      groups=FD,SOCKET,CHILD,RANGE,IP6,UDP
      udp6-sendto:<host>:<port> groups=FD,SOCKET,IP6,UDP
      unix-client:<filename>    groups=FD,SOCKET,NAMED,RETRY,UNIX
      unix-connect:<filename>   groups=FD,SOCKET,NAMED,RETRY,UNIX
      unix-listen:<filename>    groups=FD,SOCKET,NAMED,LISTEN,CHILD,RETRY,UNIX
      unix-recv:<filename>      groups=FD,SOCKET,NAMED,RETRY,UNIX
      unix-recvfrom:<filename>  groups=FD,SOCKET,NAMED,CHILD,RETRY,UNIX
      unix-sendto:<filename>    groups=FD,SOCKET,NAMED,RETRY,UNIX

rg305 · August 31, 2021, 12:08am

Please show the output of:
curl -v https://acme-v01.api.letsencrypt.org/directory

And we never got to see the output of:
./acme.sh -v
or maybe:
/root/.acme.sh/acme.sh -v

gariac · August 31, 2021, 12:33am

Well I did paste the version info. Who knows....

sh-4.2# ./acme.sh -v

v2.8.0

sh-4.2# curl -v https://acme-v01.api.letsencrypt.org/directory

About to connect() to acme-v01.api.letsencrypt.org port 443 (#0)
Trying 172.65.32.248...
Connected to acme-v01.api.letsencrypt.org (172.65.32.248) port 443 (#0)
Initializing NSS with certpath: sql:/etc/pki/nssdb
CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Server certificate:

  subject: CN=acme-v01.api.letsencrypt.org

```
  start date: Aug 18 15:37:44 2021 GMT
```

  expire date: Nov 16 15:37:42 2021 GMT

  common name: acme-v01.api.letsencrypt.org

```
  issuer: CN=R3,O=Let's Encrypt,C=US
```

GET /directory HTTP/1.1
User-Agent: curl/7.29.0
Host: acme-v01.api.letsencrypt.org
Accept: /

< HTTP/1.1 403 Forbidden
< Server: nginx
< Date: Tue, 31 Aug 2021 00:25:56 GMT
< Content-Type: application/problem+json
< Content-Length: 333
< Connection: keep-alive
< ETag: "611d36ee-14d"
<
{
"type": "urn:acme:error:serverInternal",
"detail": "ACMEv1 is deprecated and you can no longer get certificates from this endpoint. Please use the ACMEv2 endpoint, you may need to update your ACME client software to do so. Visit End of Life Plan for ACMEv1 - #27 by jillian for more information."
}

Connection #0 to host acme-v01.api.letsencrypt.org left intact

rg305 · August 31, 2021, 1:34am

OK that all seems good.

Let's have a look at this output:
grep -r v01 */*.conf

gariac · August 31, 2021, 2:26am

Unfortunately I am not finding any .conf files. In which directory should I be running the grep?

pwd
/usr/local/src/acme.sh
sh-4.2# grep -r v01 /.conf
grep: /.conf: No such file or directory

Here are the directory trees

ls -l
total 200
-rwxr-xr-x 1 root root 168574 Aug 25 2018 acme.sh
drwxr-xr-x 2 root root 4096 Aug 25 2018 deploy
drwxr-xr-x 2 root root 4096 Aug 25 2018 dnsapi
-rw-r--r-- 1 root root 1418 Aug 25 2018 Dockerfile
-rw-r--r-- 1 root root 17694 Aug 25 2018 README.md
cd deploy
sh-4.2# ls -l
total 88
-rw-r--r-- 1 root root 512 Aug 25 2018 apache.sh
-rw-r--r-- 1 root root 1817 Aug 25 2018 cpanel_uapi.sh
-rw-r--r-- 1 root root 484 Aug 25 2018 dovecot.sh
-rw-r--r-- 1 root root 3208 Aug 25 2018 exim4.sh
-rw-r--r-- 1 root root 3861 Aug 25 2018 fritzbox.sh
-rw-r--r-- 1 root root 1518 Aug 25 2018 haproxy.sh
-rw-r--r-- 1 root root 669 Aug 25 2018 keychain.sh
-rwxr-xr-x 1 root root 2880 Aug 25 2018 kong.sh
-rwxr-xr-x 1 root root 592 Aug 25 2018 myapi.sh
-rw-r--r-- 1 root root 512 Aug 25 2018 mysqld.sh
-rw-r--r-- 1 root root 509 Aug 25 2018 nginx.sh
-rw-r--r-- 1 root root 518 Aug 25 2018 opensshd.sh
-rw-r--r-- 1 root root 518 Aug 25 2018 pureftpd.sh
-rw-r--r-- 1 root root 9877 Aug 25 2018 README.md
-rw-r--r-- 1 root root 8084 Aug 25 2018 ssh.sh
-rw-r--r-- 1 root root 1370 Aug 25 2018 strongswan.sh
-rw-r--r-- 1 root root 2904 Aug 25 2018 unifi.sh
-rw-r--r-- 1 root root 1628 Aug 25 2018 vault_cli.sh
-rw-r--r-- 1 root root 3166 Aug 25 2018 vsftpd.sh

sh-4.2# cd dnsapi/
sh-4.2# ls -l
total 352
-rw-r--r-- 1 root root 1814 Aug 25 2018 dns_acmedns.sh
-rwxr-xr-x 1 root root 3464 Aug 25 2018 dns_ad.sh
-rwxr-xr-x 1 root root 5100 Aug 25 2018 dns_ali.sh
-rw-r--r-- 1 root root 5991 Aug 25 2018 dns_autodns.sh
-rwxr-xr-x 1 root root 10950 Aug 25 2018 dns_aws.sh
-rw-r--r-- 1 root root 12348 Aug 25 2018 dns_azure.sh
-rwxr-xr-x 1 root root 5409 Aug 25 2018 dns_cf.sh
-rwxr-xr-x 1 root root 5122 Aug 25 2018 dns_cloudns.sh
-rwxr-xr-x 1 root root 4027 Aug 25 2018 dns_cx.sh
-rw-r--r-- 1 root root 9966 Aug 25 2018 dns_cyon.sh
-rwxr-xr-x 1 root root 5644 Aug 25 2018 dns_da.sh
-rwxr-xr-x 1 root root 7497 Aug 25 2018 dns_dgon.sh
-rw-r--r-- 1 root root 4811 Aug 25 2018 dns_dnsimple.sh
-rwxr-xr-x 1 root root 3662 Aug 25 2018 dns_do.sh
-rwxr-xr-x 1 root root 3823 Aug 25 2018 dns_dp.sh
-rw-r--r-- 1 root root 2186 Aug 25 2018 dns_dreamhost.sh
-rwxr-xr-x 1 root root 3624 Aug 25 2018 dns_duckdns.sh
-rw-r--r-- 1 root root 7990 Aug 25 2018 dns_dyn.sh
-rw-r--r-- 1 root root 5111 Aug 25 2018 dns_dynu.sh
-rw-r--r-- 1 root root 9441 Aug 25 2018 dns_euserv.sh
-rwxr-xr-x 1 root root 11595 Aug 25 2018 dns_freedns.sh
-rwxr-xr-x 1 root root 2915 Aug 25 2018 dns_gandi_livedns.sh
-rwxr-xr-x 1 root root 4180 Aug 25 2018 dns_gd.sh
-rwxr-xr-x 1 root root 6249 Aug 25 2018 dns_he.sh
-rw-r--r-- 1 root root 3331 Aug 25 2018 dns_infoblox.sh
-rwxr-xr-x 1 root root 8213 Aug 25 2018 dns_inwx.sh
-rwxr-xr-x 1 root root 6652 Aug 25 2018 dns_ispconfig.sh
-rw-r--r-- 1 root root 3382 Aug 25 2018 dns_kinghost.sh
-rw-r--r-- 1 root root 1991 Aug 25 2018 dns_knot.sh
-rwxr-xr-x 1 root root 2196 Aug 25 2018 dns_lexicon.sh
-rwxr-xr-x 1 root root 4703 Aug 25 2018 dns_linode.sh
-rw-r--r-- 1 root root 5536 Aug 25 2018 dns_loopia.sh
-rwxr-xr-x 1 root root 3984 Aug 25 2018 dns_lua.sh
-rw-r--r-- 1 root root 3924 Aug 25 2018 dns_me.sh
-rwxr-xr-x 1 root root 943 Aug 25 2018 dns_myapi.sh
-rwxr-xr-x 1 root root 4283 Aug 25 2018 dns_namecom.sh
-rwxr-xr-x 1 root root 3635 Aug 25 2018 dns_namesilo.sh
-rw-r--r-- 1 root root 3934 Aug 25 2018 dns_nsone.sh
-rwxr-xr-x 1 root root 1725 Aug 25 2018 dns_nsupdate.sh
-rwxr-xr-x 1 root root 7786 Aug 25 2018 dns_ovh.sh
-rwxr-xr-x 1 root root 5457 Aug 25 2018 dns_pdns.sh
-rw-r--r-- 1 root root 3712 Aug 25 2018 dns_selectel.sh
-rwxr-xr-x 1 root root 4476 Aug 25 2018 dns_servercow.sh
-rw-r--r-- 1 root root 1603 Aug 25 2018 dns_tele3.sh
-rw-r--r-- 1 root root 5231 Aug 25 2018 dns_unoeuro.sh
-rwxr-xr-x 1 root root 3722 Aug 25 2018 dns_vscale.sh
-rwxr-xr-x 1 root root 3270 Aug 25 2018 dns_yandex.sh
-rw-r--r-- 1 root root 3166 Aug 25 2018 dns_zilore.sh
-rw-r--r-- 1 root root 2130 Aug 25 2018 dns_zonomi.sh
-rw-r--r-- 1 root root 26069 Aug 25 2018 README.md

rg305 · August 31, 2021, 2:29am

Sorry I guess in the directory where acme.sh stores its' files.
Try:
grep -r v01 /root/.acme.sh/*/*.conf

gariac · August 31, 2021, 2:31am

Nothing to be sorry about. I'm thrilled this is being addressed so quickly, Seriously.

grep -r v01 /root/.acme.sh//.conf
/root/.acme.sh/inplanesight.org/inplanesight.org.conf:Le_LinkIssuer='https://acme-v01.api.letsencrypt.org/acme/issuer-cert'
/root/.acme.sh/lazygranch.com/lazygranch.com.conf:Le_LinkIssuer='https://acme-v01.api.letsencrypt.org/acme/issuer-cert'
sh-4.2#

rg305 · August 31, 2021, 2:33am

OK, I'm not an acme.sh guru or anything of the sorts...
But I would edit those two files and replace v01 with v02
It might make no difference at all - or who knows, it might.
Either way, I'm pretty sure it can't hurt.

EDIT: If that doesn't work, try upgrading to the latest version (3.0.1).

gariac · August 31, 2021, 3:06am

It worked kicking and screaming. Hard to explain. The first time I didn't know which verification method to use. I tried DNS and that didn't work. However the nginx verification worked. That was for lazygranch.com. When I tried it for inplanesight.org it hung. I got the nonce bug message and control-C out of it yet the cert got updated. Going back to to the conf files, there are three places I should have gone from v1 to v2.

Le_API='https://acme-v02.api.letsencrypt.org/directory'
Le_Keylength=''
Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/(buncha_numbers)'
Le_LinkIssuer='https://acme-v02.api.letsencrypt.org/acme/issuer-cert'

I can leave well enough alone since the new certs were issued or I can try to do a "force" option if you want. I'm leaning towards "it if ain't broke don't fix it."

rg305 · August 31, 2021, 3:15am

No good comes from using --force (99.99% of the times).

Me too...
But before we stick a fork in it:
What says?
/root/.acme.sh/acme.sh --list

gariac · August 31, 2021, 3:30am

I had gone to each website and checked with Chromium regarding the expiration dates. However:

sh-4.2# /root/.acme.sh/acme.sh --list
Main_Domain KeyLength SAN_Domains CA Created Renew
inplanesight.org "" no LetsEncrypt.org Tue Aug 31 00:42:46 UTC 2021 Sat Oct 30 00:42:46 UTC 2021
lazygranch.com "" no LetsEncrypt.org Tue Aug 31 00:43:27 UTC 2021 Sat Oct 30 00:43:27 UTC 2021
test.acme.sh "" no LetsEncrypt.org_test

rg305 · August 31, 2021, 3:30am

That looks good to me

gariac · August 31, 2021, 3:31am

OK. Again thanks a lot.

rg305 · August 31, 2021, 3:32am

[I ran out of likes, so I can't click them anymore for a few more hours]
Consider your thanks LIKED

Glad to have helped
Cheers from Miami

#FreeCUBA

system · September 30, 2021, 3:32am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.