Acme v02 upgrade from v01

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
sh acme.sh to get a new cert prior to expirey (its not crond)

It produced this output:
new-authz error: {“type”:“urn:acme:error:unauthorized”,“detail”:“Error creating new authz :: Validations for new domains are disabled in the V1 API (End of Life Plan for ACMEv1)”,“status”: 403}
[Sun 16 Aug 2020 11:08:56 AEST] Please add ‘–debug’ or ‘–log’ to check more details.
[Sun 16 Aug 2020 11:08:56 AEST] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh

My web server is (include version):

The operating system my web server runs on is (include version):
osx 10.11
My hosting provider, if applicable, is:
Cloudflare
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
acme.sh version 2.8.7

Question is how do i upgrade my api to v02 ?
currently it v01 and wont let me renew a cert due for renewal in 5 days

bash-3.2# pwd
/Users/user/.acme.sh/ca/acme-v01.api.letsencrypt.org

/Users/user/.acme.sh/acme.sh --version
v2.8.7

bash-3.2# curl --version
curl 7.43.0 (x86_64-apple-darwin15.0) libcurl/7.43.0 SecureTransport zlib/1.2.5
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz UnixSockets

You will want to tell acme.sh to use an ACMEv2 server instead of the old ACMEv1 server.

First of all, make sure you are on the latest version:

acme.sh --upgrade

Next, you’ll want to register an account with the ACME v2 server (more details at https://github.com/acmesh-official/acme.sh/wiki/Server):

acme.sh --register-account --server letsencrypt

You’ll want to make it your default:

acme.sh --set-default-ca --server letsencrypt

and then try your renewal again:

acme.sh --cron

But account was already created and Certs exist from previous ? Does this not get migrated to new api ?

It’s a question of how acme.sh treats different ACME accounts.

If you follow those instructions, your future renewals will be done on your ACMEv2 account instead of your old ACMEv1 one.

I go through the process you document and its the same result however now the acme-v02 directory has been created

bash-3.2# ls
acme-v01.api.letsencrypt.org acme-v02.api.letsencrypt.org
permissions are correct

i run a multidomain sh script not cron and the result below :

un 16 Aug 2020 18:12:33 AEST] Getting domain auth token for each domain
[Sun 16 Aug 2020 18:12:33 AEST] Getting webroot for domain=‘domain.com’
[Sun 16 Aug 2020 18:12:33 AEST] Getting new-authz for domain=‘domain.com’
[Sun 16 Aug 2020 18:12:36 AEST] The new-authz request is ok.
[Sun 16 Aug 2020 18:12:36 AEST] new-authz error: {“type”:“urn:acme:error:unauthorized”,“detail”:“Error creating new authz :: Validations for new domains are disabled in the V1 API (End of Life Plan for ACMEv1)”,“status”: 403}
[Sun 16 Aug 2020 18:12:36 AEST] Please add ‘–debug’ or ‘–log’ to check more details.
[Sun 16 Aug 2020 18:12:36 AEST] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh

Hmm. That’s weird, it worked when I tried it.

The other thing you could do is check ~/.acme.sh/example.com/example.com.conf. There might be a line like:

Le_API='https://acme-v01.api.letsencrypt.org/directory'

Perhaps you can try change it and try again.

nothign there! this is using cloudflare API not port 80 …

the two ca.conf in both directories have different account details also ?
.acme.sh/ca/acme-v01.api.letsencrypt.org acme-v02.api.letsencrypt.org

ACCOUNT_URL='https://acme-v02.api.letsencrypt.org/acme/acct/
ACCOUNT_URL='https://acme-v01.api.letsencrypt.org/acme/reg/

That's fine.

What do you mean? The value is empty? Or the file doesn't exist?

I'm not really sure what we're missing here. The latest version of acme.sh is supposed to automatically upgrade from ACMEv1 to ACMEv2 anyway. And, supposedly, you are using the latest version.

Maybe you can try force ACMEv2 this way:

acme.sh --renew -d example.com --server letsencrypt

the account.conf has set
DEFAULT_ACME_SERVER=‘https://acme-v02.api.letsencrypt.org/directory’

Sorry i found the conf you mentioned and it has multiple referencess to the old api in it :

Le_Webroot=‘dns_cf,dns_cf,dns_cf,dns_cf,dns_cf,dns_cf,dns_cf,dns_cf,dns_cf’

Le_PreHook=’’

Le_PostHook=’’

Le_RenewHook=’’

Le_API=‘https://acme-v01.api.letsencrypt.org/directory’

Le_Keylength=’’

Le_LinkCert=‘https://acme-v01.api.letsencrypt.org/acme/cert/obfuscatednumber’

Le_LinkIssuer='https://acme-v01.api.letsencrypt.org/acme/issuer-cert

Remove them or edit ? or edit/remove just the single one you mention ?

I’d try the --renew command from my most recent post first.

If that doesn’t work, then you could try modify Le_API.

i use a script for multiple domain names,

original :~/acme.sh/acme.sh --issue -d sub.domain1.com --dns dns_cf -d sub1.domain1.com --dns dns_cf -d sub1.domain2.com --dns dns_cf -d webmail.domain1.com–dns dns_cf -d webmail.domain2.com --dns dns_cf -d webmail.domain2.com --dns dns_cf -d autodiscover.domain1.com --dns dns_cf -d autodiscover.domain2.com --dns dns_cf -d autodiscover.domain2.com–dns dns_cf --force

can i just change to issue to renew ?

:~/acme.sh/acme.sh --renew -d sub.domain1.com --dns dns_cf -d sub1.domain1.com --dns dns_cf -d sub1.domain2.com --dns dns_cf -d webmail.domain1.com–dns dns_cf -d webmail.domain2.com --dns dns_cf -d webmail.domain2.com --dns dns_cf -d autodiscover.domain1.com --dns dns_cf -d autodiscover.domain2.com --dns dns_cf -d autodiscover.domain2.com–dns dns_cf --force --server letsencrypt

I don’t think you need to provide the full details like that.

Have a look at your list of existing certificates:

acme.sh --list

You will see something like:

# acme.sh --list
Main_Domain                      KeyLength  SAN_Domains               Created                          Renew
example.com                      "ec-256"   no                        Fri Jul  3 14:07:11 UTC 2020     Tue Sep  1 14:07:11 UTC 2020

So, the “Main Domain” is example.com.

To renew it with the ACMEv2 server, you can just specify the that, without any other details:

acme.sh --renew -d example.com --server letsencrypt

Thats good to know but the script does other things it stops kerio mail server and copies the keys over ....
When i do the --list at the end of the line it states :https://acme-v01.api.letsencrypt.org/directory Sat 23 May 2020 01:15:17 UTC Wed 22 Jul 2020 01:15:17 UTC

I understand.

--renew remembers that it needs to do all of the install/deploy steps, from the first time you did this. It does this by looking in the .conf file. All those steps are in there as a base64-encoded string.

So you don't need to tell it to do it again. You just need to tell it to change --server.

--renew -d mail.example.com --server letsencrypt
the main domain CAN be a subdomain right ? mail.example.com bc the main example.com is covered by a cloudflare SSL

The “Main Domain” is just the identifier of the existing certificate you are renewing (whatever it says in --list).

The certificate will be exactly the same as it has always been.

Solid Advice, it worked exactly as you suggested, thankyou for you time and patience _az very appreciated.
Could i just then cron that exact command every 60 days ?