ACMEv1 notice after upgrading Certbot

I’m hitting a similar problem. Honestly I’ve put off updating because I just became a parent when the first email arrived.

I’m running my server on GCP, and following the links from the email, it was unclear how to update. After struggling a bit to remember how this was all set up initially almost 2 years ago, last week I got my certbot package updated (I thought) to a version that would support the required changes. I did the apt-get update and the versions were bumped, so I thought that was it.

Now I’ve received another notice that my client is using acmev1 so I’m not sure what’s wrong. I know this is a community effort and there are a ton of configurations to try to support, so I’m sympathetic and not demanding anything. I do think it would help us all to use best practices if there were clearer guidance for checking/updating versions or validation of the results.

1 Like

Hello. I’ve moved your post to a new thread. Can you fill out the questionnaire below?

The most likely reasons might be:

  • Certbot is explicitly configured to use the ACMEv1 API. You can check the renewal configuration files with something like “grep acme-v01 /etc/letsencrypt/renewal/*.conf”. It can be set in other configuration files as well.

  • The newer version of Certbot you upgraded to is still too old. Current OSes are usually fine, but older ones might not have a new enough version packaged, or apt may have installed an older version due to some kind of issue.

  • Part of Certbot was upgraded and part of it wasn’t. Linux distros usually split parts of Certbot up into a few different packages. If some of them are out-of-date, it might work, but it obviously won’t act entirely like it’s up-to-date.

  • You may have totally solved the problem when you upgraded Certbot! But Let’s Encrypt might have sent the email based on their API logs from right before you upgraded it.


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

2 Likes

My domain is: netsecconsult.com

I ran this command: certbot-auto --version

It produced this output:

[ec2-user@www ~]$ ./certbot-auto --version
Requesting to rerun ./certbot-auto with root privileges...
Upgrading certbot-auto 1.4.0 to 1.5.0...
Replacing certbot-auto...
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in <module>
    from certbot.main import main
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/main.py", line 2, in <module>
    from certbot._internal import main as internal_main
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/_internal/main.py", line 10, in <module>
    import josepy as jose
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/__init__.py", line 41, in <module>
    from josepy.interfaces import JSONDeSerializable
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/interfaces.py", line 7, in <module>
    from josepy import errors, util
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/util.py", line 7, in <module>
    import OpenSSL
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import crypto, SSL
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/crypto.py", line 12, in <module>
    from cryptography import x509
ImportError: No module named cryptography
[ec2-user@www ~]$

My web server is (include version): Apache 2.2.34

[ec2-user@www ~]$ apachectl -V
Server version: Apache/2.2.34 (Unix)
Server built: Nov 1 2017 18:47:16
Server's Module Magic Number: 20051115:43
Server loaded: APR 1.5.2, APR-Util 1.5.4
Compiled using: APR 1.5.1, APR-Util 1.4.1
Architecture: 64-bit
Server MPM: Prefork
threaded: no
forked: yes (variable process count)
Server compiled with...
 -D APACHE_MPM_DIR="server/mpm/prefork"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=128
 -D HTTPD_ROOT="/etc/httpd"
 -D SUEXEC_BIN="/usr/sbin/suexec"
 -D DEFAULT_PIDLOG="run/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_LOCKFILE="logs/accept.lock"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"
[ec2-user@www ~]$

The operating system my web server runs on is (include version): Amazon Linux AMI, version 2018.03

[ec2-user@www ~]$ cat /etc/os-release
NAME="Amazon Linux AMI"
VERSION="2018.03"
ID="amzn"
ID_LIKE="rhel fedora"
VERSION_ID="2018.03"
PRETTY_NAME="Amazon Linux AMI 2018.03"
ANSI_COLOR="0;33"
CPE_NAME="cpe:/o:amazon:linux:2018.03:ga"
HOME_URL="http://aws.amazon.com/amazon-linux-ami/"
[ec2-user@www ~]$

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

unknown. It was running v1.4 before upgrade. The upgrade was to v1.5 but it looks like the upgrade did not take.

[ec2-user@www ~]$ sudo ./certbot-auto --version
Error: couldn't get currently installed version for /opt/eff.org/certbot/venv/bin/letsencrypt:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in <module>
    from certbot.main import main
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/main.py", line 2, in <module>
    from certbot._internal import main as internal_main
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/_internal/main.py", line 10, in <module>
    import josepy as jose
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/__init__.py", line 41, in <module>
    from josepy.interfaces import JSONDeSerializable
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/interfaces.py", line 7, in <module>
    from josepy import errors, util
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/util.py", line 7, in <module>
    import OpenSSL
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import crypto, SSL
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/crypto.py", line 12, in <module>
    from cryptography import x509
ImportError: No module named cryptography
[ec2-user@www ~]$

1 Like

Wait, are @goorpy and @intheclouds the same person? Or coworkers or something?

1 Like

Nope, we’re different people with no connection I’m aware of! I’m guessing they just chose to piggy back on this post :man_shrugging:

Thanks @mnordhoff for splitting this off – I wasn’t sure where or what to post to get more help.

Based on further reading since the unexpected email this week, I suspect the problem is the one where my updated Certbot is still too old. It was 0.25 and updated to 0.28, but I see latest is now 1.5, so I am far behind still. I checked my renewal config file and there is no explicit mention of acme-v01, though it does have a version = 0.25.0 line. Should I update that version now?

To answer your questionnaire:

My domain is: voistory.com

I ran this command & It produced this output:

$ sudo certbot --version
--> certbot 0.25.0
$ sudo apt-get update
--> usual messages but with some errors about signatures failing for google cloud repositories
$ sudo apt-get upgrade certbot
--> (Very long output here)
$ sudo certbot --version
--> certbot 0.28.0
$ systemctl list-timers
--> (... other timers...) Thu 2020-06-04 09:45:02 UTC  4h 6min left Wed 2020-06-03 23:47:26 UTC  5h 50min ago certbot.timer                certbot.service

My web server is (include version): nginx version: nginx/1.10.3

The operating system my web server runs on is (include version): Linux 4.9.0-6-amd64 / Debian 4.9.88-1+deb9u1

My hosting provider, if applicable, is: Google Cloud

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.28.0

Thanks again for taking a look, Matt!

1 Like

That makes it seem like it did upgrade...

Do you still get a "mess" when you try to upgrade?:

1 Like

0.28.0 isn’t the newest, but it’s new enough. I think the minimum working version would be 0.27.0. So it barely clears the hurdle. :smile:

If you just run “sudo apt-get upgrade” instead of “sudo apt-get upgrade certbot”, are there other things that need to be upgraded?

Or if you run “apt list --upgradeable”, is there anything with “certbot” or “acme” in the name that needs to be upgraded?

1 Like
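The checks suggested in the replies above, collected into one script as an added example (not code from the thread or from the Certbot project). It assumes the default /etc/letsencrypt layout and uses the 0.27.0 threshold that the reply gives as an estimate; the function names are hypothetical.

```sh
# Added example, not from the thread: check the ACMEv1 causes listed above.
# MIN_VERSION is the 0.27.0 figure guessed in the reply, not an official value.
MIN_VERSION=${MIN_VERSION:-0.27.0}
# Print config files under $1 whose active "server" setting names acme-v01.
find_acmev1_configs() {
    dir=${1:-/etc/letsencrypt}
    for f in "$dir"/cli.ini "$dir"/renewal/*.conf; do
        [ -f "$f" ] || continue
        grep -Eq '^[[:space:]]*server[[:space:]]*=.*acme-v01' "$f" && printf '%s\n' "$f"
    done
    return 0
}

# Extract "0.28.0" from a "certbot 0.28.0" line on stdin.
parse_certbot_version() {
    sed -n 's/^certbot \([0-9][0-9.]*\).*/\1/p'
}

# Succeed when dotted version $1 >= $2, comparing fields numerically.
version_at_least() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# From "apt list --upgradeable" output on stdin, print pending Certbot parts.
pending_certbot_pkgs() {
    awk -F/ 'NF > 1 && $1 ~ /certbot|acme/ { print $1 }'
}

audit_host() {
    ver=$(certbot --version 2>&1 | parse_certbot_version)
    if version_at_least "${ver:-0}" "$MIN_VERSION"; then
        echo "certbot $ver meets the $MIN_VERSION threshold"
    else
        echo "certbot ${ver:-unknown} not confirmed >= $MIN_VERSION"
    fi
    find_acmev1_configs /etc/letsencrypt | sed 's/^/ACMEv1 server set in: /'
    if command -v apt >/dev/null 2>&1; then
        apt list --upgradeable 2>/dev/null | pending_certbot_pkgs | sed 's/^/pending upgrade: /'
    fi
}

if command -v certbot >/dev/null 2>&1; then audit_host; fi
```

A version that cannot be read at all, as with a traceback instead of a version string, is reported as unknown rather than treated as passing.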

Matt:

I did answer this question in the prior e-mail you sent, but with the other people on this thread just wanted to confirm that my Linux VM was running certbot v1.4 before upgrade. The upgrade was to v1.5 but it looks like the upgrade did not take.

Output is below:

[ec2-user@www ~]$ sudo ./certbot-auto --version
Error: couldn't get currently installed version for /opt/eff.org/certbot/venv/bin/letsencrypt:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in <module>
    from certbot.main import main
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/main.py", line 2, in <module>
    from certbot._internal import main as internal_main
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/_internal/main.py", line 10, in <module>
    import josepy as jose
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/__init__.py", line 41, in <module>
    from josepy.interfaces import JSONDeSerializable
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/interfaces.py", line 7, in <module>
    from josepy import errors, util
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/util.py", line 7, in <module>
    import OpenSSL
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import crypto, SSL
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/crypto.py", line 12, in <module>
    from cryptography import x509
ImportError: No module named cryptography

1 Like

Do you still get a “mess” when you try to upgrade?:

No @rg305 - with certbot there I get no actual installs/changes:

$ sudo apt-get upgrade certbot
--> ... certbot is already the newest version (0.28.0-1~deb9u2). ...

@mnordhoff :relieved: hah, alright, so this might actually pass for now.

I don't get much when I run the listing command, just base OS versions as far as I can tell:

$ apt list --upgradeable -a
--> Listing... Done
linux-image-amd64/stretch-backports,stretch-backports 4.19+105+deb10u3~bpo9+1 amd64
linux-image-amd64/oldstable 4.9+80+deb9u10 amd64 [upgradable from: 4.9+80+deb9u4]
linux-image-amd64/oldstable 4.9+80+deb9u6 amd64
linux-image-amd64/now 4.9+80+deb9u4 amd64 [installed,upgradable to: 4.9+80+deb9u10]

1 Like

[ec2-user@www ~]$ ./certbot-auto --version
Requesting to rerun ./certbot-auto with root privileges...
Upgrading certbot-auto 1.4.0 to 1.5.0...
Replacing certbot-auto...
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in <module>
    from certbot.main import main
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/main.py", line 2, in <module>
    from certbot._internal import main as internal_main
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/_internal/main.py", line 10, in <module>
    import josepy as jose
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/__init__.py", line 41, in <module>
    from josepy.interfaces import JSONDeSerializable
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/interfaces.py", line 7, in <module>
    from josepy import errors, util
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/util.py", line 7, in <module>
    import OpenSSL
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import crypto, SSL
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/crypto.py", line 12, in <module>
    from cryptography import x509
ImportError: No module named cryptography
[ec2-user@www ~]$

1 Like

Before this topic gets finished I just wanted to congratulate you on becoming a new parent. :smiley:

2 Likes

So it never actually upgrades…

1 Like

Thanks @JimPas ! It’s been a whirlwind six months, and a rapid correction of priorities away from my own personal code projects :joy:

3 Likes

Closing the loop here, I haven’t received another notice about this, so I suspect (but cannot prove) that the notice I got after updating certbot was triggered by a cert refresh that happened slightly before I updated. I think I’m OK for now, then.

Thanks for the help everybody!

2 Likes
