ACMEv1 to ACMEv2

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
jlbell.boldlygoingnowhere.org
I ran this command:

I am totally lost in trying to make the change to ACMEv2. I don’t understand the terminology and am unfamiliar with the entire topic. Please show me a step by step process to accomplish this. I am a person of reasonable intelligence but am unfamiliar with the world of internet security.

My web server is (include version):

The operating system my web server runs on is (include version):
W10
My hosting provider, if applicable, is:
Self-hosted
I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

1 Like

Hi @bigdud

Please check the documentation of your unknown client to see if ACME-v1 or v2 is used.

Windows 10? Not Windows Server, but Windows 10?

Yes, I host my website on my own server running W10

Did you install IIS or WAMP server to host your site?

I use the facilities of IIS to run my website.
In the interest of minimizing the number of transactions between us, let me say that the website has been in use for over a year, and my purpose in posting a question in this forum was to comply with the upgrade to ACMEv2. I’m looking for a step by step procedure to accomplish this.

We can’t really answer that without more information.

What ACME client are you using? In other words, what software are you using to issue Let’s Encrypt certificates?

If your client is still being maintained, all you probably have to do is upgrade to the newest version.

1 Like

Sorry…How do I determine what client I’m using? All I did was to use the LetsEncrypt BAT command via a Windows command prompt. I must be missing something here; I apologize for my ignorance of the subject.

I believe if you point out where you got that “bat” file in the first place or show its content, it might help.

This link covers most of the help I had getting set up:

Here’s the BAT file:
[INFO] A Simple ACME Client for Windows (WACS)
[INFO] Software version 1912.2.6907.35819 (RELEASE)
[INFO] IIS version 10.0
[INFO] ACME server https://acme-v01.api.letsencrypt.org/
[INFO] Please report issues at https://github.com/PKISharp/win-acme

N: Create new certificate
M: Create new certificate with advanced options
L: List scheduled renewals
R: Renew scheduled
S: Renew specific
A: Renew all
V: Revoke certificate
C: Cancel scheduled renewal
X: Cancel all scheduled renewals
T: (Re)create scheduled task
Q: Quit

Please choose from the menu:

Oof. I’m not as familiar with IIS & WACS. Not sure if it’s as simple as changing the ACME server source or if you have to upgrade to a new client altogether.

EDIT:
WACS website. v2.1.4 is the latest & uses ACMEv2
https://www.win-acme.com/

I will give one of my best cigars and a cold Lagunitas IPA to anyone who can tell me a simple-minded, step-by-step, idiot-level explanation of how to upgrade my website to comply with the ACMEv2 level mentioned in this email I received recently:

According to our records, the software client you’re using to get Let’s
Encrypt TLS/SSL certificates issued or renewed at least one HTTPS certificate
in the past two weeks using the ACMEv1 protocol. Your client’s IP address was:

2601:643:104:4230:5122:6e3e:4803:bf9b

Beginning June 1, 2020, we will stop allowing new domains to validate using
the ACMEv1 protocol. You should upgrade to an ACMEv2 compatible client before
then, or certificate issuance will fail. For most people, simply upgrading to
the latest version of your existing client will suffice. You can view the
client list at: https://letsencrypt.org/docs/client-options/

If you’re unsure how your certificate is managed, get in touch with the
person who installed the certificate for you. If you don’t know who to
contact, please view the help section in our community forum at
https://community.letsencrypt.org/c/help and use the search bar to check if
there’s an existing solution for your question. If there isn’t, please create
a new topic and fill out the help template.

ACMEv1 API deprecation details can be found in our community forum:
https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1

As a reminder: In the future, Let’s Encrypt will be performing multiple
domain validation requests for each domain name when you issue a certificate.
While you’re working on migrating to ACMEv2, please check that your system
configuration will not block validation requests made by new Let’s Encrypt IP
addresses, or block multiple matching requests. Per our FAQ
(https://letsencrypt.org/docs/faq/), we don’t publish a list of IP addresses
we use to validate, and this list may change at any time.

To receive more frequent updates, subscribe to our API Announcements:
https://community.letsencrypt.org/t/about-the-api-announcements-category

Thank you for joining us on our mission to create a more secure and privacy-
respecting Web!

All the best,

Let’s Encrypt

Based on the output you shared, it sounds like you first set up your website using Windows ACME Simple (WACS), which is also known as win-acme. At the time you first installed, that software did not support ACMEv2, but the latest version does support ACMEv2. So you need to install an updated version.

Try following the instructions at https://www.win-acme.com/manual/getting-started as if you were setting up your website from scratch. Let us know how that goes.

3 Likes
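An added example, not part of the thread and not win-acme's own code: a small Python check that reads a client's startup banner, as pasted above, and reports which ACME protocol it is configured for. It also classifies an ACME directory document by its resource names (ACMEv2 uses the RFC 8555 names; ACMEv1 used the older hyphenated ones). The function names and the `example.test` directory URLs are assumptions made for illustration.

```python
import re

# Let's Encrypt production hosts exactly as they appear in the banners in this thread.
ENDPOINTS = {
    "acme-v01.api.letsencrypt.org": "ACMEv1",
    "acme-v02.api.letsencrypt.org": "ACMEv2",
}
V2_KEYS = {"newNonce", "newAccount", "newOrder"}   # RFC 8555 directory resources
V1_KEYS = {"new-reg", "new-authz", "new-cert"}     # pre-standard ACMEv1 resources

SERVER_LINE = re.compile(r"ACME server\s+https://([^/\s]+)", re.I)
VERSION_LINE = re.compile(r"Software version\s+(\S+)", re.I)

# Banner lines copied from the two posts in this thread.
OLD_BANNER = """[INFO] A Simple ACME Client for Windows (WACS)
[INFO] Software version 1912.2.6907.35819 (RELEASE)
[INFO] ACME server https://acme-v01.api.letsencrypt.org/"""
NEW_BANNER = """A simple Windows ACMEv2 client (WACS)
Software version 2.1.4.710 (RELEASE, PLUGGABLE)
ACME server https://acme-v02.api.letsencrypt.org/"""

# Constructed directory documents (URLs are placeholders, not real endpoints).
V1_DIR = {"new-reg": "https://example.test/acme/new-reg",
          "new-authz": "https://example.test/acme/new-authz",
          "new-cert": "https://example.test/acme/new-cert"}
V2_DIR = {"newNonce": "https://example.test/acme/new-nonce",
          "newAccount": "https://example.test/acme/new-acct",
          "newOrder": "https://example.test/acme/new-order"}


def classify_banner(text):
    """Return (client_version, protocol) parsed from a client's startup banner."""
    server = SERVER_LINE.search(text)
    version = VERSION_LINE.search(text)
    host = server.group(1).lower() if server else None
    return (version.group(1) if version else None, ENDPOINTS.get(host, "unknown"))


def classify_directory(directory):
    """Classify a parsed ACME directory JSON object by its resource names."""
    keys = set(directory)
    if V2_KEYS <= keys:
        return "ACMEv2"
    return "ACMEv1" if keys & V1_KEYS else "unknown"


if __name__ == "__main__":
    for banner in (OLD_BANNER, NEW_BANNER):
        print(classify_banner(banner))
    print(classify_directory(V1_DIR), classify_directory(V2_DIR))
```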

OK…followed jsha’s advice and here’s what I got. Kinda looks OK but please let me know if it does to you…

A simple Windows ACMEv2 client (WACS)
Software version 2.1.4.710 (RELEASE, PLUGGABLE)
ACME server https://acme-v02.api.letsencrypt.org/
IIS version 10.0
Running with administrator credentials
Scheduled task looks healthy
Please report issues at https://github.com/PKISharp/win-acme

N: Create new certificate (simple for IIS)
M: Create new certificate (full options)
R: Run scheduled renewals (0 currently due)
A: Manage renewals (1 total)
O: More options…
Q: Quit

Please choose from the menu: n

Running in mode: Interactive, Simple

Please select which website(s) should be scanned for host names. You may
input one or more site identifiers (comma separated) to filter by those
sites, or alternatively leave the input empty to scan all websites.

1: My Website (1 binding)

Site identifier(s) or to choose all:

1: jlbell.boldlygoingnowhere.org (Site 1)

You may either choose to include all listed bindings as host names in your
certificate, or apply an additional filter. Different types of filters are
available.

1: Pick specific bindings from the list
2: Pick bindings based on a search pattern
3: Pick all bindings

How do you want to pick the bindings?: 3

1: jlbell.boldlygoingnowhere.org (Site 1)

Continue with this selection? (y*/n) -

Target generated using plugin IIS: jlbell.boldlygoingnowhere.org
Authorize identifier: jlbell.boldlygoingnowhere.org
Cached authorization result: valid
Requesting certificate [IIS] (any site), (any host)
Store with CertificateStore…
Installing certificate in the certificate store
Adding certificate [IIS] (any site), (any host) @ 2020/2/11 15:50:51 to store WebHosting
Installing with IIS…
Updating existing https binding jlbell.boldlygoingnowhere.org:443 (flags: 1)
Committing 1 https binding changes to IIS
Scheduled task looks healthy
Adding renewal for [IIS] (any site), (any host)
Next renewal scheduled at 2020/4/6 16:51:02

N: Create new certificate (simple for IIS)
M: Create new certificate (full options)
R: Run scheduled renewals (0 currently due)
A: Manage renewals (2 total)
O: More options…
Q: Quit

Please choose from the menu: Q

Great job! The HTTPS on your site is working fine, and the certificate is newly issued. Looks like you got everything just right.

1 Like

To all who helped me get thru this furshlugginer challenge: domo arigato-muchas gracias- multi grazie-dankashoen-etcetera etcetera-ad infinitum-ad nauseum-thank you all for helping out. I’m very grateful for your help!

1 Like
