Action required: Let's Encrypt client problem - acmetool

I’m using acmetool 0.67 as the client, and I see it is still listed in https://letsencrypt.org/docs/client-options/

Today I received the following email:

Hello,

Action is strongly recommended to prevent problems with your Let’s Encrypt
certificate renewals.

A client you have used to access the Let’s Encrypt API in the past 60 days has
identified itself (its “user agent”) as “Go-http-client”. This is a generic
name for the underlying library that the client uses, which does not give us
enough information to track and resolve problems with the client or clients.

Within the past 60 days, our /new-reg API endpoint received about 707
requests from the IP address (an IPv6 address).

We’ve found that in most cases, the client is an older version of kube-lego or
cert-manager. We’ve worked with Jetstack, the maintainer, to release an update
to each of those packages. If you are using either, we recommend upgrading to
the latest version of cert-manager.

We would like to help fix clients that send our API many requests that will
never complete successfully. It’s possible that in the future, we may need to
block these clients in order to protect our resources. By fixing or upgrading
your client, you can help avoid problems with your certificate renewals.

A list of clients is available here:
https://letsencrypt.org/docs/client-options/

If you need help, please search our forum to see if your question has been
answered, then open a new thread if it has not:
https://community.letsencrypt.org/

Thank you,
Let’s Encrypt Staff

The client is not kube-lego or cert-manager, so I’d like to let the sender know that I use acmetool , and to try to understand if I should change client (as an upgrade doesn’t exists) or what else.

The email sender is a noreply, so I hope a post here can reach the right people.

Here you can see other acmetool users sharing the reception of the same email:

1 Like

Hi @bago

please read

That’s the same problem.

1 Like

As a fellow acmetool user, I’d suggest slowly changing to another client.

It looks increasingly unlikely that the author is going to rescue it before the ACME v1 switch-off happens.

1 Like

I’m using Acme.sh, too, but I still have acmetool on legacy systems, so I’d like to understand how long I can “live” with acmetool and if/when I will be forced to switch to acme.sh the legacy deployments.

I’m not sure I understand: if the problem is ONLY the useragent I could tweak acmetool on my own and make sure it uses an useragent. But if the problem is in the number of requests, then I’d waste my time doing the patch.

From the email content I cannot tell if fixing the user-agent could be all I need, or if the issue are the “many requests that will never complete successfully”: do you have more info/details about this?

I’ve checked acmetool sourcecode and it sounds like it is declaring a complete user-agent:

“acmetool acmeapi Go-http-client/1.1 linux/amd64”

I don’t use / know that client. And I didn’t only read the other topic, so I’ve added a link.

1 Like

in its current state acmetool will be completely broken when ACME v1 is deprecated.

I suspect users of acmetool were mistakenly included in this email batch. @ezekiel can you confirm this?

2 Likes

Yes, confirmed. Requests from acmetool are using a unique UserAgent and were only mistakenly included in the Go-http-client-focused email batch. Sorry for the confusion!

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.