Action required: New feature and your Let's Encrypt integration

Hi,

I received the following email. Could you please let me know how I can test this or verify if my server had any issues related to this? Kindly update if any changes need to be made on my CentOS and Ubuntu servers.

Starting Feb. 19, 2020, Let's Encrypt began making multiple domain validation
requests from diverse network vantage points. More info here:

We are excited to be able to turn on this feature with little to no
interference with your integration. We expect this feature to affect less than
1% of all domain validations from the Let's Encrypt certificate authority.
That's better security, by default, for you and your customers.

Your ACME account ID may have some errors and failed validations
due to the multiple vantage point validation feature. We suggest you monitor
your implementation when the feature is turned on and make any fixes necessary.

In case you're having trouble locating your affected system(s): your ACME
account recently requested a certificate on 2019-12-31 2020-01-21 for:
$example.com

The best way to test compatibility for this feature is to perform test
issuances in our staging environment where the new requirement is already
enabled: Staging Environment - Let's Encrypt

Exception:

If you need extra time to work on getting your integration ready for multiple
vantage point validation, we will have an exception list available through June
1, 2020: https://forms.gle/9QN7dxALJVAoRjMKA

This exception list is temporary. After June 1, 2020, you will be using the
multiple vantage point feature and may experience increased domain validation
failure rates unless you take action to ensure compatibility.

Getting Help:

Our expert community, including Let's Encrypt staff and many client developers,
monitor our community forum and are available to help if you get stuck.
https://community.letsencrypt.org/

The best way to keep up-to-date on this new feature (and all API-related Let's
Encrypt announcements) is to subscribe to our API announcements by clicking the
bell in the top right corner of this page:
API Announcements - Let's Encrypt Community Support

Hi @connaxisadmin

Please answer all of the following questions:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

The action is client specific. So check the log and the configuration files of your client.

My domain is: www.flat.sebdelaweb.com

I ran this command: I didn't run any command

It produced this output: Nill

My web server is (include version): nginx 1.16

The operating system my web server runs on is (include version): CentOS Linux release 7.7.1908 (Core)

My hosting provider, if applicable, is: Nill

I can login to a root shell on my machine (yes or no, or I don’t know): Yes, root access is there

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No control panel is used

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot --version

certbot 1.0.0

Then check your config files and your log for an acme-v01.api.letsencrypt.org string.

Config files -> change it to acme-v02.api.letsencrypt.org.

Hope you don’t use the --server option with 01.
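The check described above, as an added example that is not from any poster in this thread: it inspects certbot's per-certificate renewal configuration files (assumed to live under /etc/letsencrypt/renewal/*.conf, which is where the live `server =` setting is stored rather than in the certbot source tree) and reports or rewrites any that still point at the ACMEv1 directory URL. The directory path and the sample config contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: find certbot renewal configs that still use the ACMEv1 endpoint.
# Certbot keeps one INI-style file per certificate under /etc/letsencrypt/renewal/
# with a "server = https://..." line under [renewalparams]. The default path below
# is an assumption; pass a different directory as the first argument.

# find_v01_configs DIR -> prints "file: server-url" for each config that points
# at acme-v01.api.letsencrypt.org; returns 0 if none were found, 1 otherwise.
find_v01_configs() {
    dir="${1:-/etc/letsencrypt/renewal}"
    found=0
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        # Pull the value of the "server" key, tolerating surrounding whitespace.
        server=$(sed -n 's/^[[:space:]]*server[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
        case "$server" in
            *acme-v01.api.letsencrypt.org*)
                printf '%s: %s\n' "$conf" "$server"
                found=1
                ;;
        esac
    done
    return $found
}

# migrate_v01_to_v02 DIR -> rewrites the v01 hostname to v02 in place,
# keeping a .bak copy of every file it changes.
migrate_v01_to_v02() {
    dir="${1:-/etc/letsencrypt/renewal}"
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        if grep -q 'acme-v01.api.letsencrypt.org' "$conf"; then
            sed -i.bak 's#acme-v01\.api\.letsencrypt\.org#acme-v02.api.letsencrypt.org#g' "$conf"
            echo "updated $conf (backup at $conf.bak)"
        fi
    done
}

# Constructed sample: two renewal configs in a temporary directory, one stale.
demo_dir=$(mktemp -d)
printf 'version = 1.2.0\n[renewalparams]\nserver = https://acme-v01.api.letsencrypt.org/directory\n' > "$demo_dir/old.example.com.conf"
printf 'version = 1.2.0\n[renewalparams]\nserver = https://acme-v02.api.letsencrypt.org/directory\n' > "$demo_dir/new.example.com.conf"
find_v01_configs "$demo_dir" || echo "at least one config still uses ACMEv1"
```

After migrating, a `letsencrypt-auto renew --dry-run` against the staging environment exercises the new endpoint without issuing real certificates.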

These are the results that I found:

#grep -r "acme-v01.api.letsencrypt.org" /opt/letsencrypt/

certbot/tests/storage_test.py: rp["server"] = "https://acme-v01.api.letsencrypt.org/directory"
certbot/constants.py: server="https://acme-v01.api.letsencrypt.org/directory",

grep -r "acme-v02.api.letsencrypt.org" /opt/letsencrypt/

certbot/tests/storage_test.py: rp["server"] = "https://acme-v02.api.letsencrypt.org/directory"

What should I do about this?

I am renewing my SSL sites using the following command:

/opt/letsencrypt/letsencrypt-auto renew --renew-hook "/usr/bin/systemctl reload nginx"

/opt/letsencrypt/letsencrypt-auto --version

certbot 1.2.0

@JuergenAuer I think you’re confusing two different notifications here. There are notifications going out warning users if they are still using the ACMEv1 API for renewals; there are also notifications going out warning users if their recent renewals would have failed the multi-perspective validation process. This is a new process which is separate from the ACMEv1/ACMEv2 issue and is an independent reason that a user’s future renewals could fail.

In this case, @connaxisadmin received the other warning. This could be related to slow DNS updates, or to a firewall that blocks incoming connections from certain IP addresses (like whitelisting an old validation IP address and blocking other port 80 connections, or something).

If you run “/opt/letsencrypt/letsencrypt-auto renew --dry-run”, is it successful? What does it output?
