Cannot upgrade from ACMEv1 to ACMEv2 protocol

I received this email:

Hi,

According to our records, the software client you’re using to get Let’s
Encrypt TLS/SSL certificates issued or renewed at least one HTTPS certificate
in the past two weeks using the ACMEv1 protocol. Here are the details of one
recent ACMEv1 request from each of your account(s):

Client IP address: 82.223.19.128

User agent: CertbotACMEClient/0.31.0 (certbot; Ubuntu 16.04.6 LTS) Authenticator/webroot Installer/None (renew; flags: n) Py/3.5.2

Hostname(s): “lithotherapie.net”, “www.lithotherapie.net”, “www.yogadebutant.com”, “yogadebutant.com”

Request time: 2020-04-13 02:37:33 UTC

Beginning June 1, 2020, we will stop allowing new domains to validate using
the ACMEv1 protocol. You should upgrade to an ACMEv2 compatible client before
then, or certificate issuance will fail. For most people, simply upgrading to
the latest version of your existing client will suffice. You can view the
client list at: https://letsencrypt.org/docs/client-options/

If you’re unsure how your certificate is managed, get in touch with the
person who installed the certificate for you. If you don’t know who to
contact, please view the help section in our community forum at
https://community.letsencrypt.org/c/help and use the search bar to check if
there’s an existing solution for your question. If there isn’t, please create
a new topic and fill out the help template.

ACMEv1 API deprecation details can be found in our community forum:
https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1

As a reminder: In the future, Let’s Encrypt will be performing multiple
domain validation requests for each domain name when you issue a certificate.
While you’re working on migrating to ACMEv2, please check that your system
configuration will not block validation requests made by new Let’s Encrypt IP
addresses, or block multiple matching requests. Per our FAQ
(https://letsencrypt.org/docs/faq/), we don’t publish a list of IP addresses
we use to validate, and this list may change at any time.

To receive more frequent updates, subscribe to our API Announcements:
https://community.letsencrypt.org/t/about-the-api-announcements-category

Thank you for joining us on our mission to create a more secure and privacy-
respecting Web!

All the best,

Let’s Encrypt

I tried to follow the instructions there: https://certbot.eff.org/lets-encrypt/ubuntuxenial-nginx

But when I run sudo certbot --nginx (I choose option 2: renew and replace certificate) I get this:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: lithotherapie.net
2: www.lithotherapie.net
3: yogadebutant.com
4: www.yogadebutant.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/www.yogadebutant.com.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/lithotherapie.net
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/lithotherapie.net
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/yogadebutant.com
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/yogadebutant.com
nginx: [emerg] "ssl_certificate" directive is duplicate in /etc/nginx/sites-enabled/lithotherapie.net:15
Rolling back to previous server configuration...
nginx: [warn] conflicting server name "lithotherapie.net" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "www.lithotherapie.net" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "lithotherapie.net" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "www.lithotherapie.net" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "lithotherapie.net" on [::]:443, ignored
nginx: [warn] conflicting server name "www.lithotherapie.net" on [::]:443, ignored
nginx restart failed:
b''
b''

IMPORTANT NOTES:
 - We were unable to install your certificate, however, we
   successfully restored your server to its prior configuration.
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.yogadebutant.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.yogadebutant.com/privkey.pem
   Your cert will expire on 2020-08-16. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"

My Nginx config files look like this:

# HTTP: every name redirects to the canonical HTTPS host
server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name lithotherapie.net www.lithotherapie.net;
        return 301 https://www.lithotherapie.net$request_uri;
}
# HTTPS on the bare domain: redirect to www
server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name lithotherapie.net;
        include snippets/ssl-lithotherapie.net.conf;
        include snippets/ssl-params.conf;
        return 301 https://www.lithotherapie.net$request_uri;
}

# HTTPS on www: the site itself
server {
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;
        include snippets/ssl-lithotherapie.net.conf;
        include snippets/ssl-params.conf;
        server_name www.lithotherapie.net;

        root /var/www/lithotherapie.net/public_html;
        index index.php index.html;

        # ACME HTTP-01 challenge files must stay reachable
        location ~ /\.well-known {
                allow all;
        }

        location / {
                try_files $uri $uri/ /index.php?$args;
        }
        location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                include fastcgi_params;
                fastcgi_pass unix:/run/php/php7.0-fpm.sock;
                fastcgi_param SCRIPT_FILENAME /var/www/lithotherapie.net/public_html$fastcgi_script_name;
        }
        # static assets: long cache lifetime, no logging (dot escaped so only real extensions match)
        location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
                expires max;
                log_not_found off;
                access_log off;
        }
}

And the second one:

# HTTP: redirect to HTTPS ($server_name expands to the first name, yogadebutant.com)
server {
        listen 80;
        listen [::]:80;
        server_name yogadebutant.com www.yogadebutant.com;
        return 301 https://$server_name$request_uri;

        root /var/www/yogadebutant.com/public_html;
        index index.php index.html;

        location ~ /\.well-known {
                allow all;
        }

        location / {
                try_files $uri $uri/ /index.php?$args;
        }
        location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                include fastcgi_params;
                fastcgi_pass unix:/run/php/php7.0-fpm.sock;
                fastcgi_param SCRIPT_FILENAME /var/www/yogadebutant.com/public_html$fastcgi_script_name;
        }
}

# HTTPS: the site itself, both names on one server block
server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        include snippets/ssl-yogadebutant.com.conf;
        include snippets/ssl-params.conf;
        server_name yogadebutant.com www.yogadebutant.com;
        root /var/www/yogadebutant.com/public_html;
        index index.php index.html;
        location ~ /\.well-known {
                allow all;
        }
        location / {
                try_files $uri $uri/ /index.php?$args;
        }
        location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                include fastcgi_params;
                fastcgi_pass unix:/run/php/php7.0-fpm.sock;
                fastcgi_param SCRIPT_FILENAME /var/www/yogadebutant.com/public_html$fastcgi_script_name;
        }
}

What should I do to upgrade to ACMEv2 protocol?

2 Likes

certbot 0.31 can work with the ACMEv2 endpoint. You probably have a reference to the ACMEv1 endpoint somewhere in your configuration files.

What is the output of: grep -Ri acme-v01 /etc/letsencrypt/ ?

2 Likes

Hm, strange, looks like the same account.

1 Like

You may have just fixed the problem – replacing your certificate like that replaces the /etc/letsencrypt/renewal/www.yogadebutant.com.conf file. If it was configured to use the old ACMEv1 API before, it isn’t now.

3 Likes
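Added example, not code from the thread or from certbot: a POSIX shell audit that implements the grep check suggested two replies up and the renewal-conf rewrite that re-issuing the certificate performs, run against constructed sample conf files in a temp directory. The endpoint hostnames are the public Let's Encrypt ones; the function names and sample site names are my own.

```shell
#!/bin/sh
# Audit certbot renewal configs for the deprecated ACMEv1 endpoint and
# rewrite the ones found. The endpoint is the "server =" line under
# [renewalparams] in /etc/letsencrypt/renewal/<name>.conf; "certbot renew"
# reads it on every run, so a file still naming acme-v01 fails after the
# cut-off no matter how new the installed certbot is.
ACMEV1_HOST="acme-v01.api.letsencrypt.org"
ACMEV2_URL="https://acme-v02.api.letsencrypt.org/directory"

# Print the file name of every renewal conf in DIR whose server line
# still references the ACMEv1 host; prints nothing when all are clean.
find_acmev1_renewals() {
    for conf in "$1"/*.conf; do
        [ -f "$conf" ] || continue
        if grep -Eiq "^[[:space:]]*server[[:space:]]*=.*$ACMEV1_HOST" "$conf"; then
            basename "$conf"
        fi
    done
}

# Point one renewal conf at the ACMEv2 directory, keeping a .bak copy.
# Re-issuing the certificate (as happened in the thread) has the same effect.
migrate_renewal_conf() {
    cp "$1" "$1.bak"
    sed -i.tmp -E "s#^([[:space:]]*server[[:space:]]*=).*#\1 $ACMEV2_URL#" "$1"
    rm -f "$1.tmp"
}

# --- Constructed sample renewal confs (hypothetical names, temp dir) ---
SAMPLE_DIR="$(mktemp -d)"
cat > "$SAMPLE_DIR/old-site.example.conf" <<'EOF'
version = 0.31.0
cert = /etc/letsencrypt/live/old-site.example/cert.pem
[renewalparams]
authenticator = webroot
server = https://acme-v01.api.letsencrypt.org/directory
EOF
cat > "$SAMPLE_DIR/new-site.example.conf" <<'EOF'
[renewalparams]
authenticator = nginx
server = https://acme-v02.api.letsencrypt.org/directory
EOF

BEFORE="$(find_acmev1_renewals "$SAMPLE_DIR")"   # "old-site.example.conf"
for name in $BEFORE; do migrate_renewal_conf "$SAMPLE_DIR/$name"; done
AFTER="$(find_acmev1_renewals "$SAMPLE_DIR")"    # empty: nothing left on v1
echo "still on ACMEv1 before: ${BEFORE:-none}; after: ${AFTER:-none}"
```

On a real host, point `find_acmev1_renewals` at /etc/letsencrypt/renewal and follow up with `certbot renew --dry-run` to confirm the rewritten files actually renew against ACMEv2.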

Thanks, so if I dry-run the renewal and it says it’s good, it will still be good after June 1?

2 Likes

Yep, that’s correct!

1 Like
