Certbot 0.22.0 Release with ACMEv2 and Wildcard Support


#1

Certbot 0.22.0 has been released which includes support for Let’s Encrypt’s upcoming ACMEv2 endpoint and automatically obtaining and installing wildcard certificates.

IMPORTANT NOTE: As initially stated more explicitly by @schoen below, while Certbot now supports a newer version of the ACME protocol and wildcard certificates, these features cannot be used until the ACME server you use Certbot with supports them as well. To track the status of Let’s Encrypt’s support for these features see:

The changelog for the release is:

Added

  • Support for obtaining wildcard certificates and a newer version of the ACME protocol such as the one implemented by Let’s Encrypt’s upcoming ACMEv2 endpoint was added to Certbot and its ACME library. Certbot still works with older ACME versions and will automatically change the version of the protocol used based on the version the ACME CA implements.
  • The Apache and Nginx plugins are now able to automatically install a wildcard certificate to multiple virtual hosts that you select from your server configuration.
  • The certbot install command now accepts the --cert-name flag for selecting a certificate.
  • acme.client.BackwardsCompatibleClientV2 was added to Certbot’s ACME library which automatically handles most of the differences between new and old ACME versions. acme.client.ClientV2 is also available for people who only want to support one version of the protocol or want to handle the differences between versions themselves.
  • certbot-auto now supports the flag --install-only which has the script install Certbot and its dependencies and exit without invoking Certbot.
  • Support for issuing a single certificate for a wildcard and base domain was added to our Google Cloud DNS plugin. To do this, we now require your API credentials have additional permissions, however, your credentials will already have these permissions unless you defined a custom role with fewer permissions than the standard DNS administrator role provided by Google. These permissions are also only needed for the case described above so it will continue to work for existing users. For more information about the permissions changes, see the documentation in the plugin.

Changed

  • We have broken lockstep between our ACME library, Certbot, and its plugins. This means that the different components do not need to be the same version to work together like they did previously. This makes packaging easier because not every piece of Certbot needs to be repackaged to ship a change to a subset of its components.
  • Support for Python 2.6 and Python 3.3 has been removed from ACME, Certbot, Certbot’s plugins, and certbot-auto. If you are using certbot-auto on a RHEL 6 based system, it will walk you through the process of installing Certbot with Python 3 and refuse to upgrade to a newer version of Certbot until you have done so.
  • Certbot’s components now work with older versions of setuptools to simplify packaging for EPEL 7.

Fixed

  • Issues caused by Certbot’s Nginx plugin adding multiple ipv6only directives has been resolved.
  • A problem where Certbot’s Apache plugin would add redundant include directives for the TLS configuration managed by Certbot has been fixed.
  • Certbot’s webroot plugin now properly deletes any directories it creates.

More details about these changes can be found on our GitHub repo:


#2

There’s a bug in Certbot 0.22.0 where it no longer properly supports the --allow-subset-of-names flag. This will be fixed shortly with a 0.22.1 release. Sorry for any trouble!


#3

Users, please note that this announcement reflects client-side support, not server-side support, for Let’s Encrypt wildcard certificates. You won’t be able to use this code to get wildcard certificates that browsers accept until the ACMEv2 deployment is complete and active on the Let’s Encrypt server side as well. That process is still underway at the moment.

More information about the server-side status is found in this thread:


#4

Tried to use certbot-auto to obtain a wildcard certificate several minutes ago after you announced the live of ACMEv2, but failed

root@web:~/ssl# ./certbot-auto --version
certbot 0.22.0
root@web:~/ssl# ./certbot-auto -d *.ymeng.net --manual --preferred-challenges dns-01 certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
The currently selected ACME CA endpoint does not support issuing wildcard certificates.

In log /var/log/letsencrypt/letsencrypt.log, it says

Connection: keep-alive

{
“i4DsctRDgkY”: “Adding random entries to the directory”,
“key-change”: “https://acme-v01.api.letsencrypt.org/acme/key-change”,
“meta”: {
“terms-of-service”: “https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
},
“new-authz”: “https://acme-v01.api.letsencrypt.org/acme/new-authz”,
“new-cert”: “https://acme-v01.api.letsencrypt.org/acme/new-cert”,
“new-reg”: “https://acme-v01.api.letsencrypt.org/acme/new-reg”,
“revoke-cert”: “https://acme-v01.api.letsencrypt.org/acme/revoke-cert
}
2018-03-13 20:21:07,787:INFO:certbot.main:Obtaining a new certificate
2018-03-13 20:21:07,971:DEBUG:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0016_key-certbot.pem
2018-03-13 20:21:07,972:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0016_csr-certbot.pem
2018-03-13 20:21:07,973:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File “/opt/eff.org/certbot/venv/bin/letsencrypt”, line 11, in
sys.exit(main())
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py”, line 1266, in main
return config.func(config, plugins)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py”, line 1157, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py”, line 118, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py”, line 350, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py”, line 294, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py”, line 328, in _get_order_and_authorizations
raise errors.Error("The currently selected ACME CA endpoint does"
Error: The currently selected ACME CA endpoint does not support issuing wildcard certificates.

Any good idea?


#5

@ymeng You need to add --server https://acme-v02.api.letsencrypt.org/directory to your Certbot auto command.


#6

I’m working on updates to the Certbot website in response to the new endpoint that’s just waiting on reviews, but while certbot-auto works with the new protocol being used with Let’s Encrypt’s new endpoint, it doesn’t currently include any plugins that automate doing challenges over DNS which Let’s Encrypt requires to issue a wildcard certificate.

Keep an eye on https://certbot.eff.org for instructions on how to obtain a wildcard certificate for your setup.


#7

Thank you! It works with --server!


#8
git clone https://github.com/certbot/certbot
cd certbot
git checkout v0.22.0
sudo ./certbot-auto --os-packages-only
./tools/venv.sh
source venv/bin/activate
sudo ./certbot -d domain.com -d *.domain.com --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory certonly

MAKE SURE you include root domain and wildcard!!

You will need to make 2 TXT records. Follow the instructions provided by certbot.


#9

Awesome. Worked like a charm. No tinkering with DNS recorded needed if the Route53 is your DNS provider


#10

I use the Ubuntu system, and the current version of certbot is 0.21.1. When I update 0.22.0, the prompt is the latest version, is it not supported by the certbot 0.22.0 version?


#11

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.