Certbot 0.22.2 and ACMEv2

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: airtime.radioquantica.com

I ran this command: certbot --apache certonly -n -d airtime.radioquantica.com --server https://acme-v02.api.letsencrypt.org/directory

It produced this output:

- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/airtime.radioquantica.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/airtime.radioquantica.com/privkey.pem
Your cert will expire on 2021-10-25.

My web server is (include version): apache 2.4.7

The operating system my web server runs on is (include version): Ubuntu 14.04.06 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): terminal

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.22.2 / Certbot-auto 0.19

I've run this command and managed to move from ACMEv1 to ACMEv2, but my site is still not accessible. Can you please give me some hints about what is happening?

I've tried to update certbot to the latest version using snap, but installing snap breaks my system, which is why I'm trying to solve it with the current certbot version. There should be a way, as certbot 0.22.2 seems to support ACMEv2.

Thanks.


It looks like you successfully got a certificate from ACMEv2. However, you used certonly mode, which does not install the certificate. You likely need to configure (if this is your first cert) or reload (if you are renewing) your Apache instance.

After you get your new cert working, you can configure certbot to obtain and install the certificate.


airtime.radioquantica.com on port 443 currently has a valid certificate configured, issued today, so it seems it all worked out.


Jillian, super thanks!

Reloading Apache was the missing step, as I was renewing but at the same time moving from the existing ACMEv1 to ACMEv2.

Everything seems to be working again.

Thanks for the quick help.


Hi again, still on this topic. Although I've managed to successfully update my certificates for some more months, I'm stuck with the renewal process not working anymore. I've tried --dry-run and I get those Deserialization errors, so I'm assuming I should add something to the renewal conf files to renew only the certificates from now on, right? And of course the post-hook to reload the Apache server. This way it should be possible to bypass this 0.22.2 limitation... I hope.
Any ideas?


Firstly, I hope you have an Ubuntu Advantage subscription and Extended Security Maintenance for 14.04.6 LTS? If not, you're running a version of Ubuntu that no longer receives any security updates, and you're strongly advised to update your Ubuntu. With that, you could probably update your certbot too.

If you do have Extended Security Maintenance, I'd recommend checking the renewal configuration file at /etc/letsencrypt/renewal/airtime.radioquantica.com.conf to see whether the server option has actually been updated to the ACMEv2 API or is still using the older ACMEv1 API.

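The two points raised in the replies above, that certonly leaves Apache untouched until it is reloaded and that the renewal conf must name the ACMEv2 endpoint, can be checked and fixed without a newer certbot. The script below is an added example written for this thread, not code from certbot or from any poster. It assumes the renewal conf layout certbot writes under /etc/letsencrypt/renewal/ (a constructed copy is embedded so it runs offline), and that `service apache2 reload` is the right reload command on Ubuntu 14.04; the temp paths are illustrative.

```shell
#!/bin/sh
# Added example for this thread (not certbot's own code): check a certbot
# renewal conf for the retired ACMEv1 endpoint, point it at ACMEv2, and add a
# renew_hook that reloads Apache so the renewed certificate is actually served.
# The sample conf, its paths and the reload command are constructed assumptions.

ACME_V1="https://acme-v01.api.letsencrypt.org/directory"
ACME_V2="https://acme-v02.api.letsencrypt.org/directory"
RELOAD_CMD="service apache2 reload"   # Ubuntu 14.04 uses upstart, not systemctl

# Write a constructed copy of /etc/letsencrypt/renewal/<domain>.conf as an old
# certbot would have left it for an ACMEv1 certificate; prints the temp path.
write_sample_conf() {
    _f=$(mktemp)
    cat > "$_f" <<EOF
# renew_before_expiry = 30 days
version = 0.22.2
archive_dir = /etc/letsencrypt/archive/airtime.radioquantica.com
cert = /etc/letsencrypt/live/airtime.radioquantica.com/cert.pem
privkey = /etc/letsencrypt/live/airtime.radioquantica.com/privkey.pem
chain = /etc/letsencrypt/live/airtime.radioquantica.com/chain.pem
fullchain = /etc/letsencrypt/live/airtime.radioquantica.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = apache
server = $ACME_V1
EOF
    echo "$_f"
}

# Print the server= value of a renewal conf (empty if the line is absent).
conf_server() {
    sed -n 's/^server *= *//p' "$1" | head -n 1
}

# Exit 0 when the conf still needs migration: it names ACMEv1, or it has no
# server line at all and so falls back to the client's built-in default,
# which on a release this old should not be assumed to be v2.
needs_migration() {
    [ "$(conf_server "$1")" != "$ACME_V2" ]
}

# Rewrite (or add, right after [renewalparams]) the server line for ACMEv2.
migrate_to_v2() {
    _c="$1"
    if grep -q '^server *=' "$_c"; then
        sed "s#^server *=.*#server = $ACME_V2#" "$_c" > "$_c.tmp"
    else
        awk -v v2="$ACME_V2" '{ print } $0 == "[renewalparams]" { print "server = " v2 }' "$_c" > "$_c.tmp"
    fi
    mv "$_c.tmp" "$_c"
}

# certonly never touches Apache, so a renewed cert sits unused until the server
# reloads; renew_hook runs only after a renewal that actually succeeded.
ensure_reload_hook() {
    _c="$1"
    grep -q '^renew_hook *=' "$_c" && return 0
    awk -v hook="$RELOAD_CMD" '{ print } $0 == "[renewalparams]" { print "renew_hook = " hook }' "$_c" > "$_c.tmp"
    mv "$_c.tmp" "$_c"
}

# Stand-alone demo on the constructed conf. On a real host, loop over
# /etc/letsencrypt/renewal/*.conf instead, then run `certbot renew --dry-run`.
demo_conf=$(write_sample_conf)
echo "before: server = $(conf_server "$demo_conf")"
if needs_migration "$demo_conf"; then
    migrate_to_v2 "$demo_conf"
    ensure_reload_hook "$demo_conf"
fi
echo "after:"
sed -n '/^\[renewalparams\]/,$p' "$demo_conf"
rm -f "$demo_conf"
```

Editing the renewal conf by hand is the route when re-running certbot with new flags is not an option; whichever way the conf is changed, `certbot renew --dry-run` against the staging endpoint is the check that it took effect, and as noted above a failing dry run means the real renewal will fail too.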

Hi Osiris, thanks for the quick reply. I'm aware of the current limitations of running an unsupported release; unfortunately, helping a non-profit radio means that sometimes we need to cut corners... In the meantime I'm already planning the move to a later OS release that could support our needs, but for the time being I need to have the production server running as it is.

Regarding the renewal, I can confirm I've updated the server to the ACMEv2 API, as v1 has been deprecated; this was the reason that triggered my issues with the old certbot 0.22.2. I'm wondering if this error is just because of the old version of certbot, and whether it will work anyway. I will know in a couple of months though.


If --dry-run doesn't work, the actual renewal will most likely fail too.

I've not yet seen any deserialization error in this thread; perhaps it's a good idea to open a new thread to tackle those, as it seems to be something different entirely. Perhaps due to the very old version of certbot too.

Also, I'm not an IT specialist, but I don't really understand how helping a non-profit organisation would mean you need to cut corners, if cutting those corners means introducing security issues and potentially getting your non-profit organisation into serious trouble. Especially as these products are open source and free of charge. To me, this sounds like taking a grave and possibly unnecessary risk.
