Certbot Client update - ACMEv2

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://www.indecisive.eu/

I ran this command: sudo yum install certbot python2-certbot-apache

It produced this output: Package python2-certbot-apache-1.0.0-1.el7.noarch already installed and latest version

My web server is (include version): Apache

The operating system my web server runs on is (include version): Centos7

My hosting provider, if applicable, is: Amazon

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.0.0

I’ve just received an email indicating I need to update my certbot client due to ACMEv1 support being withdrawn. The issue is that it’s saying I’m already on the most recent version when I try to update/install via yum on Centos7. Any help would be appreciated.

2

Hi @Gillious Welcome to the community!
Please take a look at this thread posted here.
How to update from ACMEv1 to ACMEv2
Hope this helps
Rip

1 Like
3

Hey thanks for the reply,

Is this suggesting I don’t need to update the client but instead edit the conf file to contain the line:
server = https://acme-v02.api.letsencrypt.org/directory ?

4

Are all of your packages up-to-date? I don't know if that yum install command will update other dependencies.

Not exactly. Modern versions of Certbot (including 1.0.0) use it by default. You don't need any server setting at all.

But if you have a setting telling it to use the old server, that may be a problem.

2 Likes
5

I don’t seem to have any setting telling it to use the old server. Maybe the email I got about it using ACMEv1 was wrong?

I’ve already run a yum update and everything else seems to be current.

6

Could there be any server settings in the files in /etc/letsencrypt/renewal/?

7

the contents of the .conf file in there is:

# renew_before_expiry = 30 days
version = 0.24.0
archive_dir = /etc/letsencrypt/archive/indecisive.eu
cert = /etc/letsencrypt/live/indecisive.eu/cert.pem
privkey = /etc/letsencrypt/live/indecisive.eu/privkey.pem
chain = /etc/letsencrypt/live/indecisive.eu/chain.pem
fullchain = /etc/letsencrypt/live/indecisive.eu/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = apache
account = 03f9a7ab99c03ff0d867a25b2fd94fb5
[[webroot_map]]
indecisive.eu = /var/www/html
www.indecisive.eu = /var/www/html
1 Like
8

You could try cat /etc/letsencrypt/cli.ini | grep 'server =' to be sure…

9

cat: /etc/letsencrypt/cli.ini: No such file or directory

10

sorry not a centos expert. @mnordhoff can help you close this question… Not sure where you config files live, but you could grep for acme-v01.api or acme-v02.api to find the answer.

Rip

1 Like
11

Your config file doesn't have any server settings, obviously. So it's clearly correct. :confused:

It's possible to have other Certbot configuration files in your home directory, but most people don't.

That certificate was renewed February 5, right? Were you really using Certbot 0.24.0 a week ago?

Certbot 0.24.0 did use the ACMEv1 API by default.

1 Like
12

Oh, maybe that’s it. I did a yum update just the other day and updated everything. I only got the email today so assumed the cert also got updated today and the client was still not recent enough. Back on the 5th it’s very likely it was the older version and I’m now on 1.0 since I get:
certbot --version

certbot 1.0.0

However, should the conf file still be saying version = 0.24.0 since it’s updated to 1.0.0?

1 Like
13

Ah, that makes sense. We've been sending emails in batches, where each batch contains accounts that used ACMEv1 in the last two weeks. I believe the email is supposed to contain a timestamp of the ACMEv1 activity. Did yours contain that, and does it match up with the theory that your last use of ACMEv1 happened before you did a yum upgrade?

1 Like
14

Yes. The config file just contains a record of what Certbot version was used to issue the certificate. The config file won't be modified again until the certificate is renewed two months from now (or if you force Certbot to issue a new certificate before then). Then it will say 1.0.0, or whatever version you've upgraded to in the meantime.

1 Like
15

Just checked the email again and it does indeed contain a timestamp for the 5th Feb, somehow entirely missed that.

1 Like
16

Thank you, you guys have been most helpful.

3 Likes
17

On further thought, that was two weeks ago. :thinking:

I should make some tea.

2 Likes
18

A post was split to a new topic: Deprecation notice for server that has been torn down

19

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.