Debian jessie Certbot still using AcmeV1 (CertbotACMEClient/1.3.0)?

Hello all,

I have received a couple of emails over the past few months from LetsEncrypt stating that I need to “upgrade to an ACMEv2 compatible client” (extract from the email is below).

However I’m using the LetsEncrypt certbot client - the latest version I used at the time was 1.3.0, it has since auto-updated to 1.4.0.

I run the certbot script (manual) on a separate Debian Jessie VM then manually install the certificate / private key using my hosting provider’s cPanel (I haven’t seen any cPanel plugins for Lets Encrypt from my hosting provider so I have been using this manual process for a number of years without issue).

Do I need to upgrade anything else before the June 1, 2020 deadline for support of the ACMEv1 protocol running out?

I would have thought that the certbot scripts (which do auto-update pretty much every time I run them every three months) should automatically update to NOT use ACMEv1.

Perhaps there are other components I need to update, e.g. the Debian distro itself (jessie, which I admit is getting old now - LTS ends on June 30, 2020).

Thanks

Hi,

According to our records, the software client you're using to get Let's
Encrypt TLS/SSL certificates issued or renewed at least one HTTPS certificate
in the past two weeks using the ACMEv1 protocol. Here are the details of one
recent ACMEv1 request from each of your account(s):

Client IP address:  2001:8003:5cae:cf00:a00:27ff:fe1b:35f0

User agent:  CertbotACMEClient/1.3.0 (letsencrypt-auto; Debian GNU/Linux 9 (stretch)) Authenticator/manual Installer/None (certonly; flags: ) Py/2.7.13

Hostname(s):  "seswhiteboard.com.au","www.seswhiteboard.com.au"

Request time:  2020-05-03 01:32:34 UTC

Beginning June 1, 2020, we will stop allowing new domains to validate using
the ACMEv1 protocol. You should upgrade to an ACMEv2 compatible client before
then, or certificate issuance will fail. For most people, simply upgrading to
the latest version of your existing client will suffice. You can view the
client list at: https://letsencrypt.org/docs/client-options/

My domain is: seswhiteboard.com.au

I ran this command: ./manual seswhiteboard.com.au www.seswhiteboard.com.au

It produced this output:

My web server is (include version): Hosted service

The operating system my web server runs on is (include version): Linux 3.10.0-962.3.2.lve1.5.24.9.el7.x86_64

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): cPanel 86.0.20

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 1.3.0

What are the contents of the manual script?

What are the results of “grep acme-v01 /etc/letsencrypt/renewal/*.conf”?

Contents of the manual script, from my original install of certbot:

root@jessie:~/letsencrypt# ls -l manual 
-rwxr--r-- 1 root root 1742 May 24  2017 manual
root@jessie:~/letsencrypt# cat manual
#!/bin/sh
#
# Wrapper script for the letsencrypt client to generate a server certificate in
# manual mode. It uses openssl to generate the key and should not modify the
# server configuration. It can be called off-side, i.e. not on the destination
# server.
#
# usage: gencert DOMAIN [DOMAIN...]
#
# This is free and unencumbered software released into the public domain.
# For more information, please refer to http://unlicense.org/

set -e

if [ $# -lt 1 ]; then
    echo "$0: error: at least one domain name required."
    exit 1
fi
domain=$1

shift
other_domains=
while [ $# -gt 0 ]; do
    other_domains="$other_domains,DNS:$1"
    shift
done


country=AU
state="(redacted)"
town="(redacted)"
email=(redacted)@(redacted)

outdir="certs/$domain"
key="$outdir/privkey1.pem"
csr="$outdir/signreq.der"

if [ -d "$outdir" ]; then
    echo "output directory $outdir exists"
    exit 1
fi

tmpdir=
cleanup() {
    if [ -n "$tmpdir" -a -d "$tmpdir" ]; then
        rm -rf "$tmpdir"
    fi
}
trap cleanup INT QUIT TERM EXIT
tmpdir=`mktemp -d -t mkcert-XXXXXXX`

sslcnf="$tmpdir/openssl.cnf"
cat /etc/ssl/openssl.cnf > "$sslcnf"
echo "[SAN]" >> "$sslcnf"
echo "subjectAltName=DNS:$domain$other_domains" >> "$sslcnf"

mkdir -p "$outdir"
openssl req \
    -new -newkey rsa:2048 -sha256 -nodes \
    -keyout "$key" -out "$csr" -outform der \
    -subj "/C=$country/ST=$state/L=$town/O=$domain/emailAddress=$email/CN=$domain" \
    -reqexts SAN \
    -config "$sslcnf"

##	--staging : use if testing
./letsencrypt-auto certonly \
    --authenticator manual \
    --server https://acme-v01.api.letsencrypt.org/directory --text \
    --config-dir letsencrypt/etc --logs-dir letsencrypt/log \
    --work-dir letsencrypt/lib --email "$email" \
    --csr "$csr"

The renewal directory is empty:

root@jessie:~# grep acme-v01 /etc/letsencrypt/renewal/*.conf
grep: /etc/letsencrypt/renewal/*.conf: No such file or directory
root@jessie:~# ls -l /etc/letsencrypt/renewal/
total 0

Recent versions of Certbot default to using ACMEv2, but --server https://acme-v01.api.letsencrypt.org/directory forces it to use ACMEv1. It should use ACMEv2 for new certificates if you remove that option.

Yeah, sorry. I assumed you were probably using the default location, but you're using --config-dir letsencrypt/etc, so you would have to look in letsencrypt/etc/renewal/*.conf, wherever that is.

You're also using the --csr option, which stops Certbot from generating renewal configuration files. But you might have other certificates created with other options.
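A small audit script as an added example (not from any post in this thread and not part of Certbot): it checks a wrapper like the manual script above, plus the renewal configs under both the default /etc/letsencrypt and any custom --config-dir, for a pinned ACMEv1 directory URL, and shows the in-place fix that keeps the shell line continuation intact. The file layout it builds for the demo is constructed.

```shell
# Added example, not from the thread or from Certbot: audit a certbot wrapper
# script and its renewal configs for a pinned ACMEv1 directory URL.
# Assumes POSIX sh, grep and sed; the demo files are constructed, not real.
ACME_V1_HOST="acme-v01.api.letsencrypt.org"

# acmev1_refs FILE: print numbered non-comment lines that still pin the
# ACMEv1 directory; exit 0 if any were found, 1 otherwise (or if FILE is absent).
acmev1_refs() {
    [ -f "$1" ] && grep -n "$ACME_V1_HOST" "$1" | grep -v '^[0-9]*:[[:space:]]*#'
}

# audit_certbot WRAPPER CONFIGDIR...: check the wrapper plus renewal/*.conf under
# each config dir (/etc/letsencrypt and any --config-dir the wrapper passes);
# exit 0 only when nothing is pinned to ACMEv1.
audit_certbot() {
    wrapper=$1; shift
    rc=0
    if acmev1_refs "$wrapper" >/dev/null; then
        echo "ACMEv1 pinned in $wrapper: drop the --server option"; rc=1
    fi
    for dir in "$@"; do
        for conf in "$dir"/renewal/*.conf; do
            [ -f "$conf" ] || continue        # glob did not expand: no configs
            if acmev1_refs "$conf" >/dev/null; then
                echo "ACMEv1 pinned in $conf: re-issue with an ACMEv2 client"; rc=1
            fi
        done
    done
    return $rc
}

# make_fixture DIR: constructed layout like the thread's: a wrapper with the
# pinned --server line and a custom --config-dir holding one renewal conf.
make_fixture() {
    mkdir -p "$1/letsencrypt/etc/renewal"
    printf '%s\n' '#!/bin/sh' './letsencrypt-auto certonly \' \
        '    --server https://acme-v01.api.letsencrypt.org/directory --text \' \
        '    --csr "$csr"' > "$1/manual"
    printf 'server = https://%s/directory\n' "$ACME_V1_HOST" \
        > "$1/letsencrypt/etc/renewal/example.conf"
}

# fix_wrapper FILE: delete the --server option but keep --text on the same
# continued line (commenting the line out instead breaks the continuation).
fix_wrapper() {
    sed 's#--server https://acme-v01.api.letsencrypt.org/directory ##' "$1" \
        > "$1.new" && mv "$1.new" "$1"
}
```

On a real host the call is `audit_certbot ./manual /etc/letsencrypt letsencrypt/etc`; a non-zero exit means something still targets the ACMEv1 endpoint.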

Ok thanks - I've removed that option and created a new cert - the current cert doesn't expire until August but the script mostly ran ok apart from asking for the domain name (already supplied on the command line) and the error at the end which I'll dig into further. Maybe there is an updated version of the 'manual' script available?

root@jessie:~/letsencrypt# diff manual manual.20200515
68,69c68
< #    --server https://acme-v01.api.letsencrypt.org/directory --text \
<     --text \
---
>     --server https://acme-v01.api.letsencrypt.org/directory --text \
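Review bot: the commented-out line at 68 still ends in a backslash, and that is the cause of the "./manual: 69: ./manual: --text: not found" error shown below: a backslash at the end of a comment does not continue the command, so the ./letsencrypt-auto invocation ends at the comment and the next line, `    --text \`, is executed as a separate command. Delete the commented line entirely (or move `--text` onto the preceding `--authenticator manual \` line) so the continuation is unbroken.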

root@jessie:~/letsencrypt# ./manual seswhiteboard.com.au www.seswhiteboard.com.au
u
Generating a RSA private key
...........+++++
...............................+++++
writing new private key to 'certs/seswhiteboard.com.au/privkey1.pem'
-----
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): seswhiteboard.com.au
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for seswhiteboard.com.au

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a file containing just this data:

(redacted)

And make it available on your web server at this URL:

http://seswhiteboard.com.au/.well-known/acme-challenge/(redacted)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/seswhiteboard.com.au/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/seswhiteboard.com.au/privkey.pem
   Your cert will expire on 2020-08-13. To obtain a new or tweaked
   version of this certificate in the future, simply run
   letsencrypt-auto again. To non-interactively renew *all* of your
   certificates, run "letsencrypt-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

./manual: 69: ./manual: --text: not found

Ok, letsencrypt/etc (under /root/letsencrypt) is also mostly empty, no renewal directory and just empty directories otherwise:

root@jessie:~/letsencrypt# pwd
/root/letsencrypt
root@jessie:~/letsencrypt# ls -l letsencrypt/etc/
total 8
drwx------ 4 root root 4096 May 24 2017 accounts
drwxr-xr-x 5 root root 4096 Oct 29 2017 renewal-hooks
root@jessie:~/letsencrypt# ls -l letsencrypt/etc/renewal-hooks/
total 12
drwxr-xr-x 2 root root 4096 Oct 29 2017 deploy
drwxr-xr-x 2 root root 4096 Oct 29 2017 post
drwxr-xr-x 2 root root 4096 Oct 29 2017 pre
