Dry-run uses ACME-V02, renewal uses ACME-V01

mkooring · March 10, 2020, 2:00pm

I am on Ubuntu 16.04
certbot version= 0.31.0

I got an email from Letsencrypt telling me to upgrade from ACMEv1 to ACMEv2.

It sais

According to our records, the software client you’re using to get Let’s
Encrypt TLS/SSL certificates issued or renewed at least one HTTPS certificate
in the past two weeks using the ACMEv1 protocol. Here are the details of one
recent ACMEv1 request from each of your account(s):

Client IP address: x.x.x.x

User agent: CertbotACMEClient/0.31.0 (certbot; Ubuntu 16.04.6 LTS) Authenticator/apache Installer/apache (renew; flags: n) Py/3.5.2

Hostname(s): “xxxxxxxxxxxxx”

Request time: 2020-03-03 03:17:38 UTC

Checking the log confirm this. here is a line from the log:

2020-03-03 04:17:30,472:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.

I have tried to upgrade and I thought I had been success because when I do a dry-run it sais:

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate

The question is, why is the dry run using v2 while the normal renewal uses v1.

The renewal uses the systemd timers and my certbot.service files looks like this:

[Unit]
Description=Certbot
Documentation=file:///usr/share/doc/python-certbot-doc/html/index.html
Documentation=https://letsencrypt.readthedocs.io/en/latest/
[Service]
Type=oneshot
ExecStart=/usr/bin/certbot -q renew
PrivateTmp=true

I have noticed that my config file in /etc/letsencrypt/xxxxxx.conf has a hard reference to v1:
server = https://acme-v01.api.letsencrypt.org/directory

Should I change or remove this?

I am lost, please help? Why is the dry-run result different from the renewal?
How do I set the renewal to use acmev2?

Please help.

9peppe · March 10, 2020, 2:04pm

you can set it on the commandline with certbot renew --server and certbot should edit its conf accordingly.

mnordhoff · March 10, 2020, 2:17pm

If you run “apt list --upgradeable”, are all of your packages up-to-date?

If you run “grep ^server /etc/letsencrypt/cli.ini /etc/letsencrypt/renewal/*.conf”, are any of the configuration files forcing the use of the ACMEv1 API?

mkooring · March 10, 2020, 2:19pm

I ran:
sudo certbot -vvv renew --server https://acme-v02.api.letsencrypt.org/directory

And the output looks good.

But when I check my conf files, the hard reference to ACME-V01 is still there:

[renewalparams]
installer = apache
authenticator = apache
account = **************************************
server = https://acme-v01.api.letsencrypt.org/directory
standalone_supported_challenges = “tls-sni-01,http-01”
apache_vhost_root = /etc/apache2/sites-available
apache_ctl = None

What should I do?

Adjust the certbot.service file to include the --server option and hardcode it that way. (does not seem the right thing to do)

9peppe · March 10, 2020, 2:23pm

backup the configuration file and edit it, it should be safe to do so: https://certbot.eff.org/docs/using.html#configuration-file

mkooring · March 10, 2020, 2:25pm

I guess not all of them are update to:
I ran: apt list --upgradeable

Listing… Done
libdrm2/xenial-updates 2.4.91-2~16.04.1 amd64 [upgradable from: 2.4.76-1~ubuntu16.04.1]
python-cryptography/xenial 1.9-1+ubuntu16.04.1+certbot+2 amd64 [upgradable from: 1.2.3-1ubuntu0.2]
python-openssl/xenial,xenial 17.3.0-1~0+ubuntu16.04.1+certbot+1 all [upgradable from: 0.15.1-2ubuntu0.2]
python-requests/xenial,xenial 2.18.1-1+ubuntu16.04.1+certbot+1 all [upgradable from: 2.9.1-3ubuntu0.1]
python-urllib3/xenial,xenial 1.21.1-1+ubuntu16.04.1+certbot+1 all [upgradable from: 1.13.1-2ubuntu0.16.04.3]
python3-requests/xenial,xenial 2.18.1-1+ubuntu16.04.1+certbot+1 all [upgradable from: 2.9.1-3ubuntu0.1]
python3-urllib3/xenial,xenial 1.21.1-1+ubuntu16.04.1+certbot+1 all [upgradable from: 1.13.1-2ubuntu0.16.04.3]
ubuntu-minimal/xenial-updates 1.361.4 amd64 [upgradable from: 1.361.1]

How to get these upgraded?
When I do a normal upgrade (sudo apt-get upgrade), it sais
The following packages have been kept back:
libdrm2 python-cryptography python-openssl python-requests python-urllib3 python3-requests python3-urllib3 ubuntu-minimal

And yes, my config file are forcing ACMEv1, as menioned they have a server setting:
server = https://acme-v01.api.letsencrypt.org/directory

Should I change that? Should I remove that?

mnordhoff · March 10, 2020, 2:33pm

Changing it -- change the 1 to 2 -- would work.

I'm 99% sure deleting it would also work; Certbot should use the (correct) default if it's unspecified.

system · April 9, 2020, 2:33pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.