Got an email about use of ACMEv1 when I'm using v2

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: bespoke.e-shopdesigner.com

I ran this command:

It produced this output:

My web server is (include version): nginx/1.17.8, Apache/2.4.41

The operating system my web server runs on is (include version): Ubuntu 16.04
4.4.0-174-generic #204-Ubuntu SMP Wed Jan 29 06:41:01 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

My hosting provider, if applicable, is: DigitalOcean droplet using serverpilot

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.31.0


Hi, I got an email today saying I'm using ACMEv1 but after checking I can't see how I am.

According to our records, the software client you're using to get Let's
Encrypt TLS/SSL certificates issued or renewed at least one HTTPS certificate
in the past two weeks using the ACMEv1 protocol. Here are the details of one
recent ACMEv1 request from each of your account(s):

Client IP address: 139.59.183.146

User agent: CertbotACMEClient/0.31.0 (certbot; Ubuntu 16.04.6 LTS) Authenticator/webroot Installer/None (renew; flags: n hook) Py/3.5.2

Hostname(s): "bespoke.e-shopdesigner.com"

Request time: 2020-02-14 02:05:36 UTC

Certbot is up to date, and the log has no entry for the timestamp referenced and it shows all requests going to acme-staging-v02 so I'm confused.

Extract from /var/log/letsencrypt/letsencrypt.log:

2020-02-20 10:16:10,889:DEBUG:acme.client:Storing nonce: >0002O5ys1B7Em0XGbVZ4Bpt5LxlcXQue6nNnFybowvPrx_E
2020-02-20 10:16:10,890:DEBUG:acme.client:JWS payload:
b'{\n "identifiers": [\n {\n "type": "dns",\n "value": "bespoke.e-shopdesigner.com"\n }\n ]\n}'
2020-02-20 10:16:10,893:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order:

The only slight oddity I can't resolve is a possible dependency issue, but certbot renew --dry-run seems to work fine. e.g. if I run certbot --version, I get:

/usr/lib/python3/dist-packages/requests/__init__.py:80: RequestsDependencyWarning: urllib3 (1.24.1) or chardet (3.0.4) doesn't match a supported version!
RequestsDependencyWarning)
certbot 0.31.0

Any ideas? Was that email sent in error?

Cheers!
Ian

Hi @esd-hosting

That's the test system, not the productive system.

Check your Certbot config file if there is an acme-v01 defined. Or if your standard command has a (wrong) --server option.

I’m not sure if this could be a factor, but are you sure all of Certbot’s components are up-to-date? If you run “sudo apt update” and “apt list --upgradeable”, does anything need to be upgraded?

Thanks. Yes I think that was because of the --dry-run.
I found that the renewal config file was using the acme-v01 server, so I've now changed it to:

renewal/bespoke.e-shopdesigner.com.conf:14:server = https://acme-v02.api.letsencrypt.org/directory

I think that will fix it.
Cheers!
Ian


Yes, everything seems to be up to date, so not sure why I get the dependency warning.
Maybe it doesn’t matter. I think the config file change I’ve made will fix the main ACME version issue.
Cheers!
Ian

Your config file had the v01, that's the reason. Now fixed.
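
The check that resolved this thread (looking at the `server` line in each renewal config) can be run across every lineage at once. The script below is an added example, not something posted by anyone in the thread or shipped with Certbot; the function name `audit_acme_servers`, its status labels and the sample files are assumptions made for illustration, and the staging ACMEv1 hostname comes from general knowledge of Let's Encrypt's endpoints rather than from the thread.

```shell
#!/bin/sh
# Added example: report which ACME endpoint each Certbot renewal config pins.
# Usage: audit_acme_servers [DIR]   (DIR defaults to /etc/letsencrypt/renewal)
# Prints "<status><TAB><file><TAB><server>"; exit status is 1 if any file uses ACMEv1.
audit_acme_servers() (
    dir=${1:-/etc/letsencrypt/renewal}
    rc=0
    for f in "$dir"/*.conf; do
        [ -e "$f" ] || continue
        # Take the URL from the "server = URL" line (the last one if it is repeated).
        server=$(sed -n 's/^[[:space:]]*server[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$f" | tail -n 1)
        case $server in
            *://acme-v01.api.letsencrypt.org/*|*://acme-staging.api.letsencrypt.org/*)
                status=ACMEv1; rc=1 ;;
            *://acme-v02.api.letsencrypt.org/*|*://acme-staging-v02.api.letsencrypt.org/*)
                status=ACMEv2 ;;
            '') status=DEFAULT; server='(no server line)' ;;
            *)  status=OTHER ;;
        esac
        printf '%s\t%s\t%s\n' "$status" "${f##*/}" "$server"
    done
    exit "$rc"
)

# Constructed sample data so the example runs offline (not files from the thread).
demo() (
    d=$(mktemp -d)
    printf '[renewalparams]\nserver = https://acme-v01.api.letsencrypt.org/directory\n' > "$d/old.example.conf"
    printf '[renewalparams]\nserver = https://acme-v02.api.letsencrypt.org/directory\n' > "$d/new.example.conf"
    audit_acme_servers "$d" || echo "at least one renewal config still points at ACMEv1"
    rm -rf "$d"
)
demo
```

A non-zero exit status makes the function usable from cron or a monitoring check, so a leftover ACMEv1 pin is caught before the next renewal rather than by an email from the CA.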
