Got email telling me to update to ACME v2 despite recent certbot

Hi!

I recently received an email notifying me that the software client I’m using renewed at least one certificate in the past two weeks using the ACMEv1 protocol.

User agent: CertbotACMEClient/0.31.0 (certbot; Ubuntu 16.04.6 LTS) Authenticator/apache Installer/apache (renew; flags: n) Py/3.5.2
Request time: 2020-02-03 15:29:56 UTC

However, when running “certbot renew --dry-run -v”, I can see the following output:

Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org

… which seems to show that my version of certbot is using ACMEv2, right? And if that is the case, why did the actual renewal happen via v1? Is there anything I should do to avoid this?

My domain is: chroniquesgalactica.org
My web server is (include version): Apache/2.4.18 (Ubuntu)
The operating system my web server runs on is (include version): Ubuntu 16.04.6
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

Hi @aurelc2g

Check your protocol; you should find it under

 /var/log/letsencrypt/letsencrypt.log

If there is an acme-01 - order, use the --server option to switch to v2.

I do indeed see acme-01 in the logs. How come the dry-run I just tried used v2, but the actual run used v1? Do I have to explicitly provide the --server option to force using v2? I had assumed that recent enough versions of certbot would automatically prefer v2.

I don't know, I've never used v1.

Additionally: check your config files, in case there is a hard-coded server = v1 ...

You may have information in your config files that you have to find and change.
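
The config check suggested in the replies above, as an added example that is not part of the original thread: a shell script that lists every uncommented "server = ..." line in certbot's config files and classifies the endpoint as ACMEv1 or ACMEv2. It assumes certbot's usual layout (cli.ini and renewal/*.conf under /etc/letsencrypt); the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example. Layout (cli.ini, renewal/*.conf) is certbot's usual default (assumption).

# classify_server URL -> prints v1, v2 or other
classify_server() {
    case "$1" in
        *acme-v01.*|*acme-staging.api.*) echo v1 ;;
        *acme-v02.*|*acme-staging-v02.*) echo v2 ;;
        *) echo other ;;
    esac
}

# find_pinned_servers DIR -> "<class><TAB><file><TAB><url>" for each
# uncommented "server = ..." line in DIR/cli.ini and DIR/renewal/*.conf
find_pinned_servers() {
    for f in "$1"/cli.ini "$1"/renewal/*.conf; do
        [ -f "$f" ] || continue
        awk '/^[ \t]*server[ \t]*=/ {
                 sub(/^[ \t]*server[ \t]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); print
             }' "$f" |
        while IFS= read -r url; do
            printf '%s\t%s\t%s\n' "$(classify_server "$url")" "$f" "$url"
        done
    done
}

# count_v1 DIR -> number of pinned ACMEv1 endpoints found under DIR
count_v1() {
    find_pinned_servers "$1" | awk -F'\t' '$1 == "v1" { n++ } END { print n + 0 }'
}

# make_sample_tree -> path of a temp dir holding constructed sample configs
make_sample_tree() {
    d=$(mktemp -d) && mkdir "$d/renewal" || return 1
    printf '%s\n' '# server = https://acme-v01.api.letsencrypt.org/directory' \
        'rsa-key-size = 4096' > "$d/cli.ini"
    printf '%s\n' 'version = 0.31.0' '[renewalparams]' 'authenticator = apache' \
        'server = https://acme-v01.api.letsencrypt.org/directory' \
        > "$d/renewal/old.example.conf"
    printf '%s\n' 'version = 0.31.0' '[renewalparams]' \
        'server = https://acme-v02.api.letsencrypt.org/directory' \
        > "$d/renewal/new.example.conf"
    echo "$d"
}

demo=$(make_sample_tree)
find_pinned_servers "$demo"      # on a real host: find_pinned_servers /etc/letsencrypt
echo "ACMEv1 pins: $(count_v1 "$demo")"
rm -rf "$demo"
```

A file reported as v1 keeps renewing against that endpoint until its server line is changed or removed.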
