How to update from ACMEv1 to ACMEv2

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: glidos.net

I ran this command: /usr/bin/certbot renew

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/intranet.glidos.net.conf


Cert is due for renewal, auto-renewing…
Non-interactive renewal: random delay of 82 seconds
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for imap.glidos.net
http-01 challenge for intranet.glidos.net
http-01 challenge for smtp.glidos.net
Using the webroot path /srv/www/htdocs for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Running deploy-hook command: /etc/letsencrypt/renewal-hooks/deploy/restart-all
Error output from deploy-hook command restart-all:
AH00558: httpd-prefork: Could not reliably determine the server's fully qualified domain name, using 10.0.0.5. Set the 'ServerName' directive globally to suppress this message


new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/intranet.glidos.net/fullchain.pem



Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/intranet.glidos.net/fullchain.pem (success)


My web server is (include version): Apache 2.4.33

The operating system my web server runs on is (include version): Opensuse Leap 15.1

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No. Using the command line.
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): Using a package called python2-certbot. Version 1.0.0

My question:
I thought I’d successfully reconfigured to use ACMEv2, but I’ve just received an automated notice that I recently renewed using ACMEv1.

Files /etc/letsencrypt/cli.ini and /etc/letsencrypt/renewal/intranet.glidos.net.conf both contain the line
server = https://acme-v02.api.letsencrypt.org/directory

On the other hand, /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory is a soft link to /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory, and the regr.json below that references URIs beginning https://acme-v01.api

I’m confused. I’m not sure what is configuration and what is automatically generated, and hence what I’m allowed to edit. Possibly some of this is config from an old version and is no longer used.

1 Like

Please show the corresponding renewal file.
/etc/letsencrypt/renewal/….conf

2 Likes

Thanks for the help. Here it is:

renew_before_expiry = 30 days

version = 0.36.0
archive_dir = /etc/letsencrypt/archive/intranet.glidos.net
cert = /etc/letsencrypt/live/intranet.glidos.net/cert.pem
privkey = /etc/letsencrypt/live/intranet.glidos.net/privkey.pem
chain = /etc/letsencrypt/live/intranet.glidos.net/chain.pem
fullchain = /etc/letsencrypt/live/intranet.glidos.net/fullchain.pem

# Options used in the renewal process

[renewalparams]
account = 2d90801b4000f9ccf2ecfc7ee2335148
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = webroot
rsa_key_size = 4096
webroot_path = /srv/www/htdocs,
[[webroot_map]]
imap.glidos.net = /srv/www/htdocs
intranet.glidos.net = /srv/www/htdocs
smtp.glidos.net = /srv/www/htdocs

1 Like

That seems to indicate the use of ACMEv2.

Perhaps you could test it with --dry-run
and check the logs for actual v01 or v02 connections.

Note the difference between:

nslookup acme-v01.api.letsencrypt.org
nslookup acme-v02.api.letsencrypt.org

[none - as far as DNS is concerned they are the same location - focus more on the client usage]

2 Likes

Okay, that makes sense. I just tried it, but I’m not sure what I’m looking for. There’s not a single occurrence of the string “v01”. There are many occurrences of “v02”, but every one within a URI. Some of those look to be within server replies, which is encouraging, but I know nothing of the differences between the two versions of the protocol, so for me there’s nothing conclusive there. I could post the results here if nothing within them is sensitive (there is an email address, but I could edit that out). Better, is there any indicator of version I can look for?

1 Like

Hi @Glidos

check that log.

If there are v02-orders, all is good.

One v01 - see https://acme-v01.api.letsencrypt.org/directory - then check that domain name.

3 Likes

Okay thanks. It looks like I’m okay.

4 Likes

I eventually found out why I was receiving warnings. I have two servers, only one in operation at any time, the other for installing new versions of the OS and then eventually to become the operational one. I have use for the secondary one at times. If it is left on then it also renews certificates, and it is currently set up to use v1. I just needed to update cron on the secondary server to disable renewal.

4 Likes

hello,
In order to support the ACMEv2 API, I updated certbot to 0.31.0, and running sudo certbot renew --dry-run produces normal output.

The sudo certbot renew --dry-run output:
root@test-A:/# sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/test-oamng.yuanruiteam.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/test-oamng.yuanruiteam.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/test-oamng.yuanruiteam.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The certbot --version output:
root@test-A:/# certbot --version
certbot 0.31.0

The corresponding renewal file:
root@test-A:/# cat /etc/letsencrypt/renewal/test-oamng.yuanruiteam.com.conf

renew_before_expiry = 30 days

version = 0.22.2
archive_dir = /etc/letsencrypt/archive/test-oamng.yuanruiteam.com
cert = /etc/letsencrypt/live/test-oamng.yuanruiteam.com/cert.pem
privkey = /etc/letsencrypt/live/test-oamng.yuanruiteam.com/privkey.pem
chain = /etc/letsencrypt/live/test-oamng.yuanruiteam.com/chain.pem
fullchain = /etc/letsencrypt/live/test-oamng.yuanruiteam.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
installer = nginx
account = 0c461c24f0639286f5b696e7dfc4ee41
authenticator = nginx

My question is:
I don't know if sudo certbot renew --dry-run uses the ACMEv2 API, or whether it complies with your company's standards. How can I confirm that the ACMEv2 API is used? Thank you very much.

1 Like

The answer is:

[--dry-run uses the staging environment which only supports v2]

1 Like
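An added example (not certbot's code and not from any poster in this thread) that applies the two checks suggested above: read the server directive from a renewal file's [renewalparams] section, and count which ACME directory hosts actually appear in a certbot log, flagging any acme-v01 traffic and noting when only the staging endpoint was contacted, as happens with --dry-run. The renewal-file contents are taken from the thread; the log lines are constructed, and the function names and the ENDPOINT_VERSIONS table are this example's own.

```python
import re
from typing import Dict, Optional

# Let's Encrypt ACME directory hosts named in this thread, mapped to
# (protocol version, environment). Table built for this example.
ENDPOINT_VERSIONS = {
    "acme-v01.api.letsencrypt.org": ("v1", "production"),
    "acme-v02.api.letsencrypt.org": ("v2", "production"),
    "acme-staging-v02.api.letsencrypt.org": ("v2", "staging"),
}

HOST_RE = re.compile(r"acme-(?:staging-)?v0[12]\.api\.letsencrypt\.org")


def parse_renewal_conf(text: str) -> Dict[str, str]:
    """Return key = value pairs from the [renewalparams] section of a certbot
    renewal file, ignoring top-level keys and nested sections like [[webroot_map]]."""
    params: Dict[str, str] = {}
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            section = line.strip("[]")
            continue
        if section == "renewalparams" and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params


def configured_server(conf_text: str) -> Optional[str]:
    """The 'server' directive of the renewal file, or None when it is absent
    (certbot then uses cli.ini or its built-in default instead)."""
    return parse_renewal_conf(conf_text).get("server")


def endpoints_in_log(log_text: str) -> Dict[str, int]:
    """Count each ACME directory host seen in the log, whether in a
    'Starting new HTTPS connection' line or inside a URL in a response."""
    counts: Dict[str, int] = {}
    for host in HOST_RE.findall(log_text):
        counts[host] = counts.get(host, 0) + 1
    return counts


def classify(conf_text: str, log_text: str) -> Dict[str, object]:
    """Combine the configured endpoint with observed traffic into a verdict."""
    observed = endpoints_in_log(log_text)
    versions = {ENDPOINT_VERSIONS[h][0] for h in observed}
    envs = {ENDPOINT_VERSIONS[h][1] for h in observed}
    if not observed:
        verdict = "no-acme-traffic-seen"
    elif "v1" in versions:
        verdict = "v1-traffic-present"  # the case that triggers the deprecation notice
    else:
        verdict = "v2-only"
    return {
        "configured": configured_server(conf_text),
        "observed": observed,
        "staging_only": envs == {"staging"},  # true for a --dry-run log
        "verdict": verdict,
    }


# Renewal file from the thread (first poster).
SAMPLE_CONF = """renew_before_expiry = 30 days
version = 0.36.0
# Options used in the renewal process
[renewalparams]
account = 2d90801b4000f9ccf2ecfc7ee2335148
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = webroot
webroot_path = /srv/www/htdocs,
[[webroot_map]]
imap.glidos.net = /srv/www/htdocs
"""

# Renewal file from the thread (second poster): no server directive at all.
SAMPLE_CONF_NO_SERVER = """[renewalparams]
installer = nginx
account = 0c461c24f0639286f5b696e7dfc4ee41
authenticator = nginx
"""

# Constructed log excerpts; the order path is a placeholder, not a real URL.
SAMPLE_LOG_V2 = (
    "DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443\n"
    'DEBUG:acme.client:Received response: "https://acme-v02.api.letsencrypt.org/acme/order/EXAMPLE/1"\n'
)
SAMPLE_LOG_V1 = "DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org:443\n"
SAMPLE_LOG_STAGING = "Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org\n"

if __name__ == "__main__":
    for name, conf, log in (("primary", SAMPLE_CONF, SAMPLE_LOG_V2),
                            ("secondary", SAMPLE_CONF, SAMPLE_LOG_V1),
                            ("dry-run", SAMPLE_CONF_NO_SERVER, SAMPLE_LOG_STAGING)):
        print(name, classify(conf, log))
```

On a real host you would feed it the contents of /etc/letsencrypt/renewal/<domain>.conf and /var/log/letsencrypt/letsencrypt.log; a verdict of v1-traffic-present on any machine that still runs certbot renew (the second, standby server in this thread, for instance) is what produces the ACMEv1 notices.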

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.