I don't know if sudo certbot renew --dry-run uses the ACMEv2 API, if it complies with your company's standards, how can I confirm that the ACMEv2 API is used?

In order to support the ACMEv2 API, I updated certbot to 0.31.0, and running sudo certbot renew --dry-run gives a normal result.

The sudo certbot renew --dry-run output:
root@test-A:/# sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/test-oamng.yuanruiteam.com.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate


new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/test-oamng.yuanruiteam.com/fullchain.pem



DRY RUN: simulating 'certbot renew' close to cert expiry
(The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/test-oamng.yuanruiteam.com/fullchain.pem (success)
DRY RUN: simulating 'certbot renew' close to cert expiry
(The test certificates above have not been saved.)


The certbot --version output:
root@test-A:/# certbot --version
certbot 0.31.0

The corresponding renewal file:
root@test-A:/# cat /etc/letsencrypt/renewal/test-oamng.yuanruiteam.com.conf

renew_before_expiry = 30 days

version = 0.22.2
archive_dir = /etc/letsencrypt/archive/test-oamng.yuanruiteam.com
cert = /etc/letsencrypt/live/test-oamng.yuanruiteam.com/cert.pem
privkey = /etc/letsencrypt/live/test-oamng.yuanruiteam.com/privkey.pem
chain = /etc/letsencrypt/live/test-oamng.yuanruiteam.com/chain.pem
fullchain = /etc/letsencrypt/live/test-oamng.yuanruiteam.com/fullchain.pem

# Options used in the renewal process

[renewalparams]
installer = nginx
account = 0c461c24f0639286f5b696e7dfc4ee41
authenticator = nginx

My question is:
I don't know if sudo certbot renew --dry-run uses the ACMEv2 API, if it complies with your company's standards, how can I confirm that the ACMEv2 API is used? Thank you very much!!!!!

Here it says it used v2. As your renewal configuration file doesn't have a server variable, I guess it uses the default version, so it should indeed use version 2.
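
The two checks this answer relies on (the host named in the "Starting new HTTPS connection" line, and whether a renewal file pins a server), as an added shell example that is not part of the original thread. The function names are hypothetical, and the ACMEv1 hostnames are Let's Encrypt's v1 endpoints, which do not appear on this page.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Map an ACME server hostname or directory URL to the API version it serves.
classify_acme_host() {
    case "$1" in
        *acme-v02.api.letsencrypt.org*|*acme-staging-v02.api.letsencrypt.org*) echo v2 ;;
        *acme-v01.api.letsencrypt.org*|*acme-staging.api.letsencrypt.org*)     echo v1 ;;
        *) echo unknown ;;
    esac
}

# What one renewal .conf pins: v1, v2, unknown, or "default" when it has no
# "server =" line and certbot falls back to its built-in default server.
conf_acme_version() {
    url=$(sed -n 's/^[[:space:]]*server[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    if [ -z "$url" ]; then echo default; else classify_acme_host "$url"; fi
}

# One line per renewal config in a directory: "<file> <pinned version>".
audit_renewal_dir() {
    for conf in "$1"/*.conf; do
        [ -f "$conf" ] || continue
        echo "$(basename "$conf") $(conf_acme_version "$conf")"
    done
}

# Distinct API versions contacted, read from captured certbot output (or the
# debug log, assuming it records the same "Starting new HTTPS connection" lines).
log_acme_versions() {
    sed -n 's/.*Starting new HTTPS connection ([0-9]*): \([^ ]*\).*/\1/p' "$1" |
    while read -r host; do classify_acme_host "$host"; done |
    sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Typical use on a certbot host:
#   audit_renewal_dir /etc/letsencrypt/renewal
#   log_acme_versions /var/log/letsencrypt/letsencrypt.log
```

A config reported as "default" depends on the installed client version, so the connection line from an actual run is the stronger evidence.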

I updated the certificate on other servers; I also requested it (acme-staging-v02.api.letsencrypt.org).
But your company still sent me an email asking me to upgrade to v2. Why is this?

The message is as follows:
According to our records, the software client you're using to get Let's
Encrypt TLS/SSL certificates issued or renewed at least one HTTPS certificate
in the past two weeks using the ACMEv1 protocol. Here are the details of one
recent ACMEv1 request from each of your account(s).

My question is:
Do I need to bother with the content of the email? I'm confused, thanks

Your setup appears to be okay now.

When did you upgrade Certbot? The email could be in reference to requests made while an older version was still in use.

On the additional server, I did not update certbot. The certbot version is 0.22.2.
It has been this version ever since I started using certbot.

I’m not sure I understand.

If you have a server with version 0.22.2 installed, and you’re still using it, you need to upgrade.

OK, I upgraded certbot to 0.31.0 and ran the related commands to verify.
Is this OK? Thank you!!!

root@CI-Server:/# certbot --version
certbot 0.31.0
root@CI-Server:/# sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/ci.yuanruiteam.com.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for ci.yuanruiteam.com
http-01 challenge for log.yuanruiteam.com
Waiting for verification...
Cleaning up challenges


new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/ci.yuanruiteam.com/fullchain.pem



** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/ci.yuanruiteam.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)

