Manual certificate renewal failing - DNS challenge

Hi All,

I'm trying to perform a manual certificate renewal from a RHEL6 host (DNS challenge) to generate a certificate that can be loaded onto our firewall. The current certificate has expired today

Renewal seems to be running against ACMEv1 endpoint, and unable to change to V2.

When using --server https://acme-v02.api.letsencrypt.org/directory option, returns:
File "/opt/eff.org/certbot/venv/lib/python2.6/site-packages/acme/messages.py", line 205, in getitem
raise KeyError('Directory field not found').

Would appreciate any help in resolving!

My domain is: vpn.ooba.co.za

I ran this command:
'--no-self-upgrade', '-d', 'vpn.ooba.co.za', '--manual', '--preferred-challenges', 'dns', '-d', 'vpn.ooba.co.za', '--csr', '/root/certbot/vpn.ooba.co.za/vpn.ooba.co.za.csr', '--agree-tos', '--email', 'x_x_x@ooba.co.za', '--cert-path', '/root/certbot/vpn.ooba.co.za/vpn.ooba.co.za.crt', '--fullchain-path', '/root/certbot/vpn.ooba.co.za/fullchain.crt', '--chain-path', '/root/certbot/vpn.ooba.co.za/chain.crt'

It produced this output:
The server experienced an internal error :: ACMEv1 is deprecated and you can no longer get certificates from this endpoint. Please use the ACMEv2 endpoint, you may need to update your ACME client software to do so. Visit End of Life Plan for ACMEv1 - #27 by jillian for more information.

My web server is (include version): N/A

The operating system my web server runs on is (include version): N/A

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.19.0 (certbot-auto)

2 Likes

Hi @Trancelot, and welcome to the LE community forum :slight_smile:

I think you may need to update the client (to support ACMEv2).

5 Likes

Yes, you need to update certbot. It's not enough to just point to the v02 API endpoint, it actually needs to speak the v02 protocol.

There's more information on upgrading certbot in this thread:

However, it may be tricky to install on an out-of-support system like RHEL 6. Really, having certificates is the least of your worries, as your system is old enough that it's no longer getting security updates.

3 Likes

Hi All,
Thanks for the input.

We've spun up a new machine with a more recent version of RHEL and have been able to successfully renew certs using this one. Assumed that this would be the solution, but needed input in case I was missing something.

Chat soon!

4 Likes

It seems that you now have all that you need for this.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.