Manual certificate renewal failing - DNS challenge

Trancelot · June 29, 2021, 4:55pm

Hi All,

I'm trying to perform a manual certificate renewal from a RHEL6 host (DNS challenge) to generate a certificate that can be loaded onto our firewall. The current certificate has expired today

Renewal seems to be running against ACMEv1 endpoint, and unable to change to V2.

When using --server https://acme-v02.api.letsencrypt.org/directory option, returns:
File "/opt/eff.org/certbot/venv/lib/python2.6/site-packages/acme/messages.py", line 205, in getitem
raise KeyError('Directory field not found').

Would appreciate any help in resolving!

My domain is: vpn.ooba.co.za

I ran this command:
'--no-self-upgrade', '-d', 'vpn.ooba.co.za', '--manual', '--preferred-challenges', 'dns', '-d', 'vpn.ooba.co.za', '--csr', '/root/certbot/vpn.ooba.co.za/vpn.ooba.co.za.csr', '--agree-tos', '--email', 'x_x_x@ooba.co.za', '--cert-path', '/root/certbot/vpn.ooba.co.za/vpn.ooba.co.za.crt', '--fullchain-path', '/root/certbot/vpn.ooba.co.za/fullchain.crt', '--chain-path', '/root/certbot/vpn.ooba.co.za/chain.crt'

It produced this output:
The server experienced an internal error :: ACMEv1 is deprecated and you can no longer get certificates from this endpoint. Please use the ACMEv2 endpoint, you may need to update your ACME client software to do so. Visit End of Life Plan for ACMEv1 - #27 by jillian for more information.

My web server is (include version): N/A

The operating system my web server runs on is (include version): N/A

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.19.0 (certbot-auto)

rg305 · June 29, 2021, 5:13pm

Hi @Trancelot, and welcome to the LE community forum

I think you may need to update the client (to support ACMEv2).

petercooperjr · June 30, 2021, 9:05pm

Yes, you need to update certbot. It's not enough to just point to the v02 API endpoint, it actually needs to speak the v02 protocol.

There's more information on upgrading certbot in this thread:

However, it may be tricky to install on an out-of-support system like RHEL 6. Really, having certificates is the least of your worries, as your system is old enough that it's no longer getting security updates.

Trancelot · July 14, 2021, 8:43am

Hi All,
Thanks for the input.

We've spun up a new machine with a more recent version of RHEL and have been able to successfully renew certs using this one. Assumed that this would be the solution, but needed input in case I was missing something.

Chat soon!

rg305 · July 15, 2021, 12:02am

It seems that you now have all that you need for this.

system · August 14, 2021, 12:02am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Trying to renew expired certificate Help	10	1070	March 3, 2019
Certificate renewal is failing with DNS Challenge Help	20	2081	March 17, 2022
Certificate renewal failed using manual DNS challenge Help	16	2032	August 11, 2023
Certbot with auto-renewal within VPN Help	5	67	September 28, 2024
FAILURE of renewal due to DNS problem Help	9	1872	April 15, 2022

Manual certificate renewal failing - DNS challenge

Related topics