Need help updating acme

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

Good afternoon. Today I tried to update the certificate and got an error that acme is outdated, but I did not find a normal manual, so I tried the commands that I could find in separate articles. I really need help with updating acme because in 3 days the mail will stop working. Thank you very much in advance.

My domain is: ivanovoobl.ru
I ran this command: certbot certonly --webroot -w /var/www/html -d mail.ivanovoobl.ru

It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
An unexpected error occurred:
The server experienced an internal error :: ACMEv1 is deprecated and you can no longer get certificates from this endpoint. Please use the ACMEv2 endpoint, you may need to update your ACME client software to do so. Visit End of Life Plan for ACMEv1 - #27 by jillian for more information.
Please see the logfiles in /var/log/letsencrypt for more details.

Then I tried:

I ran this command: sudo apt-get install --only-upgrade certbot

It produced this output: I gave out that the latest version is worth it 0.10.2

next

certbot renew --apache --agree-tos --email it@ivanovoobl.ru --force-renewal --server https://acme-v02.api.letsencrypt.org/directory because I asked for registration

in response

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/mail.ivanovoobl.ru-0003.conf

Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Attempting to renew cert from /etc/letsencrypt/renewal/mail.ivanovoobl.ru-0003.conf produced an unexpected error: 'Directory field not found'. Skipping.

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mail.ivanovoobl.ru-0003/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

My web server is (include version):

The operating system my web server runs on is (include version): Debian GNU/Linux 8 \n \l

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

contact email: hezeroid@yandex.ru

1 Like

Welcome to the community forum!

Overall, it seems your OS is too old for Certbot latest and you cannot update to a version that supports ACMEv2. Debian 8 is out of security support and you should consider updating/upgrading your host to a supported OS. Once you have upgraded your host, you can follow the relevant guide for Certbot on your new OS: Certbot Instructions | Certbot

If you need to renew your certificate sooner than you can upgrade your host, you will need to use another client that supports ACMEv2 and can be installed on your host. acme.sh is a common recommendation for this scenario.

3 Likes

Please note that acme.sh has been sold to ZeroSSL, a commercial CA, and uses the ZeroSSL ACME server by default since June if you're using the most up to date "master" version from github and not Let's Encrypt.

2 Likes

Good evening, thank you very much for your feedback, the fact is that I'm new to mail services and configuration in general. I have not come across this, but I will have to do it and I get it, in fact, an emergency. 2 days remain until the certificate expires and there is no experience and options for how to act, you cannot tell which option for replacing the client will be faster and easier because it takes a long time to figure it out, otherwise I will and fail the terms of the certificate, thanks more.

1 Like

Your problem is way beyond your certificate expiring; you're using an operating system that isn't getting security patches. Having a new certificate on it may allow you to make TLS connections but it won't actually be "secure" in any sense.

If you insist on still using that OS, you can't use the version of certbot that Debian 8 has available (even if you point it to the v2 endpoint, it doesn't know how to speak the v2 protocol). You need to either figure out how to install snap on it and use the Certbot snap (I don't know if that's even possible), or switch to another client. As Jillian says, acme.sh would probably work for you as it's "just" a shell script, though I personally haven't used it I know it has many happy users.

But really your better bet is to upgrade to a modern OS, any of which would allow for using a current version of certbot.

2 Likes

Thanks for the answer, you understand the whole problem is that a mailer is running on this server on which various departments and services depend, and this is complicated by the fact that it was set up by a bunch of different people and therefore no one really knows what is heaped up there and I always act carefully, because then it will not be realistic to restore everything. By the end of the year we will transfer the server to Astra Linux and do everything there from scratch, and now my task is to make everything work as soon as possible. I understand you, thanks for the advice, can you tell me which client is easiest and I will be very grateful for the working manual. I’ll spend a lot of time in search of which I simply don’t, if it’s not difficult for you, I am very grateful for the help.

1 Like

If your server supports PHP, you might be able to use CertSage (a very simple ACME client I authored) to get you by for now. I'll PM you both the client and instructions.

1 Like

Thank you very much for the answer, it is possible in more detail about the second point, I didn't quite understand how to do it, and the http://yourdomain.com page does not open.
Another question: how to find out if my server supports PHP? I'm talking about your letter.
And another question: I received a certificate with certbot certonly --webroot -w /var/www/html -d mail.ivanovoobl.ru, then restarted the Dovecot and Exim services. According to your way, how will I have to receive a certificate in the future?
Many thanks for the help)))

1 Like

Tell me another moment as in the terminal server, start the browser to go on the link or can it be done with a regular PC?

1 Like

found such an article, I believe that it is not relevant will already be, becoming

1 Like

In your last point you just need to follow the link?
I gave out after that:

CertSage
1 Like

I've updated the instructions for CertSage in the private message that I sent to you to make it easier and more specific for you.

1 Like

I did what you advised, after the point go to http://mail.ivanovoobl.ru/certsage.php after that he replied

after I tried to renew the certificate again, but the error remained with acme, maybe some service needs to be restarted?

CertSage
1 Like

It looks like there isn't permission on /var/www/html to access certsage.php.

1 Like

I did all the commands from the root, what else can I try? and more thanks for the advice and help, I really hope that tomorrow I can finally update the certificate)

At first I thought to put acme files where the mail certificates are stored, /etc/letsencrypt/live, but then I decided that this was a bad idea.

1 Like

Apache needs to be able to serve the files in /var/www/html. The permissions should be at least 755 on that directory.

Which files are you meaning by "acme files"?

1 Like

Apache needs to be able to serve the files in /var/www/html. The permissions on /var/www/html should be at least 755. The permissions on certsage.php should be at least 644.

1 Like
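
The permission requirement from the replies above (755 on the directory, 644 on certsage.php), written as a check. This is an added example, not part of the original thread and not CertSage's own code. It assumes the Apache worker is neither the owner nor in the group of the files, so the "other" bits decide access; the function names `other_bits` and `check_served` are made up for the example, and it inspects filesystem modes only, not Apache configuration.

```shell
#!/bin/sh
# Added example: verifies the file modes the replies ask for (755 / 644).
# Assumption: the Apache worker is neither owner nor in the group of the
# files, so the "other" permission bits decide what it may read.

# other_bits PATH -> prints the "other" triplet of the mode, e.g. "r-x".
other_bits() {
    # ls -ld mode string layout: type(1) user(3) group(3) other(3)
    ls -ld -- "$1" | cut -c8-10
}

# check_served FILE [TOP] -> 0 if FILE is readable by "other" and every
# directory from FILE's parent up to TOP (default /) is traversable.
# Prints the first offending path and returns 1 otherwise (2 if missing).
check_served() {
    file=$1
    top=${2:-/}
    [ -f "$file" ] || { echo "missing: $file"; return 2; }
    case $(other_bits "$file") in
        r??) ;;
        *) echo "not readable by other: $file"; return 1 ;;
    esac
    dir=$(dirname "$file")
    while :; do
        case $(other_bits "$dir") in
            ??x|??t) ;;   # t = sticky bit set together with execute
            *) echo "not traversable by other: $dir"; return 1 ;;
        esac
        case $dir in "$top"|/|.) break ;; esac
        dir=$(dirname "$dir")
    done
    return 0
}

# Stand-alone use: sh check_served.sh /var/www/html/certsage.php
if [ "$#" -gt 0 ]; then
    check_served "$@"
fi
```

The walk up the directory tree matters when a file is moved under a home directory: the file itself can be 755 while a parent directory still blocks traversal.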

under acme files, I meant your post:
In particular, the DIRECTORY variable is where your ACME account data as well as your certificate and its private key will be stored.

1 Like

Decided to move it to the home/user directory so that there were no jambs, gave 755 rights and went to the address http://mail.ivanovoobl.ru/certsage.php again.
After that he issued:

404 Not Found

Not Found

The requested URL /certsage.php was not found on this server.


Apache/2.4.10 (Debian) Server at mail.ivanovoobl.ru Port 80

I registered a new path in the certsage.php file

1 Like

I'm still seeing 403 Forbidden.

1 Like