Solution to ACMEv2 Errors since upgrade?

The update, which happened without my authorization, has caused all SSLs to fail.

I understand you want to upgrade to new standards, but why haven’t any of the readmes clarified a way to solve the issue? Now it’s completely dead, without a solution to upgrade.

Error 1: “Account Creation disabled for ACMEv1”

Error 2: “Please upgrade your ACME client”

Error 3: “There is an existing account; registration of a duplicate account with this command is currently unsupported”

I cannot get past:

“Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0x7f0037c576d0> and installer None
Plugins selected: Authenticator webroot, Installer None
Enter email address (used for urgent renewal and security notices)”

Useless link: End of Life Plan for ACMEv1

I have been using https://acme-v02.api.letsencrypt.org/directory on run for all the SSLs.

Hi @timothymarois

What update?

I believe Let’s Encrypt sent out an email announcing the deprecation of the ACME v01 API, and suggested that recipients either upgrade their existing client (find developer) or switch to a client that supports ACMEv02.

Check your configuration file. Either you didn’t update all links, or your ACME client version is outdated.

Error message 1 is trying to create accounts on old v1 endpoints, which means your client is outdated.
Error message 2 is trying to ask you to update your client. Since you still have the issue and claim there’s no way to use, I guess you didn’t do so.
Error message 3… means you are using the wrong command. You are registering a new account instead of using the old one.

Please share the following:

  1. What command did you run?
  2. What’s your certbot version (certbot --version) ?
  3. What is the full output (including the input command)?
  4. What is your system version?

P.S. I believe if you upgrade your client to a newer version, (at least for certbot) they should update the server to acme-v2 API automatically.

Thank you


Hi,

Running command:
sudo ./certbot-auto --debug -v --server https://acme-v02.api.letsencrypt.org/directory certonly -d mydomain.com

The certbot was updated and is currently running version 1.3.0
All my commands are using acme-v02, and with the updated certbot, why else should this fail? When running, it automatically upgraded, and that’s when this error came through. I’ve been running just fine for a couple of years now.

Using on EC2 Amazon Linux with Apache.

Exiting abnormally:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/main.py", line 1347, in main
    return config.func(config, plugins)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/main.py", line 1217, in certonly
    le_client = _init_le_client(config, auth, installer)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/main.py", line 603, in _init_le_client
    acc, acme = _determine_account(config)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/main.py", line 519, in _determine_account
    config, account_storage, tos_cb=_tos_cb)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/client.py", line 176, in register
    regr = perform_registration(acme, config, tos_cb)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/client.py", line 219, in perform_registration
    return acme.new_account_and_tos(newreg, tos_cb)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/acme/client.py", line 829, in new_account_and_tos
    regr = self.client.register(regr)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/acme/client.py", line 277, in register
    response = self._post(self.directory[new_reg], new_reg)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/acme/client.py", line 95, in _post
    return self.net.post(*args, **kwargs)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/acme/client.py", line 1174, in post
    return self._post_once(*args, **kwargs)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/acme/client.py", line 1187, in _post_once
    response = self._check_response(response, content_type=content_type)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/acme/client.py", line 1045, in _check_response
    raise messages.Error.from_json(jobj)
Error: urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.

Please try to run this command: sudo ls -alR /etc/letsencrypt/accounts/

That prints out:

/etc/letsencrypt/accounts/:
total 16
drwx------ 4 root root 4096 Nov 10 22:28 .
drwxr-xr-x 9 root root 4096 Mar 26 01:51 ..
drwx------ 3 root root 4096 Nov 10 22:24 acme-v01.api.letsencrypt.org
drwx------ 3 root root 4096 Nov 10 22:28 acme-v02.api.letsencrypt.org

/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org:
total 12
drwx------ 3 root root 4096 Nov 10 22:24 .
drwx------ 4 root root 4096 Nov 10 22:28 ..
drwx------ 2 root root 4096 Nov 10 22:24 directory

/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory:
total 8
drwx------ 2 root root 4096 Nov 10 22:24 .
drwx------ 3 root root 4096 Nov 10 22:24 ..

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org:
total 12
drwx------ 3 root root 4096 Nov 10 22:28 .
drwx------ 4 root root 4096 Nov 10 22:28 ..
drwx------ 3 root root 4096 Nov 10 22:29 directory

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory:
total 12
drwx------ 3 root root 4096 Nov 10 22:29 .
drwx------ 3 root root 4096 Nov 10 22:28 ..
drwx------ 2 root root 4096 Mar 26 01:25 76c9244b12ed94d470d0b2917ee17adf

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/76c9244b12ed94d470d0b2917ee17adf:
total 20
drwx------ 2 root root 4096 Mar 26 01:25 .
drwx------ 3 root root 4096 Nov 10 22:29 ..
-rw-r--r-- 1 root root   89 Nov 10 22:29 meta.json
-r-------- 1 root root 1632 Nov 10 22:29 private_key.json
-rw-r--r-- 1 root root   78 Mar 26 01:45 regr.json

It looks like you already have an account in ACMEv2…
What would happen if you just run: sudo ./certbot-auto --debug -v certonly -d mydomain.com? Same error?

It actually seems to be working now, using that exact command. It would crash before it even asked for the webroot. Usually I press 3 for the location, and after pressing 3 it was crashing; this time it allowed me to give the location, and success! I have a dozen other servers, and I really hope this issue isn’t going to duplicate over. I have these SSLs set to auto-renew, but they crash when the certbot needs an update; the cronjobs fail. This would be the second time they’ve failed due to updates.

Really need to be able to rely on auto-renewing, otherwise the sites crash.

Glad it worked 🙂. When you are trying to issue a new certificate, you can just specify your webroot on the command line with -w $your-webroot, instead of letting it ask you.

Also, if you think certbot-auto might not work well for you, you are welcome to choose other options. See https://letsencrypt.org/docs/client-options/ for more clients. You can even use the same account key for the new client.

Thanks! Yeah, I noticed that list earlier when I was researching a fix, and I might test other options I am more familiar with if certbot becomes a problem, but for now it has worked for the most part; just a few times it gives me some trouble with upgrade-related issues.

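The two checks made by hand in this thread (does any configuration still point at the ACMEv1 endpoint, and which server already has a registered account on disk) can be scripted for a fleet of hosts. This is an added example, not code from the thread or from certbot; the function names are hypothetical, and it assumes certbot's default layout under /etc/letsencrypt with a `server =` line in each renewal config.

```shell
#!/usr/bin/env bash
# Added example: audit a certbot config directory for leftover ACMEv1 state.
# Assumes certbot's default layout: <dir>/renewal/*.conf and
# <dir>/accounts/<server>/directory/<account-id>/{regr.json,private_key.json}.

# Renewal configs whose "server =" line still names the ACMEv1 host.
v1_renewal_confs() {
    grep -lE '^[[:space:]]*server[[:space:]]*=.*acme-v01\.api\.letsencrypt\.org' \
        "${1:-/etc/letsencrypt}"/renewal/*.conf 2>/dev/null
}

# "<server> <account-id>" for each account with a registration on disk.
registered_accounts() {
    local regr id_dir server_dir
    for regr in "${1:-/etc/letsencrypt}"/accounts/*/directory/*/regr.json; do
        [ -f "$regr" ] || continue
        id_dir="${regr%/regr.json}"
        server_dir="${id_dir%/directory/*}"
        echo "${server_dir##*/} ${id_dir##*/}"
    done
}

# Account private keys readable by group or others (should be owner-only).
loose_account_keys() {
    find "${1:-/etc/letsencrypt}/accounts" -name private_key.json \
        \( -perm -040 -o -perm -004 \) 2>/dev/null
}

# Constructed sample tree shaped like the listing in the thread: an empty
# ACMEv1 account directory, one ACMEv2 account, and one stale renewal config.
build_sample() {
    local d="$1" acct="$1/accounts/acme-v02.api.letsencrypt.org/directory/0123456789abcdef"
    mkdir -p "$d/renewal" "$d/accounts/acme-v01.api.letsencrypt.org/directory" "$acct"
    echo '{}' > "$acct/regr.json"
    echo '{}' > "$acct/private_key.json"
    chmod 400 "$acct/private_key.json"
    printf '[renewalparams]\nserver = https://acme-v01.api.letsencrypt.org/directory\n' \
        > "$d/renewal/old.example.conf"
    printf '[renewalparams]\nserver = https://acme-v02.api.letsencrypt.org/directory\n' \
        > "$d/renewal/new.example.conf"
}
```

Called with no argument, each audit function inspects /etc/letsencrypt and needs root to read the accounts directory.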