Some certificates use acme-v02, old ones use acme-v01

Hello

Here is my config:

  • webserver : 1.10.3-0ubuntu0.16.04.5
  • certbot : 0.31.0-1+ubuntu16.04.1+certbot+1
  • python-acme : 0.31.0-2+ubuntu16.04.6+certbot+2

Here is my problem:

I see that some certificates that I created still use acme-v01 (160 of 222 certificates).

Below you have two renewal files, one using acme-v02, the other using acme-v01. I renew the certificates with 'certbot renew'.

What should I do to make all certificates use acme-v02? (Beginning June 1, 2020, Let's Encrypt stops allowing new domains to validate using the ACMEv1 protocol.)

First example:
-rw-r--r-- 1 root root 676 Jan 31 13:52 renewal/lessouhesmes.pikoloco.com.conf

# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/lessouhesmes.pikoloco.com
cert = /etc/letsencrypt/live/lessouhesmes.pikoloco.com/cert.pem
privkey = /etc/letsencrypt/live/lessouhesmes.pikoloco.com/privkey.pem
chain = /etc/letsencrypt/live/lessouhesmes.pikoloco.com/chain.pem
fullchain = /etc/letsencrypt/live/lessouhesmes.pikoloco.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
account = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
catalogue.lessouhesmes.pikoloco.com = /var/www/html
lessouhesmes.pikoloco.com = /var/www/html

Second example:
-rwxr-xr-x 1 root root 713 Mar 14 21:05 renewal/sulpissy.biblibre.com.conf
# renew_before_expiry = 30 days
cert = /etc/letsencrypt/live/sulpissy.biblibre.com/cert.pem
privkey = /etc/letsencrypt/live/sulpissy.biblibre.com/privkey.pem
chain = /etc/letsencrypt/live/sulpissy.biblibre.com/chain.pem
fullchain = /etc/letsencrypt/live/sulpissy.biblibre.com/fullchain.pem
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/sulpissy.biblibre.com

# Options and defaults used in the renewal process
[renewalparams]
authenticator = webroot
account = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
server = https://acme-v01.api.letsencrypt.org/directory
standalone_supported_challenges = "tls-sni-01,http-01"
[[webroot_map]]
sulpissy.biblibre.com = /var/www/html/
koha.sulpissy.biblibre.com = /var/www/html/

Hi @lds

Update all of these definitions.

You can use sed -i to do so.

https://www.gnu.org/software/sed/manual/sed.html#Command_002dLine-Options

OK, I will make this substitution as quickly as possible.
Do you have any idea why some are acme-v02.api and others are acme-v01.api?
The version of acme at the time of the creation of the certificate, perhaps?

Yes, probably. When you first created the certificates, Certbot would have used its default ACME server, and then saved it in the renewal configuration file. Even though the default has changed from acme-v01 to acme-v02 since then, it doesn't automatically switch it when renewing certificates.

You could still have forced it to use acme-v01 more recently by using a command line argument or configuration file, though.

Another sign that the sulpissy.biblibre.com certificate might have been created with an old version of Certbot is the standalone_supported_challenges setting: It was renamed to something else (--preferred-challenges on the command line, or pref_challs in the renewal files) a long time ago. Not to mention the fact that Let's Encrypt has removed the TLS-SNI-01 challenge type.

Again, it's probably still possible to set that in Certbot 0.31.0, but it would have displayed a deprecation warning, so you would probably have stopped doing so after one or two more certificates.

Hi @JuergenAuer

I wrote this little bash script to convert the old acme-v01 entries. Does that sound right to you?

#!/usr/bin/bash

# Abort rather than edit files in the wrong directory if the cd fails
cd /etc/letsencrypt/renewal || exit 1
for i in $(grep -rl acme-v01 *.conf)
do
  echo "[CERTBOT CONF] : update $i"
  # 1) point the renewal at the v2 endpoint
  # 2) drop the obsolete standalone_supported_challenges key
  # 3) insert a webroot_path line before the authenticator line
  sed -i 's_https://acme-v01.api.letsencrypt.org/directory_https://acme-v02.api.letsencrypt.org/directory_ ; /standalone_supported_challenges/d ; /authenticator/iwebroot_path = /var/www/html,' "$i"
done

I am not a sed expert, but it looks fine.

You can probably omit /authenticator/iwebroot_path = /var/www/html, and the -r switch on grep.

Effectively, the -r in grep is totally useless in this case :slight_smile:

I noticed 'webroot_path = /var/www/html,' in the certificates that I have generated in recent days. The comma at the end of 'webroot_path = /var/www/html' is strange, isn't it?

Yeah. It's a comma-separated list with one item in it. I don't know why it's represented that way.
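A parse-based alternative to the sed one-liner, added here as an example (it is neither the poster's script nor Certbot's own code): it classifies each renewal file by its server= line, which reproduces the 160-of-222 style count, and rewrites only keys inside [renewalparams], also converting the obsolete standalone_supported_challenges key to pref_challs (the rename mentioned earlier in the thread) and dropping TLS-SNI-01. The pref_challs key name and the one-item trailing-comma list form are assumptions modelled on the webroot_path = /var/www/html, line discussed above; the sample file is constructed.

```python
V1 = "https://acme-v01.api.letsencrypt.org/directory"
V2 = "https://acme-v02.api.letsencrypt.org/directory"
RETIRED = {"tls-sni-01"}  # challenge type Let's Encrypt has removed

# Constructed sample modelled on the v1-era renewal file in the thread.
OLD_CONF = """# renew_before_expiry = 30 days
cert = /etc/letsencrypt/live/example.test/cert.pem
[renewalparams]
authenticator = webroot
account = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
server = https://acme-v01.api.letsencrypt.org/directory
standalone_supported_challenges = "tls-sni-01,http-01"
[[webroot_map]]
example.test = /var/www/html/
"""

def _scan(text):
    """Yield (line, key, value); key/value are None outside [renewalparams]."""
    in_params = False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("["):  # [[webroot_map]] or another section ends the block
            in_params = s == "[renewalparams]"
        k, v = (p.strip() for p in s.split("=", 1)) if in_params and "=" in s else (None, None)
        yield line, k, v

def api_version(text):
    """'v1', 'v2', 'other' for an unknown endpoint, or None if no server= line."""
    for _, key, value in _scan(text):
        if key == "server":
            return {V1: "v1", V2: "v2"}.get(value, "other")
    return None

def migrate(text):
    """Return (new_text, changes); an already-migrated file yields no changes."""
    out, changes = [], []
    for line, key, value in _scan(text):
        if key == "server" and value == V1:
            line = "server = " + V2
            changes.append("server: v1 -> v2")
        elif key == "standalone_supported_challenges":
            # Assumed renewal-file spelling of the renamed option; retired types are dropped.
            kept = [c for c in value.strip('"').split(",") if c and c not in RETIRED]
            line = "pref_challs = " + ",".join(kept) + ","  # Certbot's one-item list form (assumed)
            changes.append("standalone_supported_challenges -> pref_challs " + ",".join(kept))
        out.append(line)
    return "\n".join(out) + "\n", changes
```

Run it over /etc/letsencrypt/renewal/*.conf, write a file back only when `changes` is non-empty, and keep a copy of the original so a bad rewrite can be rolled back.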

Hello
So I modified all the configuration files.
The problem is that it does not seem to work, since I still have the http-01 challenge entry in the logs despite the new configuration below.

Log extract:

Processing /etc/letsencrypt/renewal/shibboleth.biblibre.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for shibboleth.biblibre.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/shibboleth.biblibre.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Configuration: /etc/letsencrypt/renewal/shibboleth.biblibre.com.conf

# renew_before_expiry = 30 days
cert = /etc/letsencrypt/live/shibboleth.biblibre.com/cert.pem
privkey = /etc/letsencrypt/live/shibboleth.biblibre.com/privkey.pem
chain = /etc/letsencrypt/live/shibboleth.biblibre.com/chain.pem
fullchain = /etc/letsencrypt/live/shibboleth.biblibre.com/fullchain.pem
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/shibboleth.biblibre.com

# Options and defaults used in the renewal process
[renewalparams]
authenticator = webroot
account = xxxxxxxxxxx
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
shibboleth.biblibre.com = /var/www/html/

HTTP-01 is okay. It’s one of the validation methods, not an API version.

The standard challenge types supported – DNS-01, HTTP-01 and TLS-ALPN-01 – are the same when using the v1 or v2 APIs.

The differences between the API versions are other things.

OK, I have acme-v02 in "authorizations" in the log.
Is this enough to validate that acme-v02 is used?

"authorizations": [
https://acme-v02.api.letsencrypt.org/acme/authz-v3/xxxxxxxxx
],

Pretty much, yes.

It’s possible there could still be corner cases – like if there is a forgotten script somewhere that uses the --server argument for some reason – but if the logs show that it’s always using the new API, it sounds like everything’s taken care of. :smile:
