Troubleshooting a Certbot installation that continues to use ACMEv1

Let's Encrypt is in the process of shutting down their ACMEv1 endpoint as described at End of Life Plan for ACMEv1. The vast majority of Certbot users have already transitioned off of ACMEv1 and do not have do anything; however, if your Certbot install is continuing to use ACMEv1, this post is for you.

Step 1: Ensure you have an updated version of Certbot

The easiest way to do this is to follow the installation instructions at Certbot - Certbot Instructions.

In particular, you want to make sure you have Certbot 1.6.0+ or an OS package that has had the changes from Certbot 1.6.0 backported to it. The following python3-certbot packages have backported fixes and can be used instead of Certbot 1.6.0 if desired:

Distribution Minimum fixed version
Ubuntu 18.04 (Bionic) 0.27.0-1~ubuntu18.04.2
Ubuntu 20.04 (Focal) 0.40.0-1ubuntu0.1
Debian 9 (Stretch) 0.28.0-1~deb9u3
Debian 10 (Buster) 0.31.0-1+deb10u1 (this package will be released in February)
Deprecated Certbot PPA 0.31.0-2~deb10u1+ubuntuXX.04.1+certbot+3

If you installed Certbot through one of these sources, make sure your package is up-to-date. You can check your installed version with a command like dpkg-query -l python3-certbot.

If you installed Certbot through another source and certbot --version outputs a version number older than 1.6.0, you'll need to find a different way to install Certbot. I'd recommend checking out the link above.

Step 2: Make sure you're not explicitly requesting ACMEv1

It is unlikely that many people did this. However, I'm documenting this just in case for completeness. If you're explicitly requesting Certbot use ACMEv1, you need to stop doing that in order for it to switch to ACMEv2.

First, if you have any scripts, cron jobs, systemd services, etc. running Certbot, make sure they are not setting the --server command line option.

Second, make sure that the server option is not set in Certbot's configuration files. You can check for this by running the following two commands:

grep -l "server.*acme-v01" ${XDG_CONFIG_HOME-~/.config}/letsencrypt/cli.ini 2>/dev/null
sudo sh -c 'grep -l "server.*acme-v01" /etc/letsencrypt/cli.ini ${XDG_CONFIG_HOME-~/.config}/letsencrypt/cli.ini 2>/dev/null'

If either command outputs a filename, you should update that file to stop specifying the ACMEv1 server.

Step 3: Ask for help if you continue to use ACMEv1

If after following these steps you continue to receive emails from Let's Encrypt for using ACMEv1 or are being affected by ACMEv1 brownouts, create a new thread to ask for help.

9 Likes

Have this :cake:
Since I can't LIKE your post :frowning:

image

2 Likes

@bmw For my understanding: if a renewal configuration file has the ACMEv1 URI set, will renewing with certbot >=1.6.0 or <1.6.0 with backported fix automatically use ACMEv2? And not just for new certificates?

3 Likes

Yes, renewing with certbot >= 1.6.0 or a package mentioned above with backported fixes will use ACMEv2 for renewal even if the renewal configuration file specifies the server as ACMEv1.

This behavior is what was added in Certbot 1.6.0 and backported. If you're curious, you can read more about this change at Automatically fix ancient Certbot renewal configs · Issue #7979 · certbot/certbot · GitHub and the linked issue and pull request.

5 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.