Update to ACMEv2 and point to right infos to renew certs

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.ktvs.tv

I ran this command: certbot renew --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log

It produced this output: Processing /etc/letsencrypt/renewal/www.ktvs.tv.conf

Cert is due for renewal, auto-renewing...
Attempting to renew cert from /etc/letsencrypt/renewal/www.ktvs.tv.conf produced an unexpected error: You should register before running non-interactively, or provide --agree-tos and --email <email_address> flags.. Skipping.

My web server is (include version): linux debian 8 Jessie

The operating system my web server runs on is (include version): Apache

My hosting provider, if applicable, is: OVH

I can login to a root shell on my machine (yes or no, or I don't know): I don't know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

=============

Hello,

Thank you in advance for your help :wink:

I'm not accustomed to using servers... The certificates were installed by another person.

I managed to figure out that the certs were set up and used with ACMEv1 and are now unusable since v1 is out of order.

I tried to redirect to ACME v2, and it produced this message: Processing /etc/letsencrypt/renewal/www.ktvs.tv.conf

Cert is due for renewal, auto-renewing...
Attempting to renew cert from /etc/letsencrypt/renewal/www.ktvs.tv.conf produced an unexpected error: You should register before running non-interactively, or provide --agree-tos and --email <email_address> flags.. Skipping.

As the certs were OK before, I assume the required info was set correctly with ACMEv1.

Can you tell me how to make ACMEv2 point to this info?

Where is the info located on the server?

And how can I have the certs renewed?

Thank you so much

Alex

1 Like

Hi @alex5959 and welcome to the LE community forum :slight_smile:

I think you may need to update your ACME client to support the newer ACMEv2 protocol.
Which certbot version are you using?
Show:
certbot --version

2 Likes

The answer is: certbot 0.10.2

Thank you for your very fast reply!

1 Like

There's some info on updating Certbot in this thread:

But the short of it is that Debian 8 is Just Too Old.

https://www.debian.org/News/2020/20200709

Your best bet is to upgrade to an operating system that still gets patches. Your second-best bet is to switch from certbot to some other ACME client which is easy to install on old systems (I'd suggest something from the Bash or Go sections of the client list), but keep in mind that if your system isn't getting security patches then even though you have a certificate your data and connections may be at risk from unpatched vulnerabilities.

3 Likes

Thank you very much Peter,

You say Debian 8 is too old, but can it still do the trick? I ask this because we use this website only to send files to people, who don't need to log in or anything else...

So, before upgrading our server, do you think I can go on with Debian 8 to get that certificate renewed?

1 Like

I'm mainly saying that it's much more likely, if your server isn't getting security updates anymore, for it to be compromised in some way, and if that happens then whether your server has a certificate or not doesn't really matter because the attacker could manipulate what content your users received or see which user received which content.

But it certainly is possible to get a certificate from Let's Encrypt on it, but it may be difficult to do so using certbot so you'd need to use some other client. The reason it may be hard with certbot is that you're using the version provided by your operating system distribution, and like we said it isn't getting updates anymore so it's not compatible with the current (many years old now) ACME protocol. But maybe you can install a newer version using snap or pip (or from source?), though I haven't tried myself.

So, probably the easiest thing to do is to switch to a different ACME client, and in this case I'd recommend one that's easy to install (that is, it has few dependencies and one can pretty much just copy it onto the server and run it). Most things in the "Bash" and "Go" list of the client list fit into that category. Once you get a certificate with the new client, you could uninstall or disable certbot and not worry about it anymore, and then set up whatever process the new client has to have it automatically renew your certificates.

3 Likes
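
An added example (not part of the thread and not certbot's own code) that checks the two conditions discussed above: whether the installed certbot predates ACMEv2 support, and whether the renewal conf still names the ACMEv1 endpoint. The 0.22.0 threshold is taken from certbot's changelog; the function names, finding labels and sample conf are constructed for illustration.

```shell
#!/bin/sh
# Added example. MIN_ACMEV2 is the first certbot release with ACMEv2 support
# (per certbot's changelog); finding labels and the sample conf are constructed.
MIN_ACMEV2="0.22.0"

# version_ge A B: succeed when three-part dotted version A is >= B.
version_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$2" ]
}

# conf_server FILE: print the ACME directory URL from the conf's "server =" line.
conf_server() {
    sed -n 's/^[[:space:]]*server[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# diagnose VERSION CONF: print one finding per line, or "ok" if nothing blocks renewal.
diagnose() {
    status=ok
    if ! version_ge "$1" "$MIN_ACMEV2"; then
        echo "client-too-old"; status=bad      # client only speaks ACMEv1
    fi
    case $(conf_server "$2") in
        *acme-v01.*) echo "conf-points-to-acmev1"; status=bad ;;
    esac
    [ "$status" = ok ] && echo "ok"
    return 0
}

# Constructed sample standing in for /etc/letsencrypt/renewal/www.ktvs.tv.conf
sample=$(mktemp)
cat > "$sample" <<'EOF'
version = 0.10.2
[renewalparams]
authenticator = apache
account = PLACEHOLDER_ACCOUNT_ID
server = https://acme-v01.api.letsencrypt.org/directory
EOF

# The version reported in the thread, checked against the sample conf.
diagnose "0.10.2" "$sample"
```

On a real host, pass the version printed by `certbot --version` and the path of the renewal conf instead of the sample.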
