Update your client software to continue using Let's Encrypt

Hello Team,

We got an e-mail saying that we need to upgrade from ACMEv1 to ACMEv2. We are using Ubuntu 16.04/18.04. We tried to find out the method and visited some articles, but with no success.

Can you please help us with how we can upgrade our ACMEv1 protocol to ACMEv2?

We have upgraded our certbot to version 0.31, but it is still showing the acme-v01.api.letsencrypt.org folder in the /etc/letsencrypt folder. We are assuming it should be acme-v02.
Below are the versions of certbot and python3-acme:

xyz@abc:/etc/letsencrypt/accounts# certbot --version
certbot 0.31.0
xyz@abc:/etc/letsencrypt/accounts# dpkg -l python3-acme
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                             Version               Architecture          Description
+++-================================-=====================-=====================-=====================================================================
ii  python3-acme                     0.31.0-2+ubuntu18.04. all                   ACME protocol library for Python 3

Any help or guidance will be appreciated.

Thanks.

If you run a:

grep -R acme-v01 /etc/letsencrypt/

Does it come up with one or more server directives in configuration files? It could be /etc/letsencrypt/cli.ini itself, but could also be hardcoded in renewal configuration files.

I think it's best not to hardcode the server option when only the Let's Encrypt ACME server is used in combination with certbot, as certbot uses LE by default. Only if you have some sort of test domain only using the staging server can I understand you'd want to hardcode that. But if you're just using the default production ACME server, don't hardcode it anywhere.

Where? If you mean in /etc/letsencrypt/accounts/, that’s normal. :slightly_smiling_face: Certbot just doesn’t delete the acme-v01.api.letsencrypt.org account files. When you first interact with the ACMEv2 API, it will create an acme-v02.api.letsencrypt.org directory and copy or symlink your Let’s Encrypt account data to it.

@mnordhoff, Thank you for your response.

Can you please help me with how we can verify that our certbot will use ACMEv2? Can we check it in a dry run, or is there another method?

So we can provide evidence to our higher management. We already shared the versions of my certbot and python3-acme in the first post.

Thanks.

@Osiris,

/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/17200e4d2e5e8008c5d231590c0a1e4e/regr.json:{[redacted]}

Can you please help me with how we can verify that certbot will use ACMEv2?

Thanks.

I edited your post to remove the contents of the file because I’m not sure if they’re sensitive.

If the key in the file is the public key, that’s fine.

If it’s the private key, that is extremely bad.

@mnordhoff, Thanks.

Now when I run a dry run for one of my staging domains and check the logs, it seems certbot is using the ACMEv2 protocol. Below are some of the logs:

Server: nginx
Date: Fri, 17 Jan 2020 07:19:23 GMT
Content-Type: application/pem-certificate-chain
Content-Length: 3563
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"

If you can confirm the same, that would be good for me.

Thanks.

Does that mean that while we can't make a new account with ACMEv1, we can still use an account created by ACMEv2 on an ACMEv1-only client?

The restriction is on the protocol version itself but the backend data store is shared, I guess.

I’ve got a similar issue to the OP, having had a warning email about this.

grep -R acme-v01 /etc/letsencrypt/

shows:

/etc/letsencrypt/renewal/unifi.bakerbates.com.conf:server = https://acme-v01.api.letsencrypt.org/directory
/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/b2efdc9d....118df40c0e/regr.json:{"body": {}, "uri": "https://acme-v01.api.letsencrypt.org/acme/reg/61974310", "new_authzr_uri": "https://acme-v01.api.letsencrypt.org/acme/new-authz"}

I’m running certbot 0.28.0 on Debian 9.

What do I need to do to switch to API 2.0?

EDIT: Having read up some more on this, it seems that compatible clients will simply switch to v2.0 automatically. The fact that I haven’t makes me think it’s because our outgoing proxy is preventing certbot accessing acme-v02.api.letsencrypt.org. Allowing this might solve my problem but so far I’m not having any luck.
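As an added example (not code from the thread or from certbot), the check @Osiris suggested above and the situation in the last post, scripted: it lists renewal configs that still pin the acme-v01 endpoint in a `server =` line, counts them, and lists the account directories present. The sample tree it builds is constructed to resemble the grep output in this thread; run `report /etc/letsencrypt` against a real install.

```bash
#!/bin/sh
# Added example, not from the thread: find certbot renewal configs that still pin
# the ACMEv1 endpoint and list the ACME account directories present.
# Paths mirror the thread's /etc/letsencrypt layout; the sample tree is constructed.

# Print "file:line:text" for every renewal config mentioning acme-v01.
find_v1_server_lines() {
    grep -rn 'acme-v01\.api\.letsencrypt\.org' "$1/renewal" 2>/dev/null
}

# Number of distinct renewal configs that pin ACMEv1 (0 means nothing to fix).
count_v1_renewal_configs() {
    find_v1_server_lines "$1" | cut -d: -f1 | sort -u | wc -l | tr -d ' '
}

# Names of account directories; an acme-v01 directory is a harmless leftover,
# an acme-v02 directory appears after the first ACMEv2 interaction.
list_account_dirs() {
    for d in "$1"/accounts/*/; do
        [ -d "$d" ] && basename "$d"
    done
}

# Build a constructed sample tree resembling the grep output in the thread.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/renewal" "$root/accounts/acme-v01.api.letsencrypt.org" \
             "$root/accounts/acme-v02.api.letsencrypt.org"
    # Renewal config with a hardcoded v1 server, as in the last post above.
    printf 'version = 0.28.0\n[renewalparams]\nserver = https://acme-v01.api.letsencrypt.org/directory\n' \
        > "$root/renewal/example-pinned.conf"
    # Renewal config without a server line: certbot will use its v02 default.
    printf 'version = 0.31.0\n[renewalparams]\nauthenticator = nginx\n' \
        > "$root/renewal/example-default.conf"
    echo "$root"
}

report() {
    root="${1:-/etc/letsencrypt}"
    echo "Renewal configs still pinning ACMEv1 (drop the server line; certbot defaults to v02):"
    find_v1_server_lines "$root" || echo "  none"
    echo "Account directories present:"
    list_account_dirs "$root"
}
```

Removing the `server = ...acme-v01...` line from a renewal config (or pointing it at the v02 directory URL) is what lets certbot fall back to its ACMEv2 default on the next renewal.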