Wrong client version detected?

I just received this email:

According to our records, your Let's Encrypt software client renewed a
TLS/SSL certificate recently using the ACMEv1 protocol. Here are the details
of one recent ACMEv1 request from each of your account(s):

User agent:  Crypt::LE v0.28

However when I remote into our server and run the LE64.exe program directly, I get this:

ZeroSSL Crypt::LE client v0.35

So why is the email detecting the version wrong?
@leader

This looks rather strange indeed (if the email is genuine and not a phishing attempt, for instance). Presumably the detection on the LE side is based on the User-Agent header, which for Crypt-LE requests is always set by default to "Crypt::LE v..." corresponding to the actual library version. The Perl client can be easily modified to override that, but Windows binaries basically have the default, so I would expect it to be "Crypt::LE v0.35" in your case (the recent version is 0.37, btw). So the most plausible explanations might be that either there is some older version also running somewhere, or, when that email is generated, it takes the ID of the agent the first issuance was done with, for example.

So who is in charge of the email alert system from the LE folks? Perhaps they need to examine their code to see if they are using a stored value instead of querying it each time. The email headers look authentic to me, and the link brought me to this Help forum, so I'm thinking the message is legit. Plus I don't have another version anywhere else on the server. I'll scan the binary for an earlier version string just in case, maybe the compilation wasn't done right.

EDIT: nope, no old version numbers in the binary. So I'm stumped on this one. I'll upgrade to the latest I guess and just start ignoring those emails.

EDIT2: unless someone else in the company is using that client and somehow I'm the one getting the notices?! I'm not sure how the email is configured to send alerts like that from the CA.

Hi @mushu

that's not the critical problem.

Critical:

ACME v1 is deprecated, support ends.

So you should switch to the ACME v2 protocol.

I don't know how that client works.

Check whether acme-v01.api.letsencrypt.org or something like that is somewhere in your config file.

Update to acme-v02.api.letsencrypt.org.

Figured it out, thanks everyone for your help!

It was an old Old OLD test version from back in 2017 on another server, set up to run as a task, but it actually did nothing as far as I can tell; it simply contacted the CA. At any rate, I've archived the installation there and disabled the task, so this shouldn't happen again.

Good grief.

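An added example, not part of the thread and not Crypt::LE code: a scan of a directory tree for leftover references to the ACMEv1 endpoint named above. It also reads UTF-16 files, which is how Windows exports scheduled-task XML and which a plain ASCII search would miss. The function names and the sample task fragment are constructed for illustration.

```python
import codecs
import re
import sys
from pathlib import Path

# ACMEv1 hostname quoted in the thread; the acme-v02 hostname does not match.
ACME_V1 = re.compile(r"acme-v01\.api\.letsencrypt\.org", re.IGNORECASE)
MAX_BYTES = 5 * 1024 * 1024  # configs, scripts and task XML are small

# Constructed sample: a scheduled-task style XML fragment saved as UTF-16.
SAMPLE_TASK = ("<Task>\r\n"
               "  <Arguments>https://acme-v01.api.letsencrypt.org/directory</Arguments>\r\n"
               "</Task>\r\n").encode("utf-16")

def decodings(raw: bytes) -> list[str]:
    """Return the plausible text decodings of a file's bytes."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return [raw.decode("utf-16", errors="replace")]
    # No BOM: try UTF-8/ASCII and BOM-less UTF-16-LE. The wrong guess
    # produces text the pattern cannot match, so hits are not doubled.
    return [raw.decode("utf-8", errors="replace"),
            raw.decode("utf-16-le", errors="replace")]

def scan_bytes(raw: bytes) -> list[tuple[int, str]]:
    """Return sorted (line_number, line) pairs that reference ACMEv1."""
    hits: dict[int, str] = {}
    for text in decodings(raw):
        for no, line in enumerate(text.splitlines(), start=1):
            if ACME_V1.search(line):
                hits.setdefault(no, line.strip()[:200])
    return sorted(hits.items())

def scan_tree(root) -> dict[str, list[tuple[int, str]]]:
    """Scan every regular file under root and map path -> hits."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        try:
            if not path.is_file() or path.stat().st_size > MAX_BYTES:
                continue
            hits = scan_bytes(path.read_bytes())
        except OSError:
            continue  # unreadable or locked file: skip it
        if hits:
            report[str(path)] = hits
    return report

if __name__ == "__main__":
    if len(sys.argv) > 1:  # scan the directory given on the command line
        for path, hits in scan_tree(sys.argv[1]).items():
            for no, line in hits:
                print(f"{path}:{no}: {line}")
    else:  # no argument: run on the constructed sample
        print(scan_bytes(SAMPLE_TASK))
```

Run it against each server's client install directory and exported task definitions; any hit marks a client or task still pointed at ACMEv1.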