Acme migration v01 to v02

Discussion in 'Installation/Configuration' started by Azraelo, Jan 25, 2020.

  1. Azraelo

    Azraelo New Member

    Hello,
    I am currently using ISPConfig 3.1.13p1 with certbot 1.1.0.
    Recently I got an email from letsencrypt stating I had just recently used my server to issue certificates still using the ACMEv1 (soon deprecated).
    Upon investigating my ISPConfig installation should always add the v02-url as parameter when starting certbot.
    In the folder /etc/letsencrypt/accounts I have the following subfolders:
    • acme-v01.api.letsencrypt.org
    • acme-v02.api.letsencrypt.org
    But in the v02-folder the subdirectory "directory" is just a symbolic link to "/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory".
    Now I am utterly confused what interface is effectively used and/or to what version those credentials really belong.
    Can you perhaps give me a hint or tell me how to find this out?
    Also quite interesting: how can I "migrate" the certificates from the old interface to the new one? As far I already found out this isn't possible. So how could I recreate it best with the smallest downtime?

    Regards
    Azraelo
     
  2. ahrasis

    ahrasis Well-Known Member

    I believe the already implemented additional code to support v02 will check your Let's Encrypt client (letsencrypt, certbot or certbot-auto) version automatically and there is no need for end user to do anything if certificates are issued via ISPConfig GUI.
     
  3. Azraelo

    Azraelo New Member

    I assumed the same at first but until now I only used the ISPConfig GUI for issuing certificates.
    And yet nevertheless I got the email from letsencrypt about using the v01-interface recently.
    Thus i'm back at square one and still hope for some hints.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    All recent ISPConfig versions use the v2 api. It might be that you have some old certs that still use v1 on renewal.
     
  5. Azraelo

    Azraelo New Member

    Thanks for the feedback.
    I just learned the used api was stored and reused in the config files located in /etc/letsencrypt/renewal.
    Here i was able to determine which certificates were using the old interface.
    Just by changing the url from "server = *****://acme-v01.api.letsencrypt.org/directory" to "server = *****://acme-v02.api.letsencrypt.org/directory" and issuing a manual forced renew command like this: "/opt/certbot/certbot-auto renew --cert-name <certname> --force-renewal" i was able to switch.
    This only works as the same account seems to be used both for v01 and v02.

    had to exchange "https" by "*****" as i didn't have enough posts yet :)
     
    till likes this.
  6. ahrasis

    ahrasis Well-Known Member

    That is really not neccessary and/or not advisable. You should try debugging as per the FAQ if your renewal faced any problems. Doing it via terminal might cause more problems rather than fixing it if you are not careful.
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    In my opinion, the procedure he used should be ok.
     
    Th0m likes this.
  8. ahrasis

    ahrasis Well-Known Member

    I haven't tried the mentioned procedure but I just need to confirm something i.e. renewal conf "after" your forced renewal is successful, is the "webroot part" still in there?

    I am asking this because that was a problem with the latest certbot / letsencrypt version which creates renewal conf without the webroot part but was fixed by ISPConfig code.

    Supposedly, if it is missing, the ISPConfig GUI won't detect the LE SSl and won't keep its option ticked and that was why I replied as posted earlier.

    But I could be wrong since my answer is based on my old memory and may not be the latest.
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    It does not matter for recent ISPConfig versions if a webroot map exists or not in renewal conf.
     
    ahrasis likes this.

Share This Page