Update your client software to continue using Let's Encrypt

Discussion in 'General' started by vassilis3, Mar 10, 2020.

  1. vassilis3

    vassilis3 Member

    Hello,
    Yesterday I received the following email:
    How do I fix this issue?
    thanks

    "Hi,

    According to our records, the software client you're using to get Let's
    Encrypt TLS/SSL certificates issued or renewed at least one HTTPS certificate
    in the past two weeks using the ACMEv1 protocol. Here are the details of one
    recent ACMEv1 request from each of your account(s):

    Client IP address: xxx.xxx.xxx.xxx

    User agent: CertbotACMEClient/0.12.0 (Debian GNU/Linux 8 (jessie)) Authenticator/webroot Installer/None

    Hostname(s): "mydomain.tld","www.mydomain.tld"

    Request time: 2020-02-27 08:00:55 UTC

    Beginning June 1, 2020, we will stop allowing new domains to validate using
    the ACMEv1 protocol. You should upgrade to an ACMEv2 compatible client before
    then, or certificate issuance will fail. For most people, simply upgrading to
    the latest version of your existing client will suffice. You can view the
    client list at: https://letsencrypt.org/docs/client-options/

    If you're unsure how your certificate is managed, get in touch with the
    person who installed the certificate for you. If you don't know who to
    contact, please view the help section in our community forum at
    https://community.letsencrypt.org/c/help and use the search bar to check if
    there's an existing solution for your question. If there isn't, please create
    a new topic and fill out the help template.

    ACMEv1 API deprecation details can be found in our community forum:
    https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1

    As a reminder: In the future, Let's Encrypt will be performing multiple
    domain validation requests for each domain name when you issue a certificate.
    While you're working on migrating to ACMEv2, please check that your system
    configuration will not block validation requests made by new Let's Encrypt IP
    addresses, or block multiple matching requests. Per our FAQ
    (https://letsencrypt.org/docs/faq/), we don't publish a list of IP addresses
    we use to validate, and this list may change at any time.

    To receive more frequent updates, subscribe to our API Announcements:
    https://community.letsencrypt.org/t/about-the-api-announcements-category

    Thank you for joining us on our mission to create a more secure and privacy-
    respecting Web!

    All the best,

    Let's Encrypt
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Recent Linux distributions and LE versions support the new protocol. But an old certificate created with the old protocol may continue using ACMEv1. So delete the certificate and create it again; then it should be ACMEv2.
     
  3. vassilis3

    vassilis3 Member

    Thanks for the quick reply.
    Is there any link to a HOWTO on how I do this?
     
  4. Steini86

    Steini86 Active Member

    Deactivate LetsEncrypt for that domain in ispconfig.
    Use "certbot delete" to delete the cert.
    Reactivate LetsEncrypt in Ispc

    However, it could be that your certbot version is too old:
    0.12 is from 2017. Recent version is 1.3.0.
    Looks like more work for you.

    From Certbot webpage:
    Depends on how you have initially installed certbot. Could also be you have a certbot installation in /opt/eff
     
    Last edited: Mar 10, 2020
  5. vassilis3

    vassilis3 Member

    OK, thank you for your reply.
    Could you please tell me the specific order I need to follow? The certbot is under /opt/
    Do I first delete certbot, then update and finally enable?
     
  6. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Probably the safest order would be:
    1. Deactivate LetsEncrypt for the domain(s) in ispconfig.
    2. Use "certbot delete" to delete the cert(s).
    3. Uninstall/delete all old certbot packages and installations.
    4. Install current certbot version.
    5. Reactivate LetsEncrypt in Ispc.
     
    linus likes this.
  7. vassilis3

    vassilis3 Member

    Hi,
    today I started to fix the problem.
    1. OK
    2. "certbot delete" doesn't work. Any help?
     
  8. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    If your certbot doesn't support deleting certificates, you will have to manually remove all files and directories related to each domain under /etc/letsencrypt.
     
  9. vassilis3

    vassilis3 Member

    It is not clear to me exactly what I need to remove and from where. Is there any link that describes exactly what I need to do?
    letsencrypt.png
     
  10. Steini86

    Steini86 Active Member

    "doesnt work" is not a valid error message. What problem are you facing when executing that command?
     
  11. vassilis3

    vassilis3 Member

    del.png
     
  12. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    That means there is no 'certbot' in your path; do you have /opt/eff.org/certbot/venv/bin/certbot ? If so, specify that path to certbot, and full command arguments (ie. you have to specify the certificate name you are deleting). '/opt/eff.org/certbot/venv/bin/certbot --help' should show you usage (assuming that path is correct), which is probably '/opt/eff.org/certbot/venv/bin/certbot delete -d domain.tld'.
     
  13. vassilis3

    vassilis3 Member

    11111.png
     
  14. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    I believe certbot-auto is the command that fetches and installs latest certbot on your computer. Is there a certbot now installed?
     
  15. vassilis3

    vassilis3 Member

    Good morning Taleman,
    As you have already understood, I have no knowledge, so I want to take small and certain steps.
    I have taken no action other than unchecking SSL for this particular domain in the ispconfig panel.
    I would be happy if you told me what to do step by step.
    Thanks
     
  16. Steini86

    Steini86 Active Member

    If you still have certbot installed, you could delete the certs with "certbot delete". If this is not installed, then deactivate Letsencrypt and SSL for your web and delete the same web in these folders:
    Code:
        /etc/letsencrypt/archive
        /etc/letsencrypt/live
        /etc/letsencrypt/renewal
    After that, install certbot and activate SSL and LetsEncrypt in ispc
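
A read-only check for the cleanup described in posts 2 and 16, added here as an example and not part of any poster's reply: it lists the certbot lineages whose renewal config still points at the ACMEv1 endpoint, plus the three per-domain paths that would be removed. Assumptions: the renewal file carries a `server =` line naming `acme-v01.api.letsencrypt.org`; the function names, the `LE_DIR` variable and the sample domains are made up for illustration.

```shell
#!/bin/sh
# Added example, read-only: lists paths, never deletes anything.
# Assumption: ACMEv1 lineages name this production host in "server = ...".
ACME_V1_HOST='acme-v01\.api\.letsencrypt\.org'

# Names of lineages under $1 (default /etc/letsencrypt) still pinned to ACMEv1.
acmev1_lineages() (
    root="${1:-/etc/letsencrypt}"
    for conf in "$root"/renewal/*.conf; do
        [ -f "$conf" ] || continue
        if grep -Eq "^[[:space:]]*server[[:space:]]*=.*$ACME_V1_HOST" "$conf"; then
            basename "$conf" .conf
        fi
    done
)

# Existing paths for lineage $2 in the three directories named in the post.
# Rejects names that would widen a later "rm -rf" (empty, ".", "..", or with "/").
lineage_paths() (
    root="${1:-/etc/letsencrypt}"; name="$2"
    case "$name" in
        ''|.|..|*/*) echo "unsafe lineage name: '$name'" >&2; exit 1 ;;
    esac
    for p in "$root/live/$name" "$root/archive/$name" "$root/renewal/$name.conf"; do
        if [ -e "$p" ] || [ -L "$p" ]; then printf '%s\n' "$p"; fi
    done
)

# Constructed sample tree: one ACMEv1 lineage and one ACMEv2 lineage.
make_sample_tree() (
    t=$(mktemp -d)
    mkdir -p "$t/live/old.example" "$t/archive/old.example" "$t/renewal" \
             "$t/live/new.example" "$t/archive/new.example"
    printf '[renewalparams]\nserver = https://acme-v01.api.letsencrypt.org/directory\n' \
        > "$t/renewal/old.example.conf"
    printf '[renewalparams]\nserver = https://acme-v02.api.letsencrypt.org/directory\n' \
        > "$t/renewal/new.example.conf"
    printf '%s\n' "$t"
)

# Demo on the sample tree; set LE_DIR=/etc/letsencrypt to audit a real host.
tree="${LE_DIR:-$(make_sample_tree)}"
for name in $(acmev1_lineages "$tree"); do
    echo "ACMEv1 lineage: $name"
    lineage_paths "$tree" "$name"
done
```

Reading a real `/etc/letsencrypt` normally requires root, because the `live` and `archive` directories hold private keys.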
     
  17. vassilis3

    vassilis3 Member

    Hi Steini86,
    Thanks for the reply.
    Please confirm the following commands for deletion:

    cp /etc/letsencrypt/ /etc/letsencrypt.backup -r
    rm -rf /etc/letsencrypt/live/bar.example.com/
    rm -rf /etc/letsencrypt/archive/bar.example.com/
    rm /etc/letsencrypt/renewal/bar.example.com.conf

    and

    remove certbot
    sudo apt-get remove certbot

    install certbot
    wget https://dl.eff.org/certbot-auto
    sudo mv certbot-auto /usr/local/bin/certbot-auto
    sudo chown root /usr/local/bin/certbot-auto
    sudo chmod 0755 /usr/local/bin/certbot-auto

    get and install your certificates
    sudo /usr/local/bin/certbot-auto --apache

    Set up automatic renewal
    echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && /usr/local/bin/certbot-auto renew -q" | sudo tee -a /etc/crontab > /dev/null

    Thanks
     
  18. Steini86

    Steini86 Active Member

    correct.

    From your previous comments, it looks like you have already removed certbot.
    You have to remove certbot-auto, too! -> "rm -rf /opt/eff.org"

    The best thing would be to install the Debian package. But for that you need a newer system than jessie. (LTS support for jessie will end in June, so you have to upgrade anyway.) So you have to use certbot-auto. Be careful not to create any certificates with certbot-auto (will be done by ispc), do not install any certs (will break ispc), and do not create the cronjob (will be done by ispc):

    Code:
    wget https://dl.eff.org/certbot-auto
    sudo mv certbot-auto /usr/local/bin/certbot-auto
    sudo chown root /usr/local/bin/certbot-auto
    sudo chmod 0755 /usr/local/bin/certbot-auto
    /usr/local/bin/certbot-auto --install-only
    Do not select any domains, just select c to cancel. Selecting a domain will exclude it from SSL in ispconfig; that's why it is important not to select a domain and not to use the apache option.
    Afterwards, reactivate letsencrypt in ispc and select SSL and letsencrypt for your web.

    [edit]
    Edited command for future reference according to Till's correction
     
    Last edited: Mar 23, 2020
  19. vassilis3

    vassilis3 Member

    I followed the steps above one by one.
    Something went wrong:
    all sites are down.
    How do I fix it?
    I'm wondering what I did wrong.
    upload_2020-3-23_19-47-52.png
     
    Last edited: Mar 23, 2020
  20. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Remove /etc/apache2/sites-enabled/100-greekservers.com.vhost.
     
