
SSL Letsencrypt ACMEv1 deprecated and shutdown June 1st 2021

Discussion in 'Domains, DNS, Email & SSL Certificates' started by dcg, Jun 16, 2021.

  1. dcg

    dcg Premium Member Premium Member

    Hello, I just checked my cron email and saw the /root/.acme.sh/ jobs failing to renew domains which were initialized with ACMEv1.
    FYI: End of Life Plan for ACMEv1

    Noticed old domains were pointing to the acme-v01 endpoint, not acme-v02.
    I recently created a new domain with the latest version of acmetool and it properly used acme-v02. Looks like domains I created back in 2017 never updated the variable to point to acme-v02.

    Details below, and the fix I applied to get renew to work:

    Code:
    [Tue Jun 15 00:58:58 EDT 2021] Using config home:/root/.acme.sh
    [Tue Jun 15 00:58:58 EDT 2021] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
    [Tue Jun 15 00:58:58 EDT 2021] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
    [Tue Jun 15 00:58:58 EDT 2021] DOMAIN_PATH='/root/.acme.sh/ww2aircraft.net_ecc'
    [Tue Jun 15 00:58:58 EDT 2021] Renew: 'ww2aircraft.net'
    [Tue Jun 15 00:58:58 EDT 2021] Le_API='https://acme-v01.api.letsencrypt.org/directory'
    [Tue Jun 15 00:58:58 EDT 2021] Using config home:/root/.acme.sh
    [Tue Jun 15 00:58:58 EDT 2021] ACME_DIRECTORY='https://acme-v01.api.letsencrypt.org/directory'
    [Tue Jun 15 00:58:58 EDT 2021] _ACME_SERVER_HOST='acme-v01.api.letsencrypt.org'
    [Tue Jun 15 00:58:58 EDT 2021] _main_domain='ww2aircraft.net'
    [Tue Jun 15 00:58:58 EDT 2021] _alt_domains='www.ww2aircraft.net'
    [Tue Jun 15 00:58:58 EDT 2021] '/home/nginx/domains/ww2aircraft.net/public' does not contain 'dns'
    [Tue Jun 15 00:58:58 EDT 2021] Using ACME_DIRECTORY: https://acme-v01.api.letsencrypt.org/directory
    [Tue Jun 15 00:58:58 EDT 2021] _init api for server: https://acme-v01.api.letsencrypt.org/directory
    [Tue Jun 15 00:58:58 EDT 2021] GET
    [Tue Jun 15 00:58:58 EDT 2021] url='https://acme-v01.api.letsencrypt.org/directory'
    [Tue Jun 15 00:58:58 EDT 2021] timeout=
    [Tue Jun 15 00:58:58 EDT 2021] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g '
    [Tue Jun 15 00:58:58 EDT 2021] ret='0'
    [Tue Jun 15 00:58:58 EDT 2021] response='{
      "type": "urn:acme:error:serverInternal",
      "detail": "ACMEv1 is deprecated and you can no longer get certificates from this endpoint. Please use the ACMEv2 endpoint, you may need to update your ACME client software to do so. Visit https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430/27 for more information."
    }'
    [Tue Jun 15 00:58:58 EDT 2021] ACME_KEY_CHANGE
    [Tue Jun 15 00:58:58 EDT 2021] ACME_NEW_AUTHZ
    [Tue Jun 15 00:58:58 EDT 2021] ACME_NEW_ORDER
    [Tue Jun 15 00:58:58 EDT 2021] ACME_NEW_ACCOUNT
    [Tue Jun 15 00:58:58 EDT 2021] ACME_REVOKE_CERT
    [Tue Jun 15 00:58:58 EDT 2021] ACME_AGREEMENT
    [Tue Jun 15 00:58:58 EDT 2021] ACME_NEW_NONCE
    [Tue Jun 15 00:58:58 EDT 2021] Le_NextRenewTime='1623128145'
    [Tue Jun 15 00:58:58 EDT 2021] Using CA: https://acme-v01.api.letsencrypt.org/directory
    
    grep of dir showed:
    Code:
    ww2aircraft.net/ww2aircraft.net.conf:Le_API='https://acme-v01.api.letsencrypt.org/directory'
    ww2aircraft.net/ww2aircraft.net.conf:Le_LinkCert='https://acme-v01.api.letsencrypt.org/acme/cert/'
    ww2aircraft.net/ww2aircraft.net.conf:Le_LinkIssuer='https://acme-v01.api.letsencrypt.org/acme/issuer-cert'
    ww2aircraft.net_ecc/ww2aircraft.net.conf:Le_API='https://acme-v01.api.letsencrypt.org/directory'
    ww2aircraft.net_ecc/ww2aircraft.net.conf:Le_LinkCert='https://acme-v01.api.letsencrypt.org/acme/cert/'
    ww2aircraft.net_ecc/ww2aircraft.net.conf:Le_LinkIssuer='https://acme-v01.api.letsencrypt.org/acme/issuer-cert'
    
    I ran
    Code:
    grep -rl acme-v01 . | xargs sed -i 's/acme-v01/acme-v02/'
    Reran the /root/.acme.sh/ cron job.

    All renewed without issue.


    br
    david
     
  2. eva2000

    eva2000 Administrator Staff Member

    Nice, thanks for the heads up! Will have to think about how to deal with this in an automated manner.

    It might be enough to just run acmesh-official/acme.sh
    Code (Text):
    /root/.acme.sh/acme.sh --set-default-ca  --server letsencrypt
    

    Code (Text):
    /root/.acme.sh/acme.sh --set-default-ca  --server letsencrypt
    [Wed Jun 16 08:02:45 UTC 2021] Changed default CA to: https://acme-v02.api.letsencrypt.org/directory
    

    But it seems, as you mentioned, you need to update each domain's .conf file at /root/.acme.sh/domain.com/domain.com.conf so it has
    Code (Text):
    Le_API='https://acme-v02.api.letsencrypt.org/directory'

    AFAIK, you only really need to update the Le_API variable endpoint in domain.com.conf.
     
  3. eva2000

    eva2000 Administrator Staff Member

    I think I've come up with a safer version that only updates the domain.conf for each domain rather than every instance of acme-v01. This command will only update acme-v01 to acme-v02 if it is found in the Le_API variable in each domain.conf.

    This is a one-line command:
    Code (Text):
    find /root/.acme.sh/ -type f -name "*.csr" | while read f; do configname=$(echo "$f" | sed -e 's|\.csr|\.conf|g'); echo "$configname"; grep '\.api' "$configname"; echo; if [ "$(grep "Le_API='https://acme-v01.api" $configname)" ]; then echo "Update Le_API in $configname"; sed -i "s|Le_API='https:\/\/acme-v01.api|Le_API='https:\/\/acme-v02.api|" "$configname"; grep 'Le_API=' "$configname"; echo; fi; done
    
     
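    The same Le_API-only repair as a script, added here as an example that is not from this thread, from Centmin Mod or from acme.sh. It assumes the layout the thread shows (each domain's .conf next to its .csr under the acme.sh home, with an `_ecc` twin for ECC certs), keeps a .bak of every file it changes, writes through a temp file so a failed sed cannot truncate a conf, leaves Le_LinkCert/Le_LinkIssuer alone, and reports how many files were changed versus skipped. `make_sample` builds a constructed sample tree so the script can be exercised without touching /root/.acme.sh; `fix_all`, `fix_le_api`, `le_api_of` and `make_sample` are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from this thread, Centmin Mod or acme.sh): rewrite only the
# Le_API line of each acme.sh per-domain .conf from the retired acme-v01
# directory to acme-v02, keeping a .bak copy and leaving every other line alone.
# Assumes the layout shown in the thread: <home>/<domain>[_ecc]/<domain>.conf
# next to <domain>.csr. Run as: sh fix_le_api.sh /root/.acme.sh

OLD_DIR='https://acme-v01.api.letsencrypt.org/directory'
NEW_DIR='https://acme-v02.api.letsencrypt.org/directory'

# Print the Le_API value of one conf file (empty if the line is absent).
le_api_of() {
  sed -n "s/^Le_API='\(.*\)'\$/\1/p" "$1"
}

# Rewrite the Le_API line of one conf file if it still points at acme-v01.
# Returns 0 when the file was changed, 1 when nothing needed changing.
fix_le_api() {
  conf=$1
  [ "$(le_api_of "$conf")" = "$OLD_DIR" ] || return 1
  cp "$conf" "$conf.bak"
  # write to a temp file and rename, so a failed sed never truncates the conf
  sed "s|^Le_API='$OLD_DIR'|Le_API='$NEW_DIR'|" "$conf" > "$conf.tmp" \
    && mv "$conf.tmp" "$conf"
}

# Walk every domain conf under an acme.sh home directory. Progress goes to
# stderr; stdout is "<changed> <skipped>" so a caller can check the result.
fix_all() {
  home=$1; changed=0; skipped=0
  for csr in "$home"/*/*.csr; do
    [ -e "$csr" ] || continue            # no matches: the glob stays literal
    conf="${csr%.csr}.conf"
    [ -f "$conf" ] || continue
    if fix_le_api "$conf"; then
      changed=$((changed + 1))
      echo "updated: $conf -> $(le_api_of "$conf")" >&2
    else
      skipped=$((skipped + 1))
    fi
  done
  echo "$changed $skipped"
}

# Constructed sample tree mirroring the thread: an RSA conf still on acme-v01
# (with an old Le_LinkCert that must stay untouched) and an ECC conf already
# on acme-v02. Prints the temp directory path.
make_sample() {
  d=$(mktemp -d)
  mkdir -p "$d/example.com" "$d/example.com_ecc"
  : > "$d/example.com/example.com.csr"
  : > "$d/example.com_ecc/example.com.csr"
  printf "%s\n" "Le_Domain='example.com'" \
    "Le_API='$OLD_DIR'" \
    "Le_LinkCert='https://acme-v01.api.letsencrypt.org/acme/cert/'" \
    > "$d/example.com/example.com.conf"
  printf "%s\n" "Le_Domain='example.com'" "Le_API='$NEW_DIR'" \
    > "$d/example.com_ecc/example.com.conf"
  echo "$d"
}

if [ "$#" -gt 0 ]; then
  fix_all "$1"
else
  echo "usage: $0 /root/.acme.sh   (or: fix_all \"\$(make_sample)\" to try it on a sample tree)" >&2
fi
```

    Running it a second time reports zero changes, because the check is on the Le_API value rather than on a bare acme-v01 substring, so the old Le_LinkCert and Le_LinkIssuer lines that the grep in the first post showed are never rewritten.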
  4. pamamolf

    pamamolf Premium Member Premium Member

    Can we get this automated on the Acme?
     
  5. dcg

    dcg Premium Member Premium Member

    After you mentioned the default CA update, I ran what you had.
    Code:
    /root/.acme.sh/acme.sh --set-default-ca  --server letsencrypt
    No issues were noticed. I think everything is fine by just changing the endpoint variables to acme-v02 in the domain configs.
     
  6. eva2000

    eva2000 Administrator Staff Member

    Eventually, but for now the command I posted should work fine.

    Yeah, changing the Le_API variable should be enough.
     
  7. eva2000

    eva2000 Administrator Staff Member

    @dcg @pamamolf updated Centmin Mod 123.09beta01 addons/acmetool.sh with a check/fix for the deprecated acme-v01.api endpoint on very old Centmin Mod Nginx domain-issued Letsencrypt certificates, to ensure they use the v02.api Letsencrypt endpoint, and so that addons/acmetool.sh defaults to using the Letsencrypt CA provider instead of the underlying acme.sh client's new ZeroSSL default - see Beta Branch - acmetool.sh 1.0.74 (and the previous update at Beta Branch - update addons/acmetool.sh 1.0.70 set default CA to letsencrypt in 123.09beta01)