Hello, I am currently using ISPConfig 3.1.13p1 with certbot 1.1.0. Recently I got an email from letsencrypt stating I had just recently used my server to issue certificates still using the ACMEv1 (soon deprecated). Upon investigating my ISPConfig installation should always add the v02-url as parameter when starting certbot. In the folder /etc/letsencrypt/accounts I have the following subfolders: acme-v01.api.letsencrypt.org acme-v02.api.letsencrypt.org But in the v02-folder the subdirectory "directory" is just a symbolic link to "/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory". Now I am utterly confused what interface is effectively used and/or to what version those credentials really belong. Can you perhaps give me a hint or tell me how to find this out? Also quite interesting: how can I "migrate" the certificates from the old interface to the new one? As far I already found out this isn't possible. So how could I recreate it best with the smallest downtime? Regards Azraelo
I believe the already implemented additional code to support v02 will check your Let's Encrypt client (letsencrypt, certbot or certbot-auto) version automatically and there is no need for end user to do anything if certificates are issued via ISPConfig GUI.
I assumed the same at first but until now I only used the ISPConfig GUI for issuing certificates. And yet nevertheless I got the email from letsencrypt about using the v01-interface recently. Thus i'm back at square one and still hope for some hints.
All recent ISPConfig versions use the v2 api. It might be that you have some old certs that still use v1 on renewal.
Thanks for the feedback. I just learned the used api was stored and reused in the config files located in /etc/letsencrypt/renewal. Here i was able to determine which certificates were using the old interface. Just by changing the url from "server = *****://acme-v01.api.letsencrypt.org/directory" to "server = *****://acme-v02.api.letsencrypt.org/directory" and issuing a manual forced renew command like this: "/opt/certbot/certbot-auto renew --cert-name <certname> --force-renewal" i was able to switch. This only works as the same account seems to be used both for v01 and v02. had to exchange "https" by "*****" as i didn't have enough posts yet
That is really not neccessary and/or not advisable. You should try debugging as per the FAQ if your renewal faced any problems. Doing it via terminal might cause more problems rather than fixing it if you are not careful.
I haven't tried the mentioned procedure but I just need to confirm something i.e. renewal conf "after" your forced renewal is successful, is the "webroot part" still in there? I am asking this because that was a problem with the latest certbot / letsencrypt version which creates renewal conf without the webroot part but was fixed by ISPConfig code. Supposedly, if it is missing, the ISPConfig GUI won't detect the LE SSl and won't keep its option ticked and that was why I replied as posted earlier. But I could be wrong since my answer is based on my old memory and may not be the latest.
