ACMEv1 is deprecated and you can no longer get certificates from this endpoint

Discussion in 'ISPConfig 3 Priority Support' started by JOP, Jul 6, 2021.

  1. JOP

    JOP Member HowtoForge Supporter

    Can't renew Let's Encrypt cert today. Thought ACMEv2 is implemented in ISPConfig?
    What to do? I use ISPConfig with CentOS:

    ERROR MESSAGE:
    ###
    Your system is not supported by certbot-auto anymore.
    certbot-auto and its Certbot installation will no longer receive updates.
    You will not receive any bug fixes including those fixing server compatibility
    or security problems.
    Please visit https://certbot.eff.org/ to check for other alternatives.
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    -------------------------------------------------------------------------------
    Processing /etc/letsencrypt/renewal/mailserver.conf
    -------------------------------------------------------------------------------
    Plugins selected: Authenticator webroot, Installer None
    Attempting to renew cert () from /etc/letsencrypt/renewal/mailserver.conf produced an unexpected error: urn:acme:error:serverInternal :: The server experienced an internal error :: ACMEv1 is deprecated and you can no longer get certificates from this endpoint. Please use the ACMEv2 endpoint, you may need to update your ACME client software to do so. Visit https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430/27 for more information.. Skipping.
    All renewal attempts failed. The following certs could not be renewed:
    /etc/letsencrypt/live/mailserver/fullchain.pem (failure)
    -------------------------------------------------------------------------------
    All renewal attempts failed. The following certs could not be renewed:
    /etc/letsencrypt/live/mailserver/fullchain.pem (failure)
    -------------------------------------------------------------------------------
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Which version of CentOS?
     
  3. JOP

    JOP Member HowtoForge Supporter

    CentOS 7.9
    Yes, but I realized I only have /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org.
    On the other (working) server v02 is present.
     
  4. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Only if you use old ISPConfig before v2 is fixed and/or unsupported certbot as mentioned in the error log. Update both.
     
  5. JOP

    JOP Member HowtoForge Supporter

    ISPConfig 3.2.5 installed on this server, and CentOS 7.9 with all updates.
    How to upgrade certbot on CentOS 7.9 manually?
     
  6. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Follow the advice in the error log.
     
  7. JOP

    JOP Member HowtoForge Supporter

    Would this work with ISPConfig, also after updates?
    I have another server with CentOS 7.9 and ISPConfig with the same setup that works. This server has
    "acme-v01.api.letsencrypt.org" and "acme-v02.api.letsencrypt.org" in "/etc/letsencrypt/accounts".
    None of my servers have the packages certbot or snapd installed with df installed. All servers were built with the HowtoForge "Perfect Server" manual.
     
    Last edited: Jul 7, 2021
  8. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    If you think that maintaining the current certbot is best for you, try deleting that website's LE certs and folders via the CLI command "rm -rf /etc/letsencrypt/*/domain.tld*" and request new certs via the ISPConfig panel. I won't promise it will work, though it usually would.
     
  9. JOP

    JOP Member HowtoForge Supporter

    Seems to me a little bit risky deleting all those folders on a production machine?
    What's the way back if it fails?
     
  10. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Nope it is not. But of course as a failsafe, you should backup.

    Either or, it is up to you.
     
  11. JOP

    JOP Member HowtoForge Supporter

    Doesn't work for me, any other suggestions or solution?
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    You have to install an up-to-date certbot version; the certbot-auto command is not supported by the creators of certbot anymore, you have to use the snap packages now. The procedure to install certbot by using snap is described here:

    https://certbot.eff.org/

    There is no need to delete any folders in /etc to upgrade certbot. Just remove certbot-auto, it's probably in the folder /usr/local/bin/, and then rename the folder /opt/eff.org to remove the actual certbot. Rename it e.g. like this:

    mv /opt/eff.org /opt/eff.org_bak
     
    JOP likes this.
  13. JOP

    JOP Member HowtoForge Supporter

    Thank you Till, but now I'm totally confused.
    I have four CentOS servers with ISPConfig, three are running without any changes. Only this one has problems and doesn't switch/upgrade to acme-v02.
    Can you give me a howto, because I'm not familiar with this at the moment?
     
  14. JOP

    JOP Member HowtoForge Supporter

  15. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, that's what I suggested you do after you removed the old certbot as I described in my post. Follow that guide but leave out step 7, as you don't want to issue certs on the command line; you just need an up-to-date certbot.
     
    JOP likes this.
  16. JOP

    JOP Member HowtoForge Supporter

    Thank you Till, that seems to solve my problem, new Let's Encrypt cert installed. Hope that will work without further interaction?
    What I did in short:

    ###

    # mv /opt/certbot/certbot-auto /backup/
    # mv /opt/eff.org /opt/eff.org_bak

    # sudo yum install snapd
    # sudo systemctl enable --now snapd.socket
    # sudo ln -s /var/lib/snapd/snap /snap
    # sudo snap install core; sudo snap refresh core
    # sudo snap install --classic certbot
    # sudo certbot renew --dry-run

    Go to ISPConfig - Sites and select the site, disable the checkbox "Let's Encrypt SSL", wait, and enable it again.
    ##

    https://certbot.eff.org/lets-encrypt/centosrhel7-apache
    https://snapcraft.io/docs/installing-snap-on-centos
     
    Last edited: Jul 7, 2021
  17. JOP

    JOP Member HowtoForge Supporter

    One closing question:
    Is the manual upgrade also mandatory for those servers that have "acme-v02.api.letsencrypt.org" in the "/etc/letsencrypt/accounts" folder?
    How can I test that the acme-v02 config is working correctly on the other servers?
     
  18. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Test with
    Code:
    certbot renew --dry-run
    From man certbot:
    Do not run the certbot command without the --dry-run. If it writes certificates to disk it breaks the certificates ISPConfig makes.
    See man for further info on -d and --force-renewal to help in testing.
     
    JOP likes this.
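Before running even a dry-run renewal, it helps to know which ACME endpoint each certbot renewal config actually points at, since the thread shows that a v02 account directory can sit next to a stale v01 renewal config. The script below is an added example, not code from the thread or from ISPConfig/certbot; it assumes certbot's usual layout of one `server = ...` line per `/etc/letsencrypt/renewal/<name>.conf` and uses constructed sample configs so it runs stand-alone. It never calls certbot itself, so it cannot overwrite the certificates ISPConfig manages.

```shell
#!/bin/sh
# Added example (not from the thread): report which ACME endpoint each certbot
# renewal config targets, so a leftover acme-v01 config is spotted before the
# renew cron job fails. Assumes certbot's layout: <dir>/<name>.conf containing
# a "server = https://..." line under [renewalparams].

V1_ENDPOINT="acme-v01.api.letsencrypt.org"

# Print "<conf>: <server>" for every *.conf in directory $1.
# Exit status 1 if at least one config still targets the deprecated v1 endpoint.
check_renewal_dir() {
    dir="$1"
    rc=0
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        # first "server = <value>" line, with the key and spacing stripped
        server=$(sed -n 's/^[[:space:]]*server[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
        case "$server" in
            *"$V1_ENDPOINT"*)
                printf '%s: %s (deprecated ACMEv1)\n' "$conf" "$server"
                rc=1 ;;
            "")
                printf '%s: no server line (certbot default applies)\n' "$conf" ;;
            *)
                printf '%s: %s\n' "$conf" "$server" ;;
        esac
    done
    return $rc
}

# Constructed sample configs (hypothetical names) so the check can be exercised
# on a machine without certbot. Prints the temporary directory path.
make_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/mailserver.conf" <<'EOF'
[renewalparams]
authenticator = webroot
server = https://acme-v01.api.letsencrypt.org/directory
EOF
    cat > "$d/web.conf" <<'EOF'
[renewalparams]
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
EOF
    printf '%s\n' "$d"
}

# Usage: sh check_acme_endpoint.sh --demo   (uses the constructed samples)
#        sh check_acme_endpoint.sh          (scans /etc/letsencrypt/renewal if present)
if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample_dir)
    check_renewal_dir "$sample" || echo "at least one config still uses ACMEv1"
    rm -rf "$sample"
elif [ -d /etc/letsencrypt/renewal ]; then
    check_renewal_dir /etc/letsencrypt/renewal || echo "at least one config still uses ACMEv1"
fi
```

A config that names the v1 endpoint is the one that will fail with the "ACMEv1 is deprecated" error shown at the top of the thread; a config with no server line follows whatever default the installed certbot uses, which is why the certbot version matters as much as the config.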
  19. JOP

    JOP Member HowtoForge Supporter

    Thank you Taleman, valuable tip!
    Is it possible to force cert renewal on the CLI as with the legacy "certbot-auto", without breaking ISPConfig?
     
  20. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, ISPConfig itself just calls certbot renew as well.
     
    JOP likes this.
