Let's Encrypt - How to update properly?

Discussion in 'General' started by mikerogers, Jun 3, 2020.

  1. mikerogers

    mikerogers Member

    I have a production server for which I am getting emails about updating my client to stop using ACMEv1. This is a CentOS 7 production box with many sites on it, so I must make sure to do this properly to avoid any downtime issues.

    The email I get says this about the user agent: User agent: CertbotACMEClient/0.13.0 (CentOS Linux 7 (Core)) Authenticator/webroot Installer/None

    Upon inspecting the server it looks like I may have downloaded and configured Let's Encrypt outside of an RPM around 4/13/2017... for some reason it seems to reside in "/root/.local/share/letsencrypt".

    How can I upgrade my letsencrypt while making sure nothing breaks? I made sure ISPConfig was updated recently, thinking that may just fix it, but it didn't seem to.

    Any advice/help is greatly appreciated in advance (I have searched for answers to this but didn't find anything definitive).

    Thank you
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Did you try Internet Search Engines with
    Code:
    site:howtoforge.com le acmev1
     
  3. piccolo

    piccolo New Member

    Hi mikerogers,
    do you use wildcard certs with dns challenge or are you using the ISPConfig integrated version?
    Where is your certbot installed?
    And which version of certbot are you using?
    Are you on the latest ISPConfig?
    What does the log say?
    Could you please provide some more info, otherwise it is quite impossible to help.
    Greetings,
    piccolo
     
  4. mikerogers

    mikerogers Member

    Yep, I found a few things that look promising, but I want to be 100% sure I don't break things. Admittedly, I don't know a lot about how Let's Encrypt works and how it works with ISPconfig, and since I think I downloaded it and built it outside of an RPM (maybe? It's been 3+ years...) I'm not sure whether, if I just download/build a new version, ISPconfig will find it and use it properly.
     
  5. mikerogers

    mikerogers Member

    I don't use wildcard certs or DNS challenge at all. I ONLY use the ISPconfig interface for certs.
    See the OP, but I must have downloaded and built this about 3 years ago and it seems to reside in "/root/.local/share/letsencrypt". That seems very odd to me and my memory is crap, so I have no clue how I did this 3 years ago.
    Also per the OP, I upgraded ISPconfig to the latest version thinking it may just start using V2 itself if I did, but that doesn't seem to be the case from what I can tell.
    Here is the first page of the log - I see warnings about updating, of course:
    Code:
    2020-06-05 07:12:30,790:DEBUG:certbot.log:Root logging level set at 20
    2020-06-05 07:12:30,790:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2020-06-05 07:12:30,790:WARNING:certbot.cli:You are running with an old copy of letsencrypt-auto that does not receive updates, and is less reliable than more recent versions. We recommend upgrading to the latest certbot-auto script, or using native OS packages.
    2020-06-05 07:12:30,790:DEBUG:certbot.cli:Deprecation warning circumstances: /root/.local/share/letsencrypt/bin/letsencrypt / {'LANG': 'en_US.UTF-8', 'SHELL': '/bin/sh', 'XDG_RUNTIME_DIR': '/run/user/0', 'SHLVL': '3', 'PWD': '/usr/local/ispconfig/server', 'LOGNAME': 'root', 'USER': 'root', 'HOME': '/root', 'PATH': '/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin', 'XDG_SESSION_ID': '4673939', '_': '/root/.local/share/letsencrypt/bin/letsencrypt'}
    2020-06-05 07:12:30,790:DEBUG:certbot.main:certbot version: 0.13.0
    2020-06-05 07:12:30,790:DEBUG:certbot.main:Arguments: ['-n', '--post-hook', "echo '1' > /usr/local/ispconfig/server/le.restart"]
    2020-06-05 07:12:30,790:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#nginx,PluginEntryPoint#standalone,PluginEntryPoint#manual,PluginEntryPoint#webroot,PluginEntryPoint#apache,PluginEntryPoint#null)
    2020-06-05 07:12:30,805:INFO:certbot.renewal:Cert not yet due for renewal
    2020-06-05 07:12:30,812:INFO:certbot.renewal:Cert not yet due for renewal
    2020-06-05 07:12:30,817:INFO:certbot.renewal:Cert not yet due for renewal
    2020-06-05 07:12:30,823:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2019-03-30 08:06:17 UTC.
    2020-06-05 07:12:30,823:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...
    2020-06-05 07:12:30,851:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
    2020-06-05 07:12:30,856:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
    Description: Place files in webroot directory
    Interfaces: IAuthenticator, IPlugin
    Entry point: webroot = certbot.plugins.webroot:Authenticator
    Initialized: <certbot.plugins.webroot.Authenticator object at 0x3f93dd0>
    Prep: True
    2020-06-05 07:12:30,856:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x3f93dd0> and installer None
    2020-06-05 07:12:30,861:DEBUG:certbot.main:Picked account: <Account(3d4a93c96cb9821a200f768053700f5c)>
    2020-06-05 07:12:30,861:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
    2020-06-05 07:12:30,867:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
    2020-06-05 07:12:31,144:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
    2020-06-05 07:12:31,145:DEBUG:acme.client:Received response:
    HTTP 200
    Server: nginx
    Date: Fri, 05 Jun 2020 07:12:31 GMT
    Content-Type: application/json
    Content-Length: 658
    Connection: keep-alive
    Cache-Control: public, max-age=0, no-cache
    Replay-Nonce: 0102NywBaMlYr8ywVEfMi7Vz-qIoHlAAhI4fR-oZuUtrSgk
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=604800
    
    {
      "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",
      "kfJ3bXUr0bI": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
      "meta": {
        "caaIdentities": [
          "letsencrypt.org"
        ],
        "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
        "website": "https://letsencrypt.org"
      },
      "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
      "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",
      "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",
     
  6. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I think, if you do not trust the official Let's Encrypt client certbot, or find it difficult to use or update, etc., you can basically just remove it.

    This is because ISPConfig already has a script to automatically install acme.sh and use it in case it does not find certbot, and acme.sh has the capability to self-update via its cron job.

    I still prefer to use certbot, though I use it via certbot-auto as a change, meaning that although some say it is not necessary to replace certbot, I properly remove certbot and download certbot-auto to replace it, as it also has an auto-update feature like acme.sh.

    However, I did symlink that certbot-auto script to certbot in the bin directory, as I wish to shorten its CLI command for easy usage, though it is unnecessary since ISPConfig can already detect and use it.
     
    Last edited: Jun 9, 2020
  7. mikerogers

    mikerogers Member

    It has nothing to do with trusting the official client - I don't care what I have to do... I just want to update it so that it 1) supports ACMEv2 and 2) doesn't cause me any downtime.

    I just don't know how to do that when it's located in the weird spot it seems to be in. If possible I'd rather remove the one I have and download the one available via "yum" to make it easier to keep/update, etc. BUT again, I don't want to break anything, and I'm afraid to do it since this is a production box with dozens of sites.
     
  8. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    We are all here just to opine some solution, trying to help, but at the end it is up to you to understand and help yourself, because running a server does need a good level of knowledge, understanding and experience anyway.

    If you wish things to be "perfect", I'd say you had better hire ISPConfig experts to help, not post on a free board and expect a detailed and perfect guide, because we are only here as community helpers and most of us are not experts.
     
  9. mikerogers

    mikerogers Member

    I appreciate the help. I typically like to do things myself when I can and am just looking for some advice on the proper way to do it. I'm not looking for a free handout, etc. Not that it makes a difference, but I purchased the ISPConfig manuals quite a long time ago; I'm just showing that I'm not looking for someone to do it for free, just help and advice on doing it in the best way possible.

    Thanks again for any suggestions you had above... To clarify, are you saying that I should be able to just install a new version of certbot with, say, "yum install certbot"? Then how would I tell ISPConfig to use this new version vs. the old one? I'm not seeing anything in ISPconfig telling it where the new letsencrypt commands live (maybe I'm just missing that somewhere)?
     
  10. Steini86

    Steini86 Active Member

    Yes, just install a new version.
    See: https://git.ispconfig.org/ispconfig/ispconfig3/-/blob/master/server/lib/classes/letsencrypt.inc.php
    ISPconfig uses this to determine the certbot path. You can execute it yourself and see if the right path is found:
    Code:
    which letsencrypt certbot /root/.local/share/letsencrypt/bin/letsencrypt /opt/eff.org/certbot/venv/bin/certbot
    If the "letsencrypt" or "certbot" command is in the path variable, everything should be fine.

    The official instructions (https://certbot.eff.org/) are to
    Code:
    wget https://dl.eff.org/certbot-auto
    sudo mv certbot-auto /usr/local/bin/certbot-auto
    sudo chown root /usr/local/bin/certbot-auto
    sudo chmod 0755 /usr/local/bin/certbot-auto
    certbot-auto will auto-update in the future. (I am not using it myself; that is just what the website says.)
     
    Last edited: Jun 10, 2020
    ahrasis and Th0m like this.
  11. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    What I tried to explain earlier, when I said my way is to remove certbot and install certbot-auto, is because of my understanding of this code, i.e. if you still have certbot, it will use that first and not certbot-auto, as it is the last option in line.

    I find that I will have one certbot and one certbot-auto if I don't do that, so it won't do, as I need the latest version.

    I believe it is always good to check which LE certbot client you have installed before proceeding with the certbot-auto install, then remove it if you want to use the latest version; otherwise you might still be using the old one.

    By the way, I really don't know RHEL or CentOS well, though I used them 10 years ago, but from what I know their repo may not be up-to-date compared to Debian or Ubuntu or their PPA repo.

    Because of that, I do not recommend yum install certbot but yum remove certbot and installing certbot-auto if your distro version is supported by it (I say this because some newer distros like Ubuntu 20.04 are not yet supported by it).
     

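The two posts above describe the lookup ISPConfig does (the `which` line in Steini86's post) and why an old certbot left on the system wins over a newer certbot-auto (ahrasis). The script below is an added example for this thread, not ISPConfig's or certbot's own code: it runs that lookup the same way, counts renewal configs that still carry the acme-v01 server URL, and pulls the ACME directory host out of a certbot log like the one posted earlier. The candidate order is copied from the `which` command quoted in the thread; the renewal directory `/etc/letsencrypt/renewal`, the `acme-v01.` hostname test and the `Sending GET request to` log pattern are assumptions about a standard certbot layout.

```shell
#!/bin/sh
# Added example for this thread, not ISPConfig's or certbot's own code. It
# reproduces the client lookup ISPConfig's letsencrypt.inc.php does with
# `which` (candidate order copied from the command quoted in the thread) and
# then checks what the found client and its renewal configs would talk to.
# Assumptions: renewal configs live under /etc/letsencrypt/renewal, and an
# ACMEv1 endpoint is recognisable by an "acme-v01." hostname, as in the OP's log.

# First candidate that is executable. Bare names are resolved on $PATH (what
# `which` does); absolute paths are tested directly. Prints the path and
# returns 0, or returns 1 if nothing matched.
first_executable() {
    for cand in "$@"; do
        case "$cand" in
            /*) if [ -x "$cand" ]; then printf '%s\n' "$cand"; return 0; fi ;;
            *)  p=$(command -v "$cand" 2>/dev/null) && [ -x "$p" ] &&
                    { printf '%s\n' "$p"; return 0; } ;;
        esac
    done
    return 1
}

# The client ISPConfig would pick, in the order from the thread's `which` line:
# anything named letsencrypt or certbot on PATH wins over the old self-built
# copy under /root/.local, which in turn wins over the certbot-auto venv.
ispconfig_client() {
    first_executable letsencrypt certbot \
        /root/.local/share/letsencrypt/bin/letsencrypt \
        /opt/eff.org/certbot/venv/bin/certbot
}

# Count renewal configs in $1 (default /etc/letsencrypt/renewal) whose
# "server =" line still names the ACMEv1 directory. Prints "<v1> <total>".
count_v1_renewals() {
    dir=${1:-/etc/letsencrypt/renewal}
    total=0
    v1=0
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue          # unmatched glob or stray entry
        total=$((total + 1))
        if grep -Eq '^[[:space:]]*server[[:space:]]*=.*acme-v01\.' "$conf"; then
            v1=$((v1 + 1))
        fi
    done
    printf '%s %s\n' "$v1" "$total"
}

# ACME directory host(s) a certbot log actually contacted, taken from lines
# like the OP's "Sending GET request to https://acme-v01.api.letsencrypt.org/directory."
# After the upgrade a renewal run should show acme-v02 here, not acme-v01.
acme_hosts_in_log() {
    sed -n 's/.*Sending GET request to https:\/\/\([^/]*\)\/directory.*/\1/p' "$1" | sort -u
}

# Stand-alone run: report only, never abort; this is a check, not a fixer.
if client=$(ispconfig_client); then
    echo "ISPConfig will use: $client"
    "$client" --version 2>&1 | head -n 1
else
    echo "no letsencrypt/certbot client found on PATH or in the known locations"
fi
set -- $(count_v1_renewals)
echo "renewal configs still pointing at acme-v01: $1 of $2"
if [ -r /var/log/letsencrypt/letsencrypt.log ]; then
    echo "ACME endpoints seen in /var/log/letsencrypt/letsencrypt.log:"
    acme_hosts_in_log /var/log/letsencrypt/letsencrypt.log
fi
```

Run it once before touching anything, to see which binary ISPConfig will actually call and how old it is, and again after installing the replacement: the first line should change to the new path, and a subsequent `certbot renew --dry-run` should log acme-v02 rather than acme-v01. A nonzero acme-v01 count means those renewal configs still name the old endpoint and their `server` line needs checking, whichever client is installed.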