SOLVED: certbot-auto Certbot will no longer receive updates.

Discussion in 'Installation/Configuration' started by DarioL, Jan 6, 2021.

  1. DarioL

    DarioL Member

    Hello, I have try to update certbot-auto on some Centos 7 servers but I have get this error on all servers:
    Code:
    [root@s-ispc certbot]# ./certbot-auto --version
    Upgrading certbot-auto 1.3.0 to 1.11.0...
    Replacing certbot-auto...
    Your system is not supported by certbot-auto anymore.
    Certbot will no longer receive updates.
    Please visit https://certbot.eff.org/ to check for other alternatives.
    certbot 1.3.0
    I have try to reinstall follow the steps from howto perfect server centos7 but the error is the same.
    Someone have some suggest to update certbot-auto?
    Many thanks.
    Dario
     
  2. DarioL

    DarioL Member

    i saw that it is also possible to install certbot via yum
    Code:
    yum install certbot
    and remove /opt/certbot/certbot-auto
    My question is: I can do that?
    ispconfig It still works?
    Thanks for reply.
     
  3. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  4. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    ISPConfig 3.2 already officially made acme.sh the main LE client, as it is more reliable according to the developers. May be you shouldn't be using certbot-auto or certbot at all and should try acme.sh instead, to work in its place?
     
  5. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    You should use certbot-auto. Is your OS up to date?

    You could also switch to acme.sh, like @ahrasis mentioned.
     
  6. DarioL

    DarioL Member

    Yes, my OS is up to date
    Then, ispconfig what command use? acme.sh, /opt/certbot/certbot-auto or certbot?
    Where I find the acme.sh shell command? (https://github.com/acmesh-official/acme.sh) ?
    And howto install it for ispconfig?
    Thanks for reply.
    Dario
     
  7. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Delete current LE SSL certs for your server then update (or force update) your ISPConfig while during the update say yes to secure your server with new LE SSL certs. ISPConfig 3.2 is already packaged with acme.sh.
     
  8. DarioL

    DarioL Member

    I have do an update of ISPConfig to 3.2.2 but I do not find any acme.sh into ISPConfig
    Code:
    [root@mcs01 ~]# find /usr/local/ispconfig | grep acme.sh
    [root@mcs01 ~]# 
    What is the exact procedure to migrate from certbot to acme.sh ?
    Many thanks for reply
     
  9. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

     
  10. DarioL

    DarioL Member

    Sorry, but how you can see:
    Code:
    [root@mcs01 tmp]# wget -q https://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz -O-|tar tfz -| grep acme
    ispconfig3_install/interface/acme/
    ispconfig3_install/interface/acme/.well-known/
    ispconfig3_install/interface/acme/.well-known/acme-challenge/
    ispconfig3_install/interface/acme/.well-known/acme-challenge/empty.dir
    ispconfig3_install/install/tpl/nginx_acme.vhost.master
    ispconfig3_install/install/tpl/apache_acme.conf.master
    
    acme.sh it's not into ISPConfig 3.2.2 (last) package
    What is the best way to resolve my issue?
    Many thanks
     
  11. DarioL

    DarioL Member

    I have try install acme.sh with this command:
    Code:
    curl https://get.acme.sh | sh -s
    then I have restart the server.
    Now, if I enable ISPConfig debug I can see this messages when I enable LE on a new site and run /usr/local/ispconfig/server/server.sh from root shell:
    Code:
    27.01.2021-17:12 - DEBUG - safe_exec cmd: chattr +i '/var/www/clients/client1/web54' - return code: 0
    which: no acme.sh in (/usr/local/ispconfig/server/scripts)
    27.01.2021-17:13 - WARNING - Could not verify domain testle.mydomain.com, so excluding it from letsencrypt request.
    which: no acme.sh in (/usr/local/ispconfig/server/scripts)
    27.01.2021-17:13 - WARNING - Let's Encrypt SSL Cert for: testle.mydomain.com could not be issued.
    27.01.2021-17:13 - WARNING -
    
    If I try run acme.sh from shell I get this:
    Code:
    [root@mcs01 ~]# acme.sh --version
    https://github.com/acmesh-official/acme.sh
    v2.8.9
    [root@mcs01 ~]# type acme.sh
    acme.sh is aliased to `/root/.acme.sh/acme.sh'
    
    Do you have some suggest to resolve my issue?
    Many thanks
     
  12. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    It is automatically installed when installing ISPConfig and if certbot is not found.
     
  13. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    ISPConfig does not ship with a copy of acme.sh, it has code to install the lastest version from get.acme.sh.

    That seems to be output from which(1) on centos that doesn't appear on debian, which is simply silent about nonexistent filenames. I would suspect it's harmless, but what do you get from running 'which /usr/local/ispconfig/server/scripts/acme.sh /root/.acme.sh/acme.sh' ? Also is /bin/sh actually bash or another shell?
     
  14. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    This is probably the real issue preventing a certificate from issuing; go through the letsencrypt error faq for the reasons this happens.
     
  15. DarioL

    DarioL Member

    Ok, thanks
    ISPConfig is already installed on this server, what I can do in this case?
    I have do this step.
    a) Remove old /opt/certbot and /opt/eff.org
    b) Run /usr/local/ispconfig/server/scripts/ispconfig_update.sh --force [1]
    Then I have try to re enable LE on test site and run /usr/local/ispconfig/server/server.sh via line command
    At this point I have see this god news:
    Code:
    which: no acme.sh in (/usr/local/ispconfig/server/scripts)
    which: no acme.sh in (/root/.acme.sh)
    which: no letsencrypt in (/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin)
    which: no certbot in (/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin)
    which: no letsencrypt in (/root/.local/share/letsencrypt/bin)
    which: no certbot in (/opt/eff.org/certbot/venv/bin)
    --2021-01-27 17:38:01--  https://get.acme.sh/
    Risoluzione di get.acme.sh (get.acme.sh)... 104.21.34.62, 172.67.199.16, 2606:4700:3031::ac43:c710, ...
    Connessione a get.acme.sh (get.acme.sh)|104.21.34.62|:443... connesso.
    Richiesta HTTP inviata, in attesa di risposta... 200 OK
    Lunghezza: non specificato [text/html]
    Salvataggio in: "STDOUT"
    ...
    
    but after some second I get thi bad message:
    Code:
    ....
        [ <=>                                                                                                                 ] 775         --.-K/s   in 0s
    2021-01-27 17:38:01 (7,04 MB/s) - scritto su stdout [775]
    27.01.2021-17:39 - WARNING - Could not verify domain testle.mycloudster.com, so excluding it from letsencrypt request.
    which: no letsencrypt in (/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin)
    which: no certbot in (/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin)
    which: no letsencrypt in (/root/.local/share/letsencrypt/bin)
    which: no certbot in (/opt/eff.org/certbot/venv/bin)
    which: no acme.sh in (/usr/local/ispconfig/server/scripts)
    27.01.2021-17:39 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 1
    27.01.2021-17:39 - DEBUG - safe_exec cmd: which 'apachectl' 2> /dev/null - return code: 0
    27.01.2021-17:39 - WARNING - Let's Encrypt SSL Cert for: testle.mydomain.com could not be issued.
    27.01.2021-17:39 - WARNING -
    ....
    Whats is wrong at this point?
    Thanks for reply
    Dario


    [1] output
    Code:
    >> Update
    Operating System: CentOS 7.9
    This application will update ISPConfig 3 on your server.
    Shall the script create a ISPConfig backup in /var/backup/ now? (yes,no) [yes]: no
    Checking ISPConfig database .. OK
    Starting incremental database update.
    Loading SQL patch file: /tmp/update_runner.sh.FSkD5J8zTr/install/sql/incremental/upd_dev_collection.sql
    Reconfigure Permissions in master database? (yes,no) [no]:
    Service 'dns_server' has been detected (currently disabled) do you want to enable and configure it?  (yes,no) [no]:
    Service 'firewall_server' has been detected (currently disabled) do you want to enable and configure it?  (yes,no) [no]:
    Reconfigure Services? (yes,no,selected) [yes]:
    
    Configuring Postfix
    Configuring Dovecot
    Configuring Spamassassin
    Configuring Amavisd
    Configuring Getmail
    Configuring Pureftpd
    Configuring Apache
    Configuring vlogger
    Configuring Apps vhost
    Configuring Jailkit
    Configuring Database
    Updating ISPConfig
    ISPConfig Port [8080]:
    Create new ISPConfig SSL certificate (yes,no) [no]: no
    Reconfigure Crontab? (yes,no) [yes]: no
    Restarting services ...
    Update finished.
    
     
  16. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Still the same:
     
  17. DarioL

    DarioL Member

    Thank Jesse, in this link I have found the solution:
    I have enable this flag and now LE via acme.sh work great.
    Many thanks.
    Dario
     
  18. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Sorry. This is what I had in mind but said it wrongly.
    Great.
     
  19. DarioL

    DarioL Member

    Another little question:
    Now that certbot is gone, How to setup into acme.sh a technical email address like certbot?
    Sometime LE send to me useful warning email about updates or expire old domains
    Now, since acme.sh is installed from ISPConfig setup, there is not a question for a email address
    Let me know what is the best way to add this technical email address
    Thanks
    Dario
     
  20. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Actually I already suggested this address to be added during the creation of ssl on ISP Config install or update because there is a bug if added later.

    Meaning it works if you use acme.sh --install --accountemail <email address> but not fully if you use command acme.sh --update-account --accountemail <email address> as reported at: https://github.com/acmesh-official/acme.sh/issues/1074
     

Share This Page