Ubuntu+18.04.3+ISPConfig3.1.15p2+certbot027.0 need upgrade [SOLVED]

I have installed Certbot by this instruction:
https://www.howtoforge.com/tutorial...pureftpd-bind-postfix-doveot-and-ispconfig/2/
Ubuntu 18.04
Command: apt-get -y install certbot
certbot --version = certbot 0.27.0
python3-certbot/bionic-updates,bionic-updates,bionic-updates,bionic-updates,now 0.27.0-1~ubuntu18.04.1 all [installed,automatic]
I need to upgrade to ACMEv2 version of Certbot.
Is there a standard command for this?
This is for Ubuntu 16.04 - is it something similar? I do not want to break something.
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe <- Bionic
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot python-certbot-apache

I got this message from @letsencrypt.org
Beginning June 1, 2020, we will stop allowing new domains to validate using
the ACMEv1 protocol. You should upgrade to an ACMEv2 compatible client before
then, or certificate issuance will fail. For most people, simply upgrading to
the latest version of your existing client will suffice.​

 

Are you sure the current cerbot does not support Acmev2? I can not find info on which version started supporting Acmev2, but I believe it has been available since 2018.

 

No I'm not sure it not support v2, but I got this message:
According to our records, the software client you're using to get Let's
Encrypt TLS/SSL certificates issued or renewed at least one HTTPS certificate
in the past two weeks using the ACMEv1 protocol. Your client's IP address was:
2a01:4f8:xxxxxxxxxxxxxx:279a::2

After reading a lot on www - I understand that I should have version 0.28.x at least..
Is this a Debian or Ubuntu command? And what does it?
apt update && apt install --only-upgrade python3-certbot

 

root@xxxxx ~ # dpkg -l python3-acme
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==========================-==================-
ii python3-acme 0.31.0-2~ubuntu18. all ACME protocol library for Python 3
root@xxxxx ~ # dpkg -l python3-certbot
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==========================-==================-
ii python3-certbot 0.27.0-1~ubuntu18. all main library for certbot
root@xxxxx ~ # apt list --upgradeable
Listing... Done

 

Your certbot version already supports ACMEv2
Use "certbot --dry-run -v renew" to see if is connecting to "https://acme-staging-v02.api.letsencrypt.org"
If not, you have probably done something (wrong) to your configuration file.

 

Yes
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/cert/fa9xxxxxxxxxxx
Is used.
Thanx!

 

This should already support v02. Problems may vary from double account, old config etc. I personally use certbot-auto for latest version but there is no need to do the same.

 

Is certbot (repo installed) and certbot-auto (manually) interchangable, ie using same files and certificates for ispconfig ?
Can you just switch versions ?
Becouse my own test 1 year ago showed that certbot broke.

 

To OP, maybee old expired cert is still called for with v01, check with:
certbot certificates
or
certbot certificates | grep -i expired
Then delete files with:
(make sure LetsEncrypt is turned off for expired-domain.test in Apache FIRST, else Apache dies)
certbot delete --cert-name expired-domain.test

 

This was helpful - thanx!

 

Thanks.
I wonder what happens when i unclick the LetsEncrypt i GUI ?
Some domains have domain.test-0001, domain.test-0002 as name.
Should the GUI code delete all files with certbot delete --cert-name expired-domain.test when inactivating ? and certbot delete --cert-name expired-domain.test-0001 ?
I like my servers cleaned properly.

Sorry for being out of thread now ;-)

 

I have done a cleaning on server.
certbot delete --cert-name expired-domain.test
Restarted Apache - and still running.

 

Not running after reboot

Jan 21 15:07:51 mail0 systemd[1]: Starting The Apache HTTP Server...
Jan 21 15:07:51 mail0 apachectl[6359]: AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/000-ispconfig.conf:73
Jan 21 15:07:51 mail0 apachectl[6359]: AH00526: Syntax error on line 63 of /etc/apache2/sites-enabled/000-ispconfig.vhost:
Jan 21 15:07:51 mail0 apachectl[6359]: SSLCertificateFile: file '/usr/local/ispconfig/interface/ssl/ispserver.crt' does not exist or is empty
Jan 21 15:07:51 mail0 apachectl[6359]: Action 'start' failed.
Jan 21 15:07:51 mail0 apachectl[6359]: The Apache error log may have more information.
Jan 21 15:07:51 mail0 systemd[1]: apache2.service: Control process exited, code=exited status=1
Jan 21 15:07:51 mail0 systemd[1]: apache2.service: Failed with result 'exit-code'.
Jan 21 15:07:51 mail0 systemd[1]: Failed to start The Apache HTTP Server.
root@mail0 ~ # cd /usr/local/ispconfig/interface/ssl/
root@mail0 /usr/local/ispconfig/interface/ssl # ls -l
total 56
-rwxr-x--- 1 root root 45 Oct 16 19:17 empty.dir
lrwxrwxrwx 1 root root 62 Oct 4 2018 ispserver-crt-181004041617.bak -> /etc/letsencrypt/live/mail0.myserver-0005/fullchain.pem
lrwxrwxrwx 1 root root 62 Oct 4 2018 ispserver.crt -> /etc/letsencrypt/live/mail0.myserver-0006/fullchain.pem
lrwxrwxrwx 1 root root 63 Sep 24 2018 ispserver.crt-181004041617.bak -> /var/www/mail0.myserver/ssl/mail0.myserver-le.crt
lrwxrwxrwx 1 root root 57 Oct 4 2018 ispserver.crt-181004042407.bak -> /etc/letsencrypt/live/mail0.myserver/fullchain.pem
lrwxrwxrwx 1 root root 57 Oct 4 2018 ispserver.crt-181004043542.bak -> /etc/letsencrypt/live/mail0.myserver/fullchain.pem
lrwxrwxrwx 1 root root 63 Oct 4 2018 ispserver.crt-181004095456.bak -> /var/www/mail0.myserver/ssl/mail0.myserver-le.crt
lrwxrwxrwx 1 root root 62 Oct 4 2018 ispserver.crt-181004102147.bak -> /etc/letsencrypt/live/mail0.myserver-0005/fullchain.pem
lrwxrwxrwx 1 root root 57 Oct 4 2018 ispserver.crt-181004104441.bak -> /etc/letsencrypt/live/mail0.myserver/fullchain.pem
lrwxrwxrwx 1 root root 57 Oct 4 2018 ispserver.crt-181004154659.bak -> /etc/letsencrypt/live/mail0.myserver/fullchain.pem
-rwxr-x--- 1 root root 1805 Oct 4 2018 ispserver.csr
lrwxrwxrwx 1 root root 60 Oct 4 2018 ispserver.key -> /etc/letsencrypt/live/mail0.myserver-0006/privkey.pem
lrwxrwxrwx 1 root root 63 Sep 24 2018 ispserver.key-181004041617.bak -> /var/www/mail0.myserver/ssl/mail0.myserver-le.key
lrwxrwxrwx 1 root root 55 Oct 4 2018 ispserver.key-181004042407.bak -> /etc/letsencrypt/live/mail0.myserver/privkey.pem
lrwxrwxrwx 1 root root 55 Oct 4 2018 ispserver.key-181004043811.bak -> /etc/letsencrypt/live/mail0.myserver/privkey.pem
lrwxrwxrwx 1 root root 60 Oct 4 2018 ispserver.key-181004102147.bak -> /etc/letsencrypt/live/mail0.myserver-0005/privkey.pem
-rwxr-x--- 1 root root 3243 Oct 4 2018 ispserver.key-181004154659.bak
lrwxrwxrwx 1 root root 55 Oct 4 2018 ispserver.key.secure -> /etc/letsencrypt/live/mail0.myserver/privkey.pem
-rwxr-x--- 1 root root 7435 Oct 4 2018 ispserver.pem
lrwxrwxrwx 1 root root 63 Oct 4 2018 ispserver.pem-181004095459.bak -> /var/www/mail0.myserver/ssl/mail0.myserver-le.crt

Any way of regenerate CERTS ? ---- I have backup of the etc folder..

 

How do I find the password?
service apache2 restart
Enter passphrase for SSL/TLS keys for mail0.myserver.net:8080 (RSA):

 

Hmm
I think I remember that password - but not accepted.
Remake CERT ?

 

Apache error-log
[Tue Jan 21 16:29:50.179031 2020] [ssl:emerg] [pid 5748] AH02580: Init: Pass phrase incorrect for key mail0.myserver:8080:0
[Tue Jan 21 16:29:50.179130 2020] [ssl:emerg] [pid 5748] SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
[Tue Jan 21 16:29:50.179150 2020] [ssl:emerg] [pid 5748] SSL Library Error: error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error
[Tue Jan 21 16:29:50.179165 2020] [ssl:emerg] [pid 5748] SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
[Tue Jan 21 16:29:50.179181 2020] [ssl:emerg] [pid 5748] SSL Library Error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error (Type=RSAPrivateKey)
[Tue Jan 21 16:29:50.179197 2020] [ssl:emerg] [pid 5748] SSL Library Error: error:04093004:rsa routinesld_rsa_priv_decode:RSA lib
[Tue Jan 21 16:29:50.179210 2020] [ssl:emerg] [pid 5748] SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
[Tue Jan 21 16:29:50.179225 2020] [ssl:emerg] [pid 5748] SSL Library Error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error (Type=PKCS8_PRIV_KEY_INFO)
[Tue Jan 21 16:29:50.179234 2020] [ssl:emerg] [pid 5748] AH02312: Fatal error initialising mod_ssl, exiting.
[Tue Jan 21 16:29:50.179241 2020] [ssl:emerg] [pid 5748] AH02564: Failed to configure encrypted (?) private key mail0.myserver:8080:0, check /usr/local/ispconfig/interface/ssl/ispserver.key
AH00016: Configuration Failed

 

do ISPConfig update - and regenerate CERT ?
There are no updates available for ISPConfig 3.1.15p2 ...

Password entry required for 'Enter passphrase for SSL/TLS keys for mail0.myserver:8080 (RSA):' (PID 4687).
Please enter password with the systemd-tty-ask-password-agent tool!