Hello Community,

A long time ago I installed the server using "The Perfect Server - Debian 8.4 Jessie (Apache2, BIND, Dovecot, ISPConfig 3.1)". I didn't do anything custom to it, and later upgraded it to Debian 9 without many issues. Somebody already asked about it here, but it wasn't really clear what to do to not break things, and he didn't specify his configuration.

However, now I'm stuck on issuing new certificates. Apparently I'm running an old version of certbot which would not issue any more certificates.

What I tried so far:

root@server3:/opt/certbot# ./certbot-auto --version

Output:
Code:
Upgrading certbot-auto 0.17.0 to 1.12.0...
Replacing certbot-auto...
Your system is not supported by certbot-auto anymore.
certbot-auto and its Certbot installation will no longer receive updates.
You will not receive any bug fixes including those fixing server compatibility
or security problems.
Please visit https://certbot.eff.org/ to check for other alternatives.

So I'm stuck with this old version which would not issue any new certificates:

root@server3:/var/log/letsencrypt# cat letsencrypt.log

Output:
Code:
2021-02-03 15:18:07,548:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 753, in main
    return config.func(config, plugins)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 692, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 82, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/client.py", line 357, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/client.py", line 318, in obtain_certificate
    self.config.allow_subset_of_names)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 66, in get_authorizations
    self.authzr[domain] = self.acme.request_domain_challenges(domain)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 212, in request_domain_challenges
    typ=messages.IDENTIFIER_FQDN, value=domain), new_authzr_uri)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 191, in request_challenges
    response = self.net.post(self.directory.new_authz, new_authz)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 682, in post
    return self._post_once(*args, **kwargs)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 695, in _post_once
    return self._check_response(response, content_type=content_type)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 582, in _check_response
    raise messages.Error.from_json(jobj)
Error: urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Error creating new authz :: Validations for new domains are disabled in the V1 API (https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430)

As I installed the certbot manually following the howto, it would not upgrade, and I clearly need the new version ACMEv2 to keep going.

Keeping the ISPConfig + Debian 9 configuration in mind, what is the next best move? I'm afraid the manual upgrade would not work (see below).

Code:
cd /opt/certbot
wget https://dl.eff.org/certbot-auto
chmod a+x ./certbot-auto
./certbot-auto

Please correct me if I'm wrong, but it seems that the version in the repositories (0.28.0-1) is also not a sufficient version to have the ACMEv2 in place.
To me it looks like one huge mess, and not even Ubuntu 20.04 is supported. They recommend going with snap. Is it safe to follow those instructions and install it via snap, considering we have the ISPConfig layer on top? Would it not break the existing configuration and existing certificates?

This must be troubling lots of people (or will be soon enough) - thank you all for sharing your best practices on this.
See https://www.howtoforge.com/communit...oftware-to-continue-using-lets-encrypt.83950/

It might be that Debian 9 is not supported anymore... if so, do a dist-upgrade to Debian 10, update certbot, and then run a forced update to reconfigure services:

Code:
ispconfig_update.sh --force
On my Debian 9 system certbot is working.

Code:
# apt policy certbot
certbot:
  Asennettu: 0.28.0-1~deb9u3
  Ehdokas: 0.28.0-1~deb9u3
  Versiotaulukko:
 *** 0.28.0-1~deb9u3 500
        500 http://security.debian.org/debian-security stretch/updates/main amd64 Packages
        100 /var/lib/dpkg/status
     0.28.0-1~deb9u2 500
        500 http://debian.mirrors.ovh.net/debian stretch/main amd64 Packages
     0.28.0-1~bpo9+1 100
        100 http://ftp.debian.org/debian stretch-backports/main amd64 Packages
Thank you for this. So I assume the system-supplied version of 0.28 is sufficient for ACMEv2?

How to safely migrate from the manual installation in

Code:
/opt/certbot

towards the system packages? If I just delete that directory and then do apt install certbot, would it pick up the configuration from /etc/letsencrypt automatically/migrate it?
How did you install certbot? Examine the installation files; there may be an uninstall script or instructions on how to uninstall. When that certbot is uninstalled, do apt-get install certbot.
I just did:

Code:
cd /opt/certbot
wget https://dl.eff.org/certbot-auto
chmod a+x ./certbot-auto
./certbot-auto

as per the howtoforge howto posted above...

Edit: according to this: https://certbot.eff.org/docs/uninstall.html it should be fine to just delete it - the only difference is that the howtoforge instructions put it in /opt/certbot instead of /usr/local/bin.

Not sure if it's a good idea to clean up the crontabs, or whether it will be picked up by the system repository once installed from it? (apt-get install certbot)
Is that 0.28.0-1~deb9u3 ACMEv2 compatible? Apparently after March 26 2021 the ACMEv1 will be completely disabled... Thank you in advance...
I think that should be ACMEv2 compatible. You just need to read the link that @Th0m posted, which is basically to delete all ACMEv1 LE SSL certs and ask for new ones so that ACMEv2 LE SSL certs can be issued.
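
A read-only check related to the ACMEv1/ACMEv2 question in this thread, added here as an example and not posted by any participant: it reports which certbot lineages still have an ACMEv1 directory URL in their renewal config. It assumes certbot's standard `renewal/<name>.conf` layout under the config directory with a `server =` line; the function names, the sample tree and the example.com hostnames are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): classify certbot lineages by ACME API.
# Assumption: <config-dir>/renewal/<name>.conf holds a "server = <URL>" line.

# Print "<lineage> <v1|v2|other|unset>" for every renewal config under $1.
acme_api_report() {
    renewal_dir="${1:-/etc/letsencrypt}/renewal"
    for conf in "$renewal_dir"/*.conf; do
        [ -f "$conf" ] || continue          # no configs: glob stays literal
        name=$(basename "$conf" .conf)
        # Take the last "server = ..." line, tolerating spaces around "=".
        server=$(sed -n 's/^[[:space:]]*server[[:space:]]*=[[:space:]]*//p' \
                 "$conf" | tail -n 1)
        case "$server" in
            "")          api=unset ;;
            *acme-v01.*) api=v1 ;;          # end-of-life API from the log above
            *acme-v02.*) api=v2 ;;
            *)           api=other ;;       # staging or a non-Let's Encrypt CA
        esac
        printf '%s %s\n' "$name" "$api"
    done
}

# Print how many lineages under $1 still point at ACMEv1.
acme_v1_count() {
    acme_api_report "$1" | awk '$2 == "v1" { n++ } END { print n + 0 }'
}

# Constructed sample tree so the check can be tried offline.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/renewal"
    printf '[renewalparams]\nauthenticator = webroot\nserver = %s\n' \
        'https://acme-v01.api.letsencrypt.org/directory' \
        > "$d/renewal/old.example.com.conf"
    printf '[renewalparams]\nauthenticator = webroot\nserver = %s\n' \
        'https://acme-v02.api.letsencrypt.org/directory' \
        > "$d/renewal/new.example.com.conf"
    echo "$d"
}

sample=$(make_sample)
acme_api_report "$sample"
echo "lineages still on ACMEv1: $(acme_v1_count "$sample")"
rm -rf "$sample"
```

On a real server, call `acme_api_report /etc/letsencrypt` as root; the script only reads the renewal files and changes nothing.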