Unable to issue a new Letsencrypt SSL certificate (Debian 8 upgraded to Debian 9)

Discussion in 'ISPConfig 3 Priority Support' started by curiousadmin, Feb 3, 2021.

  1. curiousadmin

    curiousadmin Member HowtoForge Supporter

    Hello Community,
    A long time ago I installed the server using "The Perfect Server - Debian 8.4 Jessie (Apache2, BIND, Dovecot, ISPConfig 3.1)". I didn't do anything custom to it, and later upgraded it to Debian 9 without many issues.

    Somebody already asked about it here, but it wasn't really clear what to do to not break things, and he didn't specify his configuration.

    However, now I'm stuck on issuing new certificates. Apparently I'm running an old version of certbot which would not issue any more certificates.

    What I tried so far:
    root@server3:/opt/certbot# ./certbot-auto --version
    Upgrading certbot-auto 0.17.0 to 1.12.0...
    Replacing certbot-auto...
    Your system is not supported by certbot-auto anymore.
    certbot-auto and its Certbot installation will no longer receive updates.
    You will not receive any bug fixes including those fixing server compatibility
    or security problems.
    Please visit https://certbot.eff.org/ to check for other alternatives.

    So I'm stuck with this old version which would not issue any new certificates:
    root@server3:/var/log/letsencrypt# cat letsencrypt.log
    2021-02-03 15:18:07,548:DEBUG:certbot.log:Exiting abnormally:
    Traceback (most recent call last):
      File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 753, in main
        return config.func(config, plugins)
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 692, in certonly
        lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 82, in _get_and_save_cert
        lineage = le_client.obtain_and_enroll_certificate(domains, certname)
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/client.py", line 357, in obtain_and_enroll_certificate
        certr, chain, key, _ = self.obtain_certificate(domains)
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/client.py", line 318, in obtain_certificate
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 66, in get_authorizations
        self.authzr[domain] = self.acme.request_domain_challenges(domain)
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 212, in request_domain_challenges
        typ=messages.IDENTIFIER_FQDN, value=domain), new_authzr_uri)
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 191, in request_challenges
        response = self.net.post(self.directory.new_authz, new_authz)
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 682, in post
        return self._post_once(*args, **kwargs)
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 695, in _post_once
        return self._check_response(response, content_type=content_type)
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 582, in _check_response
        raise messages.Error.from_json(jobj)
    Error: urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Error creating new authz :: Validations for new domains are disabled in the V1 API (https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430)
    As I installed certbot manually following the howto, it would not upgrade, and I clearly need the new ACMEv2 version to keep going.

    Keeping the ISPConfig + Debian 9 configuration in mind what is the next best move?
    I'm afraid the manual upgrade would not work (see below):
    cd /opt/certbot
    wget https://dl.eff.org/certbot-auto
    chmod a+x ./certbot-auto
    Please correct me if I'm wrong, but it seems that the version in the repositories (0.28.0-1) is also not a sufficient version to have ACMEv2 in place.

    To me it looks like one huge mess, and not even Ubuntu 20.04 is supported. They recommend going with snap.

    Is it safe to follow those instructions installing it via snap considering we have ISPConfig layer on top?
    Would it not break existing configuration and existing certificates?

    This must be troubling lots of people (or will be soon enough) - thank you all for sharing your best practices on this.
    Last edited: Feb 14, 2021
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

  3. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    On my Debian 9 system certbot is working.
    # apt policy certbot
      Installed: 0.28.0-1~deb9u3
      Candidate: 0.28.0-1~deb9u3
     *** 0.28.0-1~deb9u3 500
            500 http://security.debian.org/debian-security stretch/updates/main amd64 Packages
            100 /var/lib/dpkg/status
         0.28.0-1~deb9u2 500
            500 http://debian.mirrors.ovh.net/debian stretch/main amd64 Packages
         0.28.0-1~bpo9+1 100
            100 http://ftp.debian.org/debian stretch-backports/main amd64 Packages
  4. curiousadmin

    curiousadmin Member HowtoForge Supporter

    Thank you for this.

    So I assume the system-supplied version 0.28 is sufficient for ACMEv2?

    How to safely migrate from the manual installation in
    towards the system packages?
    If I just delete that directory and then do apt install certbot would it pickup the configuration from /etc/letsencrypt automatically/migrate it?
  5. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    How did you install certbot? Examine the installation files, there may be uninstall script or instructions on how to uninstall.
    When that certbot is uninstalled, do apt-get install certbot.
  6. curiousadmin

    curiousadmin Member HowtoForge Supporter

    I just did:
    cd /opt/certbot
    wget https://dl.eff.org/certbot-auto
    chmod a+x ./certbot-auto
    as per the howtoforge howto posted above...

    Edit according to this:
    It should be fine to just delete it - the only difference is that the howtoforge instructions put it in /opt/certbot instead of /usr/local/bin
    Not sure if it's a good idea to clean up the crontabs, or whether it will be picked up by the system repository once installed from it? (apt-get install certbot)
    Last edited: Feb 3, 2021
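Added example (not part of the thread, ISPConfig or certbot): before deleting /opt/certbot and installing the Debian package, it is worth knowing where the old certbot-auto is still wired in. The wrapper in /opt/certbot is only a launcher; the actual install it created is the virtualenv under /root/.local/share/letsencrypt that the traceback above shows, while /etc/letsencrypt holds the certificates, accounts and renewal configs and is what the packaged certbot reads. The script below audits cron files for calls to the old wrapper. The sample cron.d file is constructed for the demonstration, and the paths are passed in as arguments so the same functions can be pointed at the real cron locations.

```shell
#!/bin/sh
# Added example, not from the thread or ISPConfig: audit cron for references to the
# manually installed certbot-auto before deleting /opt/certbot and switching to the
# Debian package. Paths are passed in so the same functions run over constructed samples.

# Print "file:line: entry" for every non-comment cron line that still calls the old
# certbot-auto (by script name or by the /opt/certbot directory the howto used).
find_old_certbot_refs() {
    awk '/^[[:space:]]*#/ { next }
         /certbot-auto|\/opt\/certbot/ { print FILENAME ":" FNR ": " $0 }' "$@"
}

# Number of such references; zero means cron no longer depends on /opt/certbot.
count_old_certbot_refs() {
    find_old_certbot_refs "$@" | awk 'END { print NR }'
}

# Constructed sample cron.d file (assumed content, not copied from any real server):
# one live certbot-auto job, one commented-out copy, one unrelated job.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_CRON="$SAMPLE_DIR/certbot"
cat > "$SAMPLE_CRON" <<'EOF'
# Daily renewal installed by the old howto
0 3 * * * root /opt/certbot/certbot-auto renew --quiet --no-self-upgrade
#30 3 * * * root /opt/certbot/certbot-auto renew --quiet
0 4 * * * root /usr/bin/find /tmp -mtime +7 -delete
EOF

find_old_certbot_refs "$SAMPLE_CRON"
echo "references: $(count_old_certbot_refs "$SAMPLE_CRON")"
```

On the real box run the functions over /etc/crontab, /etc/cron.d/* and /var/spool/cron/crontabs/* (and root's crontab -l output). The Debian certbot package brings its own /etc/cron.d/certbot and certbot.timer, so any entry this finds should be removed rather than left running next to the packaged one, otherwise two clients renew the same lineages.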
  7. curiousadmin

    curiousadmin Member HowtoForge Supporter

    Is that 0.28.0-1~deb9u3 ACMEv2 compatible?
    Apparently after March 26, 2021 ACMEv1 will be completely disabled...
    Thank you in advance...
  8. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I think that should be ACMEv2 compatible. You just need to read the link that @Th0m posted, which is basically to delete all ACMEv1 LE SSL certs and ask for a new one so that ACMEv2 LE SSL certs can be issued.
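Added example (not part of the thread, ISPConfig or certbot) for telling which existing certificates were issued over ACMEv1 and so need to be re-requested. Certbot records the directory URL it used in each file under /etc/letsencrypt/renewal as a "server = ..." line; the v1 endpoint is acme-v01.api.letsencrypt.org and the v2 endpoint is acme-v02.api.letsencrypt.org, and certbot 0.22 and later (so the 0.28 in stretch) default to the v02 endpoint when that line is absent. The sample renewal confs are constructed for the demonstration; the renewal directory is passed in so the same functions can be pointed at /etc/letsencrypt/renewal.

```shell
#!/bin/sh
# Added example, not from the thread or ISPConfig: report which lineages in a renewal
# directory still pin the retired ACMEv1 endpoint. The directory is a parameter so the
# functions run over constructed sample confs here and over /etc/letsencrypt/renewal live.

# Print v1, v2, default (no server line, client default applies) or other for one conf.
acme_endpoint_version() {
    srv=$(sed -n 's/^[[:space:]]*server[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    case $srv in
        *acme-v01.api.letsencrypt.org*) echo v1 ;;
        *acme-v02.api.letsencrypt.org*) echo v2 ;;
        "")                             echo default ;;
        *)                              echo other ;;
    esac
}

# Print the cert names (conf file name without .conf) whose renewal conf pins ACMEv1.
list_v1_lineages() {
    for conf in "$1"/*.conf; do
        [ -e "$conf" ] || continue
        [ "$(acme_endpoint_version "$conf")" = v1 ] && basename "$conf" .conf
    done
    return 0
}

# Write a minimal constructed renewal conf (assumed layout, trimmed to the relevant keys).
# $1 = directory, $2 = cert name, $3 = server URL (empty to omit the line)
write_sample_conf() {
    {
        printf 'version = 0.17.0\n'
        printf 'archive_dir = /etc/letsencrypt/archive/%s\n' "$2"
        printf 'cert = /etc/letsencrypt/live/%s/cert.pem\n\n' "$2"
        printf '[renewalparams]\nauthenticator = webroot\n'
        if [ -n "$3" ]; then printf 'server = %s\n' "$3"; fi
    } > "$1/$2.conf"
}

SAMPLE_DIR=$(mktemp -d)
write_sample_conf "$SAMPLE_DIR" old.example.com  https://acme-v01.api.letsencrypt.org/directory
write_sample_conf "$SAMPLE_DIR" new.example.com  https://acme-v02.api.letsencrypt.org/directory
write_sample_conf "$SAMPLE_DIR" bare.example.com ""

for conf in "$SAMPLE_DIR"/*.conf; do
    printf '%-20s %s\n' "$(basename "$conf" .conf)" "$(acme_endpoint_version "$conf")"
done
echo "still on ACMEv1: $(list_v1_lineages "$SAMPLE_DIR" | tr '\n' ' ')"
```

Each name that comes out as v1 is a certificate that must be requested again rather than renewed: either delete it and let ISPConfig request a fresh one, as described above, or re-run certbot for the same domains with --server https://acme-v02.api.letsencrypt.org/directory. Afterwards, certbot renew --dry-run confirms that every remaining lineage renews against the v2 endpoint.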
