Let's Encrypt has announced that, "Beginning June 1, 2020, we will stop allowing new domains to validate using the ACMEv1 protocol. You should upgrade to an ACMEv2 compatible client before then, or certificate issuance will fail. For most people, simply upgrading to the latest version of your existing client will suffice. You can view the client list at: https://letsencrypt.org/docs/client-options/"
This article explains how to update certbot to the latest version (0.31 at the time of writing) on Ubuntu 16.04 LTS.
If you are on a non-LTS version such as 17.10, these steps will not work. You have to either update your OS or find another client that complies.
My test machine runs Ubuntu 16.04 LTS and Apache with certbot 0.21. You can check the OS and certbot versions with the following commands.
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.3 LTS
Release: 16.04
Codename: xenial
$ certbot --version
certbot 0.21.0

Now we need a newer version of certbot that supports ACMEv2. Certbot can be updated as follows:
Step 1) Run apt-get update
$ sudo apt-get update
Hit:1 http://europe-west1.gce.archive.ubuntu.com/ubuntu xenial InRelease
---------------------------------------------
Fetched 349 kB in 0s (593 kB/s)
Reading package lists... Done

Step 2) Upgrade certbot to the latest version
$ sudo apt-get install --only-upgrade certbot

This will upgrade only the certbot package, and only if it is installed.

$ sudo apt-get install --only-upgrade certbot
Reading package lists... Done
Building dependency tree
Reading state information... Done
..........................................................................
Setting up python-certbot-apache (0.31.0-1+ubuntu16.04.1+certbot+1) ...
Setting up python3-icu (1.9.2-2build1) ...
Step 3) Verify new Certbot Version
$ certbot --version
certbot 0.31.0

As you can see, we are now at 0.31, which supports ACMEv2. However, we need to do a trial run to verify that it is able to use ACMEv2.
Step 4) Do a Dry Run
$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
.........................................................
Cleaning up challenges
Step 5) Double-check the debug log to verify the ACME server. You need to be logged in as the root user to view the letsencrypt logs.
$ sudo su -
# cd /var/log/letsencrypt/
# sudo vi letsencrypt.log
If you search for "v02", you will be able to see entries for https://acme-staging-v02.api.letsencrypt.org/directory
DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
Note that if you see only acme-staging-v01, the update has not worked as expected. If the update is successful, you will see requests to https://acme-staging-v02.api.letsencrypt.org/directory
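The check in Step 5 can be scripted instead of searching the log by hand. The following is an added example, not part of the original article: the function names acme_hosts and acme_verdict are hypothetical, the sample log lines are constructed in the format of the DEBUG entry above, and the pattern also covers the production hosts (acme-v01 / acme-v02), not only staging.

```shell
#!/bin/sh
# Added example: report which ACME API versions a certbot debug log shows.
# Usage (as root, since the log is root-only): sh check_acme.sh /var/log/letsencrypt/letsencrypt.log

# Print each distinct Let's Encrypt ACME host found in the log, one per line.
acme_hosts() {
    grep -Eo 'https://acme(-staging)?-v0[0-9]+\.api\.letsencrypt\.org' "$1" 2>/dev/null \
        | sed 's#^https://##' | sort -u
}

# Print one verdict: v2-only, mixed, v1-only, none, or unreadable.
acme_verdict() {
    [ -r "$1" ] || { echo unreadable; return 2; }
    hosts=$(acme_hosts "$1")
    v1=no; v2=no
    case "$hosts" in *-v01.*) v1=yes ;; esac
    case "$hosts" in *-v02.*) v2=yes ;; esac
    if [ "$v2" = yes ] && [ "$v1" = no ]; then
        echo v2-only        # the upgrade worked
    elif [ "$v2" = yes ]; then
        echo mixed          # log still holds older v01 runs; check the latest run
    elif [ "$v1" = yes ]; then
        echo v1-only        # the update has not worked as expected
    else
        echo none           # no ACME requests logged; run the dry run first
    fi
}

if [ $# -gt 0 ]; then
    acme_hosts "$1"
    acme_verdict "$1"
else
    # No log given: run against constructed sample lines (not real output).
    demo_log=$(mktemp)
    cat > "$demo_log" <<'EOF'
DEBUG:certbot.main:certbot version: 0.31.0
DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
EOF
    echo "sample verdict: $(acme_verdict "$demo_log")"
    rm -f "$demo_log"
fi
```

A "mixed" verdict is expected on a machine whose log still contains runs from before the upgrade. In that case, look at the entries written by the most recent dry run.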
Sometimes the certbot upgrade may fail, as below:
$ sudo apt-get install --only-upgrade certbot
Reading package lists... Done
Building dependency tree
Reading state information... Done
You might want to run 'apt-get -f install' to correct these:

If this happens, you just need to run the following command.
$ sudo apt-get -f install