Koozali.org: home of the SME Server

[SOLVED] Failure to update Let's Encrypt after moving to smeserver-letsencrypt

Michail Pappas

Hello all,

I've been using the dehydrated script since its introduction, before packages of smeserver-letsencrypt and dehydrated were available. Since I've been receiving warnings about ACME v1 EOL, today I've plunged into trying to do the same job with smeserver-letsencrypt.

Thing is, I did not know how to get rid of the existing dehydrated installation. I've left that aside and configured the packaged dehydrated using the wiki instructions. Trying to get a new certificate in test mode ended with an error, regardless of whether I was trying the v1 or v2 APIs.

Then I made the serious error of nuking everything: I uninstalled the smeserver-letsencrypt and dehydrated packages and also did:
Code:
config show modSSL
config delprop modSSL CertificateChainFile
config delprop modSSL crt
config delprop modSSL key
rm /home/e-smith/ssl.{crt,key,pem}/*
rm -rf /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
signal-event  post-upgrade; signal-event reboot

I re-installed smeserver-letsencrypt and dehydrated, but the problem persists.

My configuration:
Code:
# config show modSSL
modSSL=service
    TCPPort=443
    access=public
    status=enabled
# config show letsencrypt
letsencrypt=service
    ACCEPT_TERMS=yes
    API=2
    configure=none
    email=<mymail>
    hookScript=disabled
    status=test
# ll /etc/dehydrated/
total 32
drwxr-x--- 3 root root 4096 Jun 10 08:56 accounts
drwxr-x--- 2 root root 4096 Jul 25  2019 archive
drwxr-x--- 2 root root 4096 Jul 25  2019 certs
drwxr-x--- 2 root root 4096 Jun 10 08:51 conf.d
-rw-r--r-- 1 root root  286 Jun 10 08:51 config
-rw-r--r-- 1 root root   16 Jun 10 08:55 domains.txt
-rwxr-x--- 1 root root 8045 Jun 26  2019 hook.sh
# dehydrated -c
# INFO: Using main config file /etc/dehydrated/config
  + ERROR: An error occurred while sending head-request to https://acme-v01.api.letsencrypt.org/terms (Status 403)

Details:
HTTP/1.1 403 Forbidden
Server: nginx
Date: Thu, 10 Jun 2021 06:13:53 GMT
Content-Type: application/problem+json
Content-Length: 333
Connection: keep-alive
ETag: "60b68461-14d"

# config setprop letsencrypt API 1
# signal-event console-save
# dehydrated -c
# INFO: Using main config file /etc/dehydrated/config
  + ERROR: An error occurred while sending get-request to https://acme-staging.api.letsencrypt.org/directory (Status 403)

Details:
{
  "type": "urn:acme:error:serverInternal",
  "detail": "ACMEv1 is deprecated and you can no longer get certificates from this endpoint. Please use the ACMEv2 endpoint, you may need to update your ACME client software to do so. Visit https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430/27 for more information."
}

Any help will be appreciated.


« Last Edit: June 10, 2021, 08:33:31 AM by Michail Pappas »

Michail Pappas

Found the culprit: the contrib-provided dehydrated script is placed in /usr/bin. However, the old one also still existed in /usr/local/bin. Invoking dehydrated called the latter one. Removing it and rebooting fixed things up.

Works perfectly with the v2 API. (Once more) awesome work, folks! :)
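
The cause found in this thread, an older copy in /usr/local/bin taking precedence over the packaged one in /usr/bin, can be checked for by walking PATH in lookup order. This is an added example, not part of the original posts or of the contrib; the function name find_shadowed and the temporary-directory demo are constructed for illustration.

```shell
#!/bin/sh
# find_shadowed NAME [PATHLIST]
# Prints every executable called NAME on PATHLIST (default: $PATH) in lookup
# order. The first hit is the one the shell runs; later hits are shadowed.
find_shadowed() {
    name=$1
    pathlist=${2:-$PATH}
    first=""
    old_ifs=$IFS
    IFS=:
    set -f                          # no globbing while splitting the list
    for dir in $pathlist; do
        [ -n "$dir" ] || dir=.      # an empty PATH entry means the current dir
        candidate=$dir/$name
        if [ -f "$candidate" ] && [ -x "$candidate" ]; then
            if [ -z "$first" ]; then
                first=$candidate
                printf 'ACTIVE   %s\n' "$candidate"
            else
                printf 'SHADOWED %s\n' "$candidate"
            fi
        fi
    done
    set +f
    IFS=$old_ifs
}

# Constructed demo: two fake copies in temp dirs standing in for
# /usr/local/bin (old manual install) and /usr/bin (packaged script).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/local/bin" "$tmp/usr/bin"
    for d in "$tmp/usr/local/bin" "$tmp/usr/bin"; do
        printf '#!/bin/sh\n' > "$d/dehydrated"
        chmod +x "$d/dehydrated"
    done
    find_shadowed dehydrated "$tmp/usr/local/bin:$tmp/usr/bin"
    rm -rf "$tmp"
}
demo
```

On the server itself, `find_shadowed dehydrated` checks the real PATH; a SHADOWED line for /usr/bin/dehydrated means the packaged script is not the one being run.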