All times are UTC + 8 hours

Let's Encrypt ACME client outdated by letsencrypt


Postby sksbir » Thu Feb 20, 2020 5:32 am

Hi
Here is a mail I just received after renewing my certificate:

Client IP address: <my IP>
User agent:
Hostname(s): "<my domain>"
Request time: 2020-02-16 ....UTC
Beginning June 1, 2020, we will stop allowing new domains to validate using
the ACMEv1 protocol. You should upgrade to an ACMEv2 compatible client before
then, or certificate issuance will fail. For most people, simply upgrading to
the latest version of your existing client will suffice. You can view the
client list at: https://letsencrypt.org/docs/client-options/

If you're unsure how your certificate is managed, get in touch with the
person who installed the certificate for you. If you don't know who to
contact, please view the help section in our community forum at
https://community.letsencrypt.org/c/help and use the search bar to check if
there's an existing solution for your question. If there isn't, please create
a new topic and fill out the help template.

ACMEv1 API deprecation details can be found in our community forum:
https://community.letsencrypt.org/t/end ... for-acmev1

As a reminder: In the future, Let's Encrypt will be performing multiple
domain validation requests for each domain name when you issue a certificate.
While you're working on migrating to ACMEv2, please check that your system
configuration will not block validation requests made by new Let's Encrypt IP
addresses, or block multiple matching requests. Per our FAQ
(https://letsencrypt.org/docs/faq/), we don't publish a list of IP addresses
we use to validate, and this list may change at any time.

To receive more frequent updates, subscribe to our API Announcements:
https://community.letsencrypt.org/t/abo ... s-category

Thank you for joining us on our mission to create a more secure and privacy-
respecting Web!

All the best,

Let's Encrypt
sksbir
 
Posts: 328
Joined: Tue Aug 25, 2015 9:23 pm

Re: Let's Encrypt ACME client outdated by letsencrypt

Postby orion » Thu Feb 20, 2020 10:05 am

I thought NAS uses certbot, but it seems not?? You'd better report it to asustor directly too.
orion
 
Posts: 2614
Joined: Wed May 29, 2013 11:09 am

Re: Let's Encrypt ACME client outdated by letsencrypt

Postby RainCaster » Sat Mar 14, 2020 2:20 am

I get a failure message from this now. "Unable to apply settings. Please try again. (Ref. 5401)"

I wonder if the challenge fails because of the odd port number being used. (not 80/443)
RainCaster
 
Posts: 12
Joined: Mon Feb 06, 2017 11:37 pm

Re: Let's Encrypt ACME client outdated by letsencrypt

Postby orion » Mon Mar 16, 2020 10:25 am

RainCaster wrote: I get a failure message from this now. "Unable to apply settings. Please try again. (Ref. 5401)"

I wonder if the challenge fails because of the odd port number being used. (not 80/443)

I guess that's a different story from OP. And, yes, you'll need to leave port 80 open for your web site (letsencrypt requirement). https://www.asustor.com/en/online/College_topic?topic=324
orion
 
Posts: 2614
Joined: Wed May 29, 2013 11:09 am

Re: Let's Encrypt ACME client outdated by letsencrypt

Postby jauling » Tue May 05, 2020 1:07 am

I see in the release notes that 3.4.6.RCO3 (released on 2019-12-25) should have introduced ACMEv2. I've been running 3.4.7.RFO2 for over 5 weeks now, but I recently got an email from Let's Encrypt saying that ACMEv1 was used on 2020-04-29 to renew my certs.

I see a crontab entry for root on my AS5104T that is executing this daily at midnight:
0 0 * * * TAG=CERTIFICATE /usr/builtin/bin/certificate update-cert


Anyone figure out how this client works? I looked at the binary, and it reads the file /usr/builtin/etc/certificate/certificate.json, which seems to show that my Let's Encrypt cert is type 2, but I really don't know if that has anything to do with ACMEv1 vs ACMEv2.
jauling
 
Posts: 43
Joined: Wed Feb 01, 2017 1:34 am
Location: Amsterdam
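
One way to approach the ACMEv1-versus-ACMEv2 question raised in the post above, as an added example that is not part of the thread and not ASUSTOR's code: search the client's files for Let's Encrypt's directory hostnames (acme-v01 is the ACMEv1 API, acme-v02 is ACMEv2). The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not ASUSTOR's code): report which Let's Encrypt ACME API
# generation a client's files refer to, by searching for directory hostnames.
V1_HOSTS='acme-v01.api.letsencrypt.org acme-staging.api.letsencrypt.org'
V2_HOSTS='acme-v02.api.letsencrypt.org acme-staging-v02.api.letsencrypt.org'

# has_any FILE HOST...: succeeds if FILE contains any HOST as a literal string.
# -a reads binaries as text, -F disables regex, -q stops at the first match.
has_any() {
    file=$1; shift
    for host in "$@"; do
        grep -aqF -- "$host" "$file" 2>/dev/null && return 0
    done
    return 1
}

# classify_file FILE: prints v1-only, v2-only, v1+v2 or none.
classify_file() {
    v1=no; v2=no
    has_any "$1" $V1_HOSTS && v1=yes   # unquoted on purpose: split the list
    has_any "$1" $V2_HOSTS && v2=yes
    case "$v1/$v2" in
        yes/yes) echo 'v1+v2' ;;
        yes/no)  echo 'v1-only' ;;
        no/yes)  echo 'v2-only' ;;
        *)       echo 'none' ;;
    esac
}

# scan_tree DIR: one "result<TAB>path" line per file that names an endpoint.
scan_tree() {
    find "$1" -type f 2>/dev/null | while IFS= read -r path; do
        result=$(classify_file "$path")
        [ "$result" = none ] || printf '%s\t%s\n' "$result" "$path"
    done
}

# Constructed sample tree standing in for a client's install directory.
make_demo_tree() {
    d=$(mktemp -d)
    printf '\001\002\377https://acme-v01.api.letsencrypt.org/directory\001' > "$d/old-client.bin"
    printf 'SERVER="https://acme-v02.api.letsencrypt.org/directory"\n' > "$d/new-client.sh"
    printf '{"note": "constructed, no endpoint here"}\n' > "$d/settings.json"
    echo "$d"
}

# Scan the directory given as $1, or the constructed demo tree if none is given.
if [ -n "${1:-}" ]; then scan_tree "$1"; else
    demo=$(make_demo_tree); scan_tree "$demo" | sort; rm -rf "$demo"
fi
```

A file that mentions both endpoints only shows that the client can speak both versions; which one a renewal actually uses still has to be confirmed from the client's configuration or logs.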

Re: Let's Encrypt ACME client outdated by letsencrypt

Postby sksbir » Wed May 06, 2020 4:46 am

jauling wrote: I see in the release notes that 3.4.6.RCO3 (released on 2019-12-25) should have introduced ACMEv2. I've been running 3.4.7.RFO2 for over 5 weeks now, but I recently got an email from Let's Encrypt saying that ACMEv1 was used on 2020-04-29 to renew my certs.

I see a crontab entry for root on my AS5104T that is executing this daily at midnight:
0 0 * * * TAG=CERTIFICATE /usr/builtin/bin/certificate update-cert


Anyone figure out how this client works? I looked at the binary, and it reads the file /usr/builtin/etc/certificate/certificate.json, which seems to show that my Let's Encrypt cert is type 2, but I really don't know if that has anything to do with ACMEv1 vs ACMEv2.


Same for me. I got the mail a second time from LetsEncrypt.
Meanwhile, Asustor support answered the case: "We have already updated to ACME to v2 already."

Maybe letsencrypt sends mail at each renewal, regardless of the version used.
sksbir
 
Posts: 328
Joined: Tue Aug 25, 2015 9:23 pm

Re: Let's Encrypt ACME client outdated by letsencrypt

Postby gunemalli » Wed May 20, 2020 7:29 am

I have an AS1002T v2 with ADM v3.5.0.R5D3. This uses acme.sh instead of certbot and has no issues with LetsEncrypt. Maybe try updating the ACME client software and see if that helps (mine is v2.0.0.r5). I have worked with acme.sh a lot for other Linux deployments and it has a ton of functionality that certbot doesn't have.
gunemalli
 
Posts: 1
Joined: Wed May 20, 2020 7:19 am
