No renewal certificate error

Hi,

letsencrypt moved to API v2 in the meanwhile, deprecating API v1. Therefore i will receive this error:

Error registering: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.

This is for staging, if i want to test, whether i can get a cert.

When i want to get a new cert i get this:

Requesting a new certificate for example.com, using the website directory /var/www ..

.. request failed : Chained certificate downloaded from https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem is empty

If i just renew, i will be taken away from that page to the SSL Settings page (first Tab).

Since i use the builtin letsencrypt feature, what can i do? Will there be any update? Even updating Webim to 1.930 didn't fix that

Thanks and best j_m

Status: 
Closed (fixed)

Comments

Assigned: Unassigned »

Howdy -- thanks for your report!

I've asked Jamie for his thoughts on this, we'll see what he says.

Note that a workaround in the meantime may be to temporarily use the certbot client.

Well,

i made it now manually by using sslforfree.com; but i'd appreciate if it would work again in Webmin / Virtualmin as well (haven't checked on Virtualmin yet.

Thanks and best j_m

Sorry to ask or reply.

That V1 remark / announcement was known by 11-03-2019 and still not updated in virtualmin?

The original protocol used by Let’s Encrypt for certificate issuance and management is called ACMEv1. In March of 2018 we introduced support for ACMEv2, a newer version of the protocol that matches what was finalized today as RFC 8555. We have been encouraging subscribers to move to the ACMEv2 protocol.

Today we are announcing an end of life plan for ACMEv1.

In November of 2019 we will stop allowing new account registrations through our ACMEv1 API endpoint. Existing accounts will continue to function normally.

In June of 2020 we will stop allowing new domains to validate via ACMEv1.

We will be permanently disabling new ACME v1 registrations in the staging environment on October 1st .

And this one in august 2019. https://community.letsencrypt.org/t/important-notice-to-acme-client-deve...

Clients not compatible with ACME v2 will progressively disappear from https://letsencrypt.org/docs/client-options/ (They will be greyed out first, and then removed).
The objective is to points users only to ACME v2 clients as the ACME v1 API is deprecated and will be removed

YUP i don't understand why to wait longer with this part?

You may want to use the workaround mentioned in Comment #1 above, that will resolve any issues relating to the ACME protocol version until we're able to modify the built-in client to use the new protocol.

I was able to wait a day this time now that the brownout is complete and not have to use the workaround. Will use it next if needed. Thanks for planning this in, andreychek.

THis could maybe help to get it quicker done? https://github.com/Neilpang/acme.sh . THIS ONE WORKS EVEN WITH CENTOS 8.


    An ACME protocol client written purely in Shell (Unix shell) language.
    Full ACME protocol implementation.
    Support ACME v1 and ACME v2
    Support ACME v2 wildcard certs
    Simple, powerful and very easy to use. You only need 3 minutes to learn it.
    Bash, dash and sh compatible.
    Simplest shell script for Let's Encrypt free certificate client.
    Purely written in Shell with no dependencies on python or the official Let's Encrypt client.
    Just one script to issue, renew and install your certificates automatically.
    DOES NOT require root/sudoer access.
    Docker friendly
    IPv6 support
    Cron job notifications for renewal or error etc.

Commenting only for the sake of following this. Hopefully it's resolved by 10/31/19 :)

I have downloaded Virtualmin onto a new server and this still does not work...where are we at with this?

Same here, worked all month for me up until now, I deploy a new Vmin install almost every other day, but first time seeing this.

I wonder if this is actually the cause of all of my problems with email clients apps (particularly Microsoft Outlook mobile app) continuing to reject one of my client domain email SSL certs as being invalid?

following

The bash script at
git clone https://github.com/Neilpang/acme.sh.git worked for me. I was using centos 6 but others have said it works from centos 6 to 8

In the example below, replace example.com with your domain etc....

First as root:
yum install git
yum install socat

then as the user of the website:
git clone https://github.com/Neilpang/acme.sh.git
cd ./acme.sh
./acme.sh --install --accountemail "youremailname@yourdomain.com"

The --accountemail "youremailname@yourdomain.com" is the email used to register account to Let's Encrypt, you will receive renewal notice email here.

Now get the cert (you don't have to try to update a broken cert, just get a new one)
domain name comes first and then subdomains (-d example.com -d www.exampe.com )

./acme.sh --issue -d example.com -d www.exampe.com -w /home/username/public_html

Your cert is in /home/username/.acme.sh/exampe.com/exampe.com.cer
Your cert key is in /home/username/.acme.sh/exampe.com/exampe.com.key
The intermediate CA cert is in /home/username/.acme.sh/exampe.com/ca.cer
And the full chain certs is there: /home/username/.acme.sh/exampe.com/fullchain.cer

Back in Virtualmin Edit the website
Edit Virtual Server
Server Configuration
SSL Certificate
CA Certificate
Choose "In file on server" and browse to /home/usrname/.acme.sh/example.com/ca.cer
Save
Update Certificate and Key
Signed SSL certificate
"In file on server" and browse to /home/usrname/.acme.sh/example.com/example.com.cer
Matching Private Key
"In file on server" and browse to /home/usrname/.acme.sh/example.com/example.com.key
Install Now

Now the cert is installed and pointing to the files on the users directory.
The users cronjob that was created when you install acme.sh will check daily and renew every 60 days.
Check this with:
crontab -l

Look in this file below for renewal dates so you can check back to see it is still working properly in 60 days.
/home/username/.acme.sh/example.com/example.com.conf

The next Virtualmin release should install certbot whenever a Let's Encrypt certificate is requested... and in the future we'll likely even install certbot automatically when Virtualmin is installed. It'll use that in place of the built-in client.

In the meantime, you'd just need to manually install certbot -- on newer Debian and Ubuntu versions, that's included in their repos, you can just run: apt-get install certbot

With CentOS, that's in EPEL, you can run: yum install certbot

Certbot can also be installed from the eff.org website here: https://certbot.eff.org/

If certbot is installed, Virtualmin will use it automatically.

Solved with:

apt-get install socat certbot
certbot register

Complete with a valid e-mail.
Try to request new Let's Encrypt

What do you do if after installing cerbot, virtualmin still isn't using it? (or if it is using it, it's still failing for requesting v1 type certificates)

CentOS Linux 7.7.1908 Webmin version 1.932 Virtualmin version 6.08 certbot.noarch 0:0.39.0-1.el7

If you followed the directions I gave, you can see that the cert has updated via the virtualmin SSL Certificate "Current Certificate" interface, but Virtualmin is not doing the updating, the cronjob created by the amce.sh script is doing that. Choosing the key and cert that was created by the amce.sh script in Virtualmin's "Update Certificate and Key" tool will install those certs in Apache and point at the certs in the users directory. The amce.sh cronjob will keep those certs up to date. This whole procedure is a hack or patch to make let's encrypt continue to work until Virtualmin fixes the problem on their end. You could probably just leave it be and forget the lets encrypt part of Virtualmin once you have installed this amce.sh script and used Virtualmin's SSL Cert tool to point at them. But, if this problem is fixed in a future release of Virtualmin, just use Virtualmin's let's encrypt tool to reinstall a cert.

I an not the author or maintainer of the amce.sh script. I just used it because I had run into this let's encrypt renewal bug and I needed to get a SSL cert working again. I found a link to the script, without docs, here in this forum, gave it a try and then tried to give back a little by documenting my experience and success with using it.

Script I used was found at: https://github.com/Neilpang/acme.sh.git

That's my backup plan. I was responding to andreychek's comment, that if certbot is installed, virtualmin will just "use it" by default. So I installed it, and found it wasn't being used after all.

At the moment, I've worked around the issue by routing all domains through cloudflare, which allows me to use self-signed certificates in virtualmin. But, that leaves me tied to cloudflare for the time being (until virtualmin updates let's encrypt).

I was just curious as to why certbot wasn't being used by virtualmin, and if there was some other file/config that needed to be done after installing certbot to get virtualmin to see/use it.

Sorry, not sure what cerbot is or if it is used by the amce.sh script. My info refers back the Comment #15 above, where I describe using the github script to add a lets encrypt cert to a broken virtualmin installation. The script and docs at https://github.com/Neilpang/acme.sh are quite extensive and it does work. The OS that I was using was Centos 06, but according to their docs, it should work with all the major linux releases.

Confirmed that installing certbot and registering works Ubuntu 18.04 LTS

What about generating the cert within webmin, if i am not using Virtualmin?

Best j_m

Would be nice if there are howto's for such workarrounds provided by virtualmin? For the meantime.

Yeah confirmed running

apt-get install socat certbot
certbot register (enter an email)

Fixed the problem for me Ubuntu 18.04

this is ridiculous, none of the above work on Debian 9 with a fresh install of Virtualmin 6.08.

Requesting a certificate for joomla.domain.com from Let's Encrypt ..
.. request failed : Web-based validation failed : Failed to request certificate :
Error registering: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.

Edited to remove unnecessary language.

adamjedgar - does installing certbot not work?

adamjedgar, your post has been edited to remove the unnecessary language, let's keep things respectful here please :-)

Certbot should work on any system to get you a Let's Encrypt certificate. That's been the case for some time now. If you're having a problem, then we'll go over the issue and work on a way to get it fixed.

With the error you're seeing there, it looks like Virtualmin is still using the internal Let's Encrypt client. When certbot is installed though that shouldn't be the case... so we'd just need to look at why that's occurring.

This thread is a long enough and has enough different folks participating that we may need to break out some questions into separate requests, but a simple thing to check -- what output do you receive if you run these commands:

dpkg -l certbot
certbot --version

And as Jamie mentioned, if you hadn't tried the steps of installing certbot as I mentioned in Comment #16 (and Masplus sums up even better in Comment #17), you would indeed see the issue you described there.

I installed and registered certbot and Virtualmin won’t detect or use it. I’ve had to run certbot manually

h2ojunkie, what output do you see when running this command:

certbot --version

Also, what distro/version are you using?

I found this thread by searching the error I just got after trying to renew a cert after migrating to a new server. Reading it over, I installed certbot in Centos 7, and registered. I tried my request again and it worked perfectly. It looks like certbot is a great solution.

2ndkauboy's picture
Submitted by 2ndkauboy on Wed, 11/20/2019 - 09:22

We had the same issue with a server running Ubuntu 18.04 today. There is a quick solution. You just have to update the ACME client manually.

You can find the current acme-tiny client here: https://github.com/diafygi/acme-tiny Simply download the acme_tiny.py and overwrite the file /usr/share/webmin/webmin/acme_tiny.py on your server. You should then be able to get Let's Encrypt certificates just like before.

I hope the development team will fix that soon.

CentOS Linux 7.7.1908

33 >> It is working correctly.

acme_tiny.py and overwrite the file /usr/libexec/webmin/webmin/acme_tiny.py

33 >> It is working correctly.

acme_tiny.py and overwrite the file /usr/libexec/webmin/webmin/acme_tiny.py

Will this stay after new upcomming update virtualmin/webmin?

So not changing then to certbot with update, because i don't know if changing / update/renew to much then the LIMITS of letsencrypt could be a problem if doing all sudden once?

2ndkauboy's picture
Submitted by 2ndkauboy on Thu, 11/21/2019 - 10:31

I'm not aware of Virtualmin is handling it's own updates and if they overwrite. I would assume they don't. If they do, you have to redo this fix.

I have already created a patch and hopefully it will make it into the next release: https://github.com/webmin/webmin/pull/1143

We're actually considering just not including acme_tiny.py at all, and relying on users to install the official certbot client. This would remove the risk of ACME protocol compatability issues, but also means that users need to install certbot .... what do people think?

Hey Jamie, I think a good compromise would be to give the option at installation time to include the official certbot installation. I think if a base install doesn't have it, it'll be a support issue, and Virtualmin will be missing a critical feature. For the next update of existing servers, the administrator should get a prompt at first login to install certbot and run them through the registration routine. Or, as soon as somebody clicks the "SSL" option in server setup, it prompts the install if the rpm isn't already installed. At the very least, a page detailing the supported installation will be helpful.

As script plugin? ( so a complete one or prepared original with up to date howto / manual)

I guess depends also on license..... ?

Then the handling in GUI the SSL options virtualmin / webmin.

For most it is ........ which script as long as it works and is supported in GUI from WEBPANELS

This one has https://github.com/Neilpang/acme.sh License is GPLv3 the certbot however have more people working on it i guess, which must not be a better solution only mention this and the tiny acme which in use now pff.

If is was that easy to choose and have GUI in virtualmin working for ssl options .....

Yes, we will (or already have) added Certbot as a dependency during Virtualmin installs. I like the idea of prompting the admin to install it if missing though - we'll add that too.

Get Let's Encrypt free SSL working after 11/01/19 on Virtualmin.

Half a day to figure this out, hope it helps someone... my notes:

11/01/19 At this point Let's Encrypt has dropped Acme v1 on new certificate installs.

Let's Encrypt now uses Certbot ACME v2 protocol. You must install Certbot Acme v2, give out an email address and run one ssl request - all from the command line.

This assumes Centos 7 or Rhel 7 and Virtualmin install.sh . Let's Encrypt will error on any ssl request for new webmin or virtual servers. Log into your host server with ssh on putty on the self-signed certificate. Do not use the Webmin terminal, it will error also. Certbot Instructions are here: https://certbot.eff.org/lets-encrypt/centosrhel7-apache

Example:

Install Certbot: yum -y install certbot python2-certbot-apache

Get and install your certificates, just one time: certbot --apache

Here you are requested for an email address and several other easy questions. This will install a new certificate and activate certbot for use on the system. Now the Webmin and Virtualmin tools will work as before. No need to do command line again.

I tried this #33. It work great for me. Ubuntu 1804

you are better off just going to the certbot website directly and following the tutorial on how to setup.

It is really simple and easy to follow. I followed these instructions and it worked perfectly first go.

https://certbot.eff.org/instructions

A lot of this stuff on Virtualmin forum is vague and often doesn't work properly.

#33 worked great for me. Ubuntu 1604

andreychek is right. Thanks, Andrey!

On Ubuntu 18.04, installing socat and certbot packages and registering with certbot register makes Virtualmin start using certbot, and certificates are now being generated normally.

To JamieCameron: I vote to set certbot as a dependency. In this way, Virtualmin will be always compliant/compatible.

Yes, that is the plan..

Replacing acme_tiny.py with github version worked for me.

Just download acme-tiny from https://github.com/diafygi/acme-tiny and replace it in usr/libexec/webmin/webmin/acme_tiny.py for CentOS 7 as suggested by solution #33 .

Comment #17 worked perfectly for me. I am now able to use LetsEncrypt as normal.

#33 has it! That's definitely the best, easiest and safest solution! Many thanks @2ndkauboy! :D

Shouldn't be a problem for Jamie to simply include the new version of this "acme_tiny.py"-thingy in the next vmin update :)

Edit: this worked on 2 sites, but has since failed with script errors.

I tried using the latest acme_tiny.py from https://github.com/diafygi/acme-tiny as jorgecardenas1 suggested on a new install (Debian 10), as well as an existing Debian 9. In both cases it only worked sporadically, and I gave up.

THIS WORKED UNIVERSALLY, WITHOUT ANY KIND OF COMPROMISES IN TERMS OF VIRTUALMIN FUNCTIONALITY:

apt-get install certbot
certbot register
/etc/init.d/webmin restart

After completing this, I am able to make requests for new certs and renewals normally without issue from the Server Configuration > SSL Certificates > Let's Encrypt screen in Virtualmin.

From my point of view, I think a transition phase should be appropriated.

I just see that the last webmin version does not provide Let's encrypt anymore, unless you install certbot. It means thousand of servers will have their certificates not renewed soon, because certbot will not be installed automaticaly.

certbot package as well as others supported packages (letsencrypt.sh I guess?) are not provided on old OS like Debian <= 8. so Iit will cause dependencies issues, hard to resolve, hard to provide...

@JamieCameron I don't think packages are more reliable in time than libraries, and for sure they are less flexibles. Upgrading acme_tiny.py by in virtualmin seems to be easy, and I don't think Let's encrypt will change their protocol in the next 5 years.

Choose advisedly :)

Virtualmin is making a move from using acme_tiny to using certbot instead.

Some older distros don't have a "certbot" package, such as CentOS 6 and Debian 8. In those cases, it's possible to download the "certbot" or "certbot-auto" binary and copy that into /usr/local/bin.

Instructions for handling that on Debian 8 are here:

https://certbot.eff.org/lets-encrypt/debianjessie-apache.html

It's just a matter of downloading a file, copying it out to your server, and possibly tweaking the permissions.

I appreciate that the above does involve having to perform some maintenance on your servers, though trying to maintain certbot and acme_tiny was bringing it's own maintenance problems. The certbot program also supports all of the Let's Encrypt features, where acme_tiny does not.

Sorry for any inconvenience, but we felt the above was the best thing to do for both long-term maintenance and functionality.

from https://groups.google.com/forum/#!topic/virtualmin-announce/TURKamut5d0:

For Debian and Ubuntu, certbot is available in the OS standard repositories, and I believe it will be installed automatically when you upgrade.

Nope. At least for my environment (Debian 9.11), right after the Webmin 1.940 upgrade, Let's Encrypt wasn't there. Had to do:

sudo apt-get install certbot python-certbot-apache

I have updated to the latest version of webmin 1.940 and now I can't create certificates, I get this error:

"The Let's Encrypt client command letsencrypt or certbot was not found on your system"

I have centos 7.5

If you receive an error that certbot isn't installed, you would just need to install certbot. On CentOS, you can do that with "yum install certbot".

There's enough different topics included in this thread, that I think it's time to close this thread and start a new ones for any additional questions folks have.

We've released a Webmin 1.940 release, addressing the initial issue above.

If anyone sees a bug with that, feel free to file a bug report.

If Virtualmin GPL users have any questions on it, let us know in the Forums.

And if Virtualmin Pro users have any questions, they can create a new support request here.

Thanks!