Updating Certbot on Ubuntu for ACMEv2 Upgrades

What to do when you get this email

You may have seen this message.
An email from Let's Encrypt stating that a certbot client currently in use speaks the out-of-date ACMEv1 protocol and needs to be updated.

If your services do not use certbot, the rest of this post is unlikely to help with this issue. What you should see with the command below is that the installed version is lower than the candidate version, which means it's important to move to the latest version. At the time of this recording, Ubuntu's latest version is 0.27.0, while a service set up in the last couple of years may have version 0.23.0 (as in the output below). Getting the latest version will also move the services onto the latest ACME v2 protocol.

Getting it updated

First, check what version you are running.

drew@geedew:~$ apt-cache policy certbot
certbot:
  Installed: 0.23.0-1
  Candidate: 0.27.0-1~ubuntu18.04.1
  Version table:
     0.27.0-1~ubuntu18.04.1 500
        500 http://mirrors.digitalocean.com/ubuntu bionic-updates/universe amd64 Packages
 *** 0.23.0-1 500
        500 http://mirrors.digitalocean.com/ubuntu bionic/universe amd64 Packages
        100 /var/lib/dpkg/status

Now install the latest certbot.

drew@geedew:~$ sudo apt install certbot

Then verify that the latest version is now installed.

drew@geedew:~$ apt-cache policy certbot
certbot:
  Installed: 0.27.0-1~ubuntu18.04.1
  Candidate: 0.27.0-1~ubuntu18.04.1
  Version table:
 *** 0.27.0-1~ubuntu18.04.1 500
        500 http://mirrors.digitalocean.com/ubuntu bionic-updates/universe amd64 Packages
        100 /var/lib/dpkg/status
     0.23.0-1 500
        500 http://mirrors.digitalocean.com/ubuntu bionic/universe amd64 Packages

And finally, make sure a dry-run works.

drew@geedew:/home/drew:~$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/geedew.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for geedew.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/geedew.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/geedew.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.

Success! At this point the domain should be all up to date with the latest ACMEv2 protocol.
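The version check above can be scripted across many hosts, together with a check of which renewal configs still name the old endpoint. This is an added example, not code from the original post: the function names are hypothetical, and it assumes certbot's renewal files record the endpoint in a `server = ...` line and that the ACMEv1 host is acme-v01.api.letsencrypt.org, neither of which appears in the post.

```shell
#!/bin/sh
# Added example, not from the original post.

# Read `apt-cache policy <pkg>` output on stdin and print "installed candidate".
# Returns 0 if an upgrade is pending (the versions differ), 1 if up to date,
# 2 if the package is not installed or the output could not be parsed.
upgrade_pending() {
    set -- $(awk '$1 == "Installed:" { i = $2 }
                  $1 == "Candidate:" { c = $2 }
                  END { print i, c }')
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "(none)" ] || return 2
    echo "$1 $2"
    [ "$1" != "$2" ]
}

# Print the lineage name of every renewal config in directory $1 whose
# `server` line still names the ACMEv1 endpoint.
# Assumption: the endpoint host is acme-v01.api.letsencrypt.org.
acmev1_lineages() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*server[[:space:]]*=.*acme-v01\.api\.letsencrypt\.org' "$f"; then
            basename "$f" .conf
        fi
    done
}

# Constructed sample: the pre-upgrade policy output shown in the post.
SAMPLE_POLICY='certbot:
  Installed: 0.23.0-1
  Candidate: 0.27.0-1~ubuntu18.04.1'

# Constructed renewal directory: one lineage pinned to v1, one on v2.
SAMPLE_DIR=$(mktemp -d)
printf '[renewalparams]\nserver = https://acme-v01.api.letsencrypt.org/directory\n' \
    > "$SAMPLE_DIR/v1site.example.conf"
printf '[renewalparams]\nserver = https://acme-v02.api.letsencrypt.org/directory\n' \
    > "$SAMPLE_DIR/v2site.example.conf"

if versions=$(printf '%s\n' "$SAMPLE_POLICY" | upgrade_pending); then
    echo "upgrade pending: $versions"
fi
for name in $(acmev1_lineages "$SAMPLE_DIR"); do
    echo "still on ACMEv1: $name"
done
```

On a real host, pipe `apt-cache policy certbot` into `upgrade_pending` and point `acmev1_lineages` at /etc/letsencrypt/renewal.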

Resources

  1. Let's Encrypt Forum, 02-01-2020
  2. Let's Encrypt Forum, 02-01-2020
  3. Certbot Documentation
  4. Geedew Blog
  5. Google Image Search: TKirby on Flickr