This was a helpful post, and I’m hoping that no one that’s followed its suggestions has run into any issues. (I was worried that subsequently upgrading Ghost might introduce some problems.)
But apparently one might need to manually update a configuration file too as upgrading acme.sh doesn’t seem to do that automatically:
Thanks for the necromancy. This might help with an issue I’m having.
You don’t happen to know what one needs to do to replace ‘acme-v01’ with ‘acme-v02’? This is probably hopelessly n00by, but the comments on the Acme Issue don’t spell this out in any way clearly.
An acme.sh contributor just made a change that looks like it will update config files automatically, but I’m not sure whether that’s in the ‘release’ version (if there is one).
But making the change manually is pretty easy.
This was the relevant comment in the acme.sh issue [formatted by me]:
… just replace acme-v01 occurrences by acme-v02 in ~/.acme.sh/yourdomain.tld/yourdomain.tld.conf
~/.acme.sh is where acme.sh was installed for that commenter. On your server/computer, it might be installed somewhere else. You should be able to find out where exactly it is by running whereis acme.sh.
If my site was example.com, then the config file would be in example.com/example.com.conf relative to (i.e. ‘under’) the directory where acme.sh is installed.
Open the config file in a text editor and replace acme-v01 with acme-v02 – there were three (3) URLs in my config file that needed to be modified.
I was able to run the acme.sh --cron command successfully immediately after editing the config file.
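The manual edit described above can be scripted. The following is an added example, not part of the original posts or of acme.sh itself: it replaces acme-v01 with acme-v02 in one domain config, keeps a backup, and reports how many lines it changed. The function names and the sample config are constructed for illustration; of the variable names, only Le_LinkCert appears in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): switch an acme.sh domain config from the
# ACME v1 host to the v2 host, keeping a backup and the file's owner and mode.

migrate_acme_conf() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }
    # Number of lines still pointing at the v1 host (grep exits 1 on zero hits).
    hits=$(grep -c 'acme-v01' "$conf" || true)
    if [ "$hits" -eq 0 ]; then
        echo 0
        return 0
    fi
    cp -p "$conf" "$conf.bak" || return 1      # backup for rollback
    tmp=$(mktemp) || return 1
    if ! sed 's/acme-v01/acme-v02/g' "$conf" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    # Overwrite in place so the original inode, owner and mode are kept.
    cat "$tmp" > "$conf"
    rm -f "$tmp"
    echo "$hits"
}

# Constructed sample config; only Le_LinkCert is named in the thread, the other
# variable names and all URLs are assumptions for the demo.
write_sample_conf() {
    cat > "$1" <<'EOF'
Le_Domain='example.com'
Le_API='https://acme-v01.api.letsencrypt.org/directory'
Le_LinkCert='https://acme-v01.api.letsencrypt.org/acme/cert/CONSTRUCTED'
Le_LinkIssuer='https://acme-v01.api.letsencrypt.org/acme/issuer-cert'
EOF
}

demo_dir=$(mktemp -d)
write_sample_conf "$demo_dir/example.com.conf"
echo "lines changed: $(migrate_acme_conf "$demo_dir/example.com.conf")"
grep -n 'acme-v0' "$demo_dir/example.com.conf"
rm -rf "$demo_dir"
```

On a real server, call migrate_acme_conf with the path to the domain's .conf file, as a user that can write to that file; the original is left beside it with a .bak suffix.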
I actually tested running whereis acme.sh on my server just a few minutes ago and it did NOT work. I’m sorry for not actually testing it before!
I noticed that other people indicated that acme.sh was installed in the directory /root/.acme.sh. On my server, it’s installed in the directory /etc/letsencrypt/. You can confirm where you’ve installed it on your server via ls; example:
kenny@some-server:~$ sudo ls /etc/letsencrypt/
account.conf acme.sh acme.sh.env ca deploy dnsapi http.header notify renewal-hooks example.com
example.com above is a directory for a dummy example domain name.
I’m going to assume acme.sh is installed under /etc/letsencrypt/.
Then, upgrade your site’s config file. Assuming your site’s domain name is example.com, the config file should be at /etc/letsencrypt/example.com/example.com.conf.
You need to change the host for three URLs in three config variable values in this file; the config variables:
Thank you very much Kenny. That was very helpful, and very clearly explained (if I could understand it must have been).
I have a standard ghost install and should just add for others that acme.sh lives in /etc/letsencrypt/ and that one of the config variables did indeed need updating (Le_LinkCert).
Sadly, my problem persists. I might have made the mistake of installing acme.sh as sudo — which I would hugely unrecommend — and whenever I try to run the cronjob I get
acme.sh: command not found
My gut is to simply reinstall acme.sh and --issue new certs. I will try and figure out how.
If you would reply with the actual terminal output, including the shell prompt (scrubbed of any details you don’t want to share), I’ll gladly offer feedback about what you could try next.
I think it should be possible, and maybe pretty easy/straightforward, to fix any problems you might have because you installed it via sudo.
(I also don’t like that acme.sh seemingly has problems being run via sudo – there’s a lot of good reasons why it’s generally better to run commands via sudo than by logging in as root.)
Thanks for the continued help Kenny. I’m glad to hear installing via sudo (plus --force) hasn’t broken my site.
I posted here in the forums with my preexisting setup in case any of that flags. The tl;dr is I believe my certificates are in fact renewed in /etc/letsencrypt but the myriad browsers I’ve tried the site in claim otherwise. They seem to be opening the older, expired cert.
I’ve done a manual renew and my cert seems to be renewed well into Oct.
The three commands I’ve tried are:
sudo "/etc/letsencrypt"/acme.sh --cron --home "/etc/letsencrypt" > /dev/null. There’s no output here so I believe this has done nothing.
:/etc/letsencrypt$ acme.sh --cron outputs /etc/letsencrypt/acme.sh: line 264: /etc/letsencrypt/acme.sh.log: Permission denied (repeated a bunch) THEN →
[Tue Aug 10 09:51:55 UTC 2021] Skip, Next renewal time is: Mon Oct 4 10:03:46 UTC 2021
/etc/letsencrypt/acme.sh: line 264: /etc/letsencrypt/acme.sh.log: Permission denied
[Tue Aug 10 09:51:55 UTC 2021] Add '--force' to force to renew.
[Tue Aug 10 09:51:55 UTC 2021] ===End cron===
(I’ve cut a bunch of permission denied lines.)
Then running the above with --force yields
[Tue Aug 10 09:52:09 UTC 2021] Only RSA or EC key is supported. keyfile=/etc/letsencrypt/ca/acme-v02.api.letsencrypt.org/directory/account.key
cat: /etc/letsencrypt/ca/acme-v02.api.letsencrypt.org/directory/account.key: Permission denied
/etc/letsencrypt/acme.sh: line 264: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 264: /etc/letsencrypt/acme.sh.log: Permission denied
[Tue Aug 10 09:52:09 UTC 2021] Please check log file for more details: /etc/letsencrypt/acme.sh.log
/etc/letsencrypt/acme.sh: line 264: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 264: /etc/letsencrypt/acme.sh.log: Permission denied
[Tue Aug 10 09:52:09 UTC 2021] Error renew example.com.
And then lastly, /etc/letsencrypt$ sudo su acme.sh --cron --force yields su: unrecognized option '--cron'
I hope the above isn’t just word soup. And really appreciate any and all help!