⚠ Update ACME Let's Encrypt SSL Client

Recently Let’s Encrypt changed their CDN provider and is going to deprecate the ACMEv1 API.
Many users are facing SSL installation errors and renewal issues.

Upgrade the ACME Let’s Encrypt SSL client to the latest version:

  • Log in to your server via SSH.
  • Keep the root login; don’t log in as a sudo user.
  • Next, update the acme.sh client:

    /etc/letsencrypt/acme.sh --upgrade --home "/etc/letsencrypt"

  • Update the certificates:

    /etc/letsencrypt/acme.sh --cron --home "/etc/letsencrypt" > /dev/null

  • Verify the installed version:

    /etc/letsencrypt/acme.sh --home "/etc/letsencrypt" -v

  • List the installed SSL certificates:

    /etc/letsencrypt/acme.sh --home "/etc/letsencrypt" --list

  • Check the crontab (it contains the command line for SSL auto-renewal):

    $ crontab -l
    25 0 * * * "/etc/letsencrypt"/acme.sh --cron --home "/etc/letsencrypt" > /dev/null

Thanks! It was really helpful for me :wink:


Sorry for necromancing this thread!

This was a helpful post, and I’m hoping that no one that’s followed its suggestions has run into any issues. (I was worried that subsequently upgrading Ghost might introduce some problems.)

But apparently one might need to manually update a configuration file too as upgrading acme.sh doesn’t seem to do that automatically:

Kenny,

Thanks for the necromancy. This might help with an issue I’m having.

You don’t happen to know what one needs to do to replace ‘acme-v01’ with ‘acme-v02’. This is probably hopelessly n00by, but the comments on the Acme Issue don’t spell this out in any way clearly.

— G.

An acme.sh contributor just made a change that looks like it will update config files automatically, but I’m not sure whether that’s in the ‘release’ version (if there is one).

But making the change manually is pretty easy.

This was the relevant comment in the acme.sh issue [formatted by me]:

… just replace acme-v01 occurrences by acme-v02 in ~/.acme.sh/yourdomain.tld/yourdomain.tld.conf

~/.acme.sh is where acme.sh was installed for that commenter. On your server/computer, it might be installed somewhere else. You should be able to find out where exactly it is by running whereis acme.sh.

If my site was example.com, then the config file would be in example.com/example.com.conf relative to (i.e. ‘under’) the directory where acme.sh is installed.

Open the config file in a text editor and replace acme-v01 with acme-v02 – there were three (3) URLs in my config file that needed to be modified.

I was able to run the acme.sh --cron command successfully immediately after editing the config file.

I actually tested running whereis acme.sh on my server just a few minutes ago and it did NOT work. I’m sorry for not actually testing it before!

I noticed that other people indicated that acme.sh was installed in the directory /root/.acme.sh. On my server, it’s installed in the directory /etc/letsencrypt/. You can confirm where you’ve installed it on your server via ls; example:

kenny@some-server:~$ sudo ls /etc/letsencrypt/
account.conf  acme.sh  acme.sh.env  ca	deploy	dnsapi	http.header  notify  renewal-hooks  example.com

example.com above is a directory for a dummy example domain name.

I’m going to assume acme.sh is installed under /etc/letsencrypt/.

Then, upgrade your site’s config file. Assuming your site’s domain name is example.com, the config file should be at /etc/letsencrypt/example.com/example.com.conf.

You need to change the host for three URLs in three config variable values in this file; the config variables are:

  • Le_API
  • Le_LinkCert
  • Le_LinkIssuer

Example line for the first value:

Le_API='https://acme-v01.api.letsencrypt.org/directory'

Change the URL so the line looks like this (i.e. replace the 1 with a 2):

Le_API='https://acme-v02.api.letsencrypt.org/directory'

Make the same change for the other two values.
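A scripted version of the edit described in the post above, added here as an example; it is not code from the thread or from acme.sh itself. It assumes the config file path described above (for instance /etc/letsencrypt/example.com/example.com.conf), keeps a .bak copy, prints the variables it is about to change, rewrites the host in place without altering the file’s owner or mode, and refuses to report success while any acme-v01 reference remains. Running it a second time is harmless.

```shell
#!/bin/sh
# Added example, not code from the thread or from acme.sh: switch an acme.sh
# per-domain config file from the ACMEv1 directory host to the v2 host.
# CONF_FILE is assumed to be a file such as
# /etc/letsencrypt/example.com/example.com.conf (path from the post above).

V1_HOST='acme-v01.api.letsencrypt.org'
V2_HOST='acme-v02.api.letsencrypt.org'

# acme_conf_v1_count CONF_FILE
# Prints the number of lines still pointing at the v1 host (0 when done).
acme_conf_v1_count() {
  grep -c "$V1_HOST" "$1" || true
}

# migrate_acme_conf CONF_FILE
# Keeps a .bak copy, lists the variables it will change, rewrites the host in
# place (the file's owner and mode are preserved because the content is copied
# back into the existing file), then verifies nothing v1-related is left.
# Returns 0 on success or when there was nothing to do, 1 on any failure.
migrate_acme_conf() {
  conf="$1"
  if [ ! -f "$conf" ]; then
    echo "no such config file: $conf" >&2
    return 1
  fi
  if [ "$(acme_conf_v1_count "$conf")" -eq 0 ]; then
    echo "already on $V2_HOST: $conf"
    return 0
  fi
  cp -p "$conf" "$conf.bak"
  echo "variables to update in $conf:"
  grep "$V1_HOST" "$conf" | cut -d= -f1 | sed 's/^/  /'
  # Dots in the host are regex metacharacters for sed, so escape them.
  v1_re=$(printf '%s' "$V1_HOST" | sed 's/\./\\./g')
  sed "s/$v1_re/$V2_HOST/g" "$conf" > "$conf.new" || return 1
  cat "$conf.new" > "$conf" && rm -f "$conf.new"
  if [ "$(acme_conf_v1_count "$conf")" -ne 0 ]; then
    echo "still has v1 references: $conf" >&2
    return 1
  fi
  echo "done; backup at $conf.bak"
}

# Usage: ACME_CONF=/etc/letsencrypt/example.com/example.com.conf sh migrate.sh
if [ -n "${ACME_CONF:-}" ]; then
  migrate_acme_conf "$ACME_CONF"
fi
```

Because the replacement matches the full host name rather than the bare string acme-v01, it changes exactly the Le_API, Le_LinkCert and Le_LinkIssuer URLs listed above and leaves every other line as it was; the .bak copy is what you restore if the next acme.sh --cron run is unhappy.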

Thank you very much Kenny. That was very helpful, and very clearly explained (if I could understand it must have been).

I have a standard ghost install and should just add for others that acme.sh lives in /etc/letsencrypt/ and that one of the config variables did indeed need updating (Le_LinkCert).

Sadly, my problem persists. I might have made the mistake of installing acme.sh as sudo — which I would hugely unrecommend — and whenever I try to run the cronjob I get

acme.sh: command not found

My gut is to simply reinstall acme.sh and --issue new certs. I will try and figure out how.

G!

You’re welcome!

How are you trying to run the acme.sh cron job?

If you would reply with the actual terminal output, including the shell prompt (scrubbed of any details you don’t want to share), I’ll gladly offer feedback about what you could try next.

I think it should be possible, and maybe pretty easy/straightforward, to fix any problems you might have because you installed it via sudo.

(I also don’t like that acme.sh seemingly has problems being run via sudo – there’s a lot of good reasons why it’s generally better to run commands via sudo than by logging in as root.)

Thanks for the continued help Kenny. I’m glad to hear installing via sudo (plus --force) hasn’t broken my site.

I posted here in the forums with my preexisting setup in case any of that flags. The tl;dr is I believe my certificates are in fact renewed in /etc/letsencrypt but the myriad browsers I’ve tried the site in claim otherwise. They seem to be opening the older, expired cert.

I’ve done a manual renew and my cert seems to be renewed well into Oct.

The three commands I’ve tried are:

  • sudo "/etc/letsencrypt"/acme.sh --cron --home "/etc/letsencrypt" > /dev/null. There’s no output here so I believe this has done nothing.
  • :/etc/letsencrypt$ acme.sh --cron outputs /etc/letsencrypt/acme.sh: line 264: /etc/letsencrypt/acme.sh.log: Permission denied (repeated a bunch) THEN →

    [Tue Aug 10 09:51:55 UTC 2021] Skip, Next renewal time is: Mon Oct  4 10:03:46 UTC 2021
    /etc/letsencrypt/acme.sh: line 264: /etc/letsencrypt/acme.sh.log: Permission denied
    [Tue Aug 10 09:51:55 UTC 2021] Add '--force' to force to renew.
    [Tue Aug 10 09:51:55 UTC 2021] ===End cron===

    (I’ve cut a bunch of permission denied lines.)

  • Then running the above with --force yields

    [Tue Aug 10 09:52:09 UTC 2021] Only RSA or EC key is supported. keyfile=/etc/letsencrypt/ca/acme-v02.api.letsencrypt.org/directory/account.key
    cat: /etc/letsencrypt/ca/acme-v02.api.letsencrypt.org/directory/account.key: Permission denied
    /etc/letsencrypt/acme.sh: line 264: /etc/letsencrypt/acme.sh.log: Permission denied
    /etc/letsencrypt/acme.sh: line 264: /etc/letsencrypt/acme.sh.log: Permission denied
    [Tue Aug 10 09:52:09 UTC 2021] Please check log file for more details: /etc/letsencrypt/acme.sh.log
    /etc/letsencrypt/acme.sh: line 264: /etc/letsencrypt/acme.sh.log: Permission denied
    /etc/letsencrypt/acme.sh: line 264: /etc/letsencrypt/acme.sh.log: Permission denied
    [Tue Aug 10 09:52:09 UTC 2021] Error renew example.com.

  • And then lastly, /etc/letsencrypt$ sudo su acme.sh --cron --force yields

    su: unrecognized option '--cron'

I hope the above isn’t just word soup. And really appreciate any and all help!
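A preflight check for the two things this thread turns on, added here as an example and not code from the thread or from acme.sh: whether the account that runs acme.sh can actually read and write the files under its home directory (the Permission denied lines in the post above come from the acme.sh.log file and the account.key under ca/ in that directory), and whether a crontab listing like the one in the first post still contains the auto-renewal entry for that home directory. The layout it assumes (acme.sh, acme.sh.log, ca/<host>/directory/account.key and <domain>/<domain>.conf under /etc/letsencrypt) is the one shown in the ls output earlier in the thread; the crontab text is passed in as an argument rather than read with crontab -l, so the check can be run against any saved listing.

```shell
#!/bin/sh
# Added example, not code from the thread or from acme.sh: report which files
# under an acme.sh home directory the current user cannot access, and check a
# crontab listing for the renewal entry. Layout assumed from the thread:
#   $ACME_HOME/acme.sh, $ACME_HOME/acme.sh.log,
#   $ACME_HOME/ca/<api host>/directory/account.key,
#   $ACME_HOME/<domain>/<domain>.conf

# acme_preflight [HOME_DIR]
# Prints one line per problem and returns 1 if any was found, 0 otherwise.
# Run it as the same account that will run acme.sh --cron.
acme_preflight() {
  acme_home="${1:-/etc/letsencrypt}"
  rc=0
  if [ ! -x "$acme_home/acme.sh" ]; then
    echo "missing or not executable: $acme_home/acme.sh"
    rc=1
  fi
  # acme.sh appends to acme.sh.log in its home; either the existing log must
  # be writable, or the directory must allow creating it.
  if [ -e "$acme_home/acme.sh.log" ]; then
    if [ ! -w "$acme_home/acme.sh.log" ]; then
      echo "cannot write: $acme_home/acme.sh.log"
      rc=1
    fi
  elif [ ! -w "$acme_home" ]; then
    echo "cannot create acme.sh.log in: $acme_home"
    rc=1
  fi
  # Every ACME account key must be readable (the 'cat: ... Permission denied'
  # line in the post above is this file being unreadable).
  for key in "$acme_home"/ca/*/directory/account.key; do
    [ -e "$key" ] || continue   # glob matched nothing
    if [ ! -r "$key" ]; then
      echo "cannot read: $key"
      rc=1
    fi
  done
  # Per-domain config files (the ones edited for acme-v02) must be readable.
  for conf in "$acme_home"/*/*.conf; do
    [ -e "$conf" ] || continue
    if [ ! -r "$conf" ]; then
      echo "cannot read: $conf"
      rc=1
    fi
  done
  return $rc
}

# acme_cron_entry [HOME_DIR] CRONTAB_TEXT
# Returns 0 if CRONTAB_TEXT (the output of `crontab -l`) contains a
# non-comment line that runs acme.sh --cron for HOME_DIR, 1 otherwise.
acme_cron_entry() {
  acme_home="${1:-/etc/letsencrypt}"
  printf '%s\n' "$2" \
    | grep -v '^[[:space:]]*#' \
    | grep -F -- 'acme.sh --cron' \
    | grep -F -q -- "$acme_home"
}

# Usage: ACME_CHECK_HOME=/etc/letsencrypt sh preflight.sh
if [ -n "${ACME_CHECK_HOME:-}" ]; then
  acme_preflight "$ACME_CHECK_HOME"
  acme_cron_entry "$ACME_CHECK_HOME" "$(crontab -l 2>/dev/null)" \
    && echo "renewal cron entry present for $ACME_CHECK_HOME" \
    || echo "no renewal cron entry for $ACME_CHECK_HOME in this user's crontab"
fi
```

The cron entry from the first post runs under whichever account’s crontab it sits in, so that account is the one that has to pass acme_preflight; a listing that passes acme_cron_entry for one user says nothing about another user’s crontab.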