Chris W

Reputation: 61

Amazon EC2 Linux SSL certbot-auto: Account creation on ACMEv1 is disabled. ACMEv2 / RFC 8555

I was trying to install a Let's Encrypt SSL certificate for my website on an Amazon EC2 Linux AMI server.

I followed the steps in the documentation: Tutorial: Configure SSL/TLS on Amazon Linux https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/SSL-on-amazon-linux-ami.html

After ssh'ing in and running these kinds of commands to generate the certificate

sudo yum install -y mod24_ssl
sudo chmod 600 custom.key
sudo openssl req -new -key custom.key -out csr.pem

Amazon kind of leaves you hanging at Step 2 => stage 4.

"Submit the CSR to a CA."

Without any CAs recommended, I decided to go with Let's Encrypt because certbot for an EC2 Linux 2 is usually quite reliable.

I then got this error

The client lacks sufficient authorization :: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details .

Upvotes: 2

Views: 2565

Answers (2)

compute.amazonaws.com domains are intentionally blacklisted by Let's Encrypt. They are often ephemeral and Let's Encrypt won't allow users to issue certificates for that domain.

Upvotes: 0

Chris W

Reputation: 61

TIP: To find out if your Bitnami stack uses Apache or NGINX, check the output of the command sudo /opt/bitnami/ctlscript.sh status.

NGINX:

So, turns out there is an end-of-life plan for ACMEv1, which is Let's Encrypt's original method for generating certificates.

Read the article here: https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430

The original protocol used by Let's Encrypt for certificate issuance and management is called ACMEv1. In March of 2018 we introduced support for ACMEv2, a newer version of the protocol that matches what was finalized today as RFC 8555. We have been encouraging subscribers to move to the ACMEv2 protocol. Today we are announcing an end of life plan for ACMEv1.

Here is my entire process to install certbot-auto. I'm sharing my whole list of commands as you may find you have the same issues as me. Depends on what kinds of packages you have installed. (This was also tricky due to Amazon running their own version of Linux on the EC2 AMI.)

tried installing certbot-auto

wget https://dl.eff.org/certbot-auto

I then tried changing permissions to make certbot-auto work

sudo chown root /usr/local/bin/certbot-auto
sudo chmod 0755 /usr/local/bin/certbot-auto

tried installing again

wget -N https://dl.eff.org/certbot-auto.asc

Had to Install Epel because of AWS Linux

sudo amazon-linux-extras install epel

Then ran

sudo yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

Then

sudo yum install certbot-apache

Then tried

sudo yum install mod_ssl python-certbot-apache
chmod +x certbot-auto
sudo mv certbot-auto /usr/local/bin/certbot-auto

Then ran the command

certbot-auto certonly --standalone -d yourwebsite.com --debug

This is where I reached the error:

To fix my issue I had to do the following steps:

Run this command (from inside etc/letsencrypt) with your Amazon DNS IP:

sudo ./certbot-auto --debug -v --server https://acme-v01.api.letsencrypt.org/directory certonly -d ec2-00-000-000-000.eu-west-2.compute.amazonaws.com

DNS IPs look like this: ec2-00-000-000-000.eu-west-2.compute.amazonaws.com

So just replace the example above with your own (found in your AWS console => EC2)

You should see this:

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

I chose 3

This is where I reached the error again:

The client lacks sufficient authorization :: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.

Then saw this:

Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel):

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: 

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: 

I added my domains as example.com and www.example.com

No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated)  (Enter 'c' to cancel): example.com , www.example.com

Saw this

Performing the following challenges:
http-01 challenge for example.com

Then this

PluginError: Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.

So had to do this:

Check you have vhosts running

apachectl -t -D DUMP_VHOSTS

So looked up what configs I might have

find /etc/httpd -name '*.conf'

Then edit your configs with vim or nano or whatever you prefer

//VIM
vi /etc/httpd/conf/httpd.conf

//NANO
nano /etc/httpd/conf/httpd.conf

Copy and paste your virtual host into your config (3 places to change with your website)

#Virtual Host added for Letsencrypt
<VirtualHost *:80>
    DocumentRoot "/var/www/html"
    ServerName "example.com"
    ServerAlias "example"
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =example
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

//Then just :wq to save (if you're in vim)

Ran this again (from inside etc/letsencrypt)

sudo ./certbot-auto --debug

Saw this

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: example.com
- - - - - - - - - - - - - - - - - - 

Selected 1...

And it worked!

Hope that helps

APACHE BITNAMI APPLICATION:

https://docs.bitnami.com/general/how-to/generate-install-lets-encrypt-ssl/#alternative-approach

Upvotes: 1
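Two things went wrong in the walkthrough above before it worked: the `--server` flag pointed at the retired `acme-v01` directory, and Apache had no port-80 virtual host for the http-01 challenge. The pre-flight checks below are an added example, not part of the answer or of certbot; the DUMP_VHOSTS output is constructed to mirror the Apache 2.4 format, and the function names are my own.

```shell
#!/bin/sh
# Added pre-flight checks for the certbot run described in the answer.
# Both are pure string checks, so they can be run offline on constructed input.

# Return 0 only if the ACME directory URL is an ACMEv2 endpoint.
# The v01 directory no longer accepts new account registrations.
acme_server_ok() {
    case "$1" in
        https://acme-v02.api.letsencrypt.org/directory) return 0 ;;
        https://acme-staging-v02.api.letsencrypt.org/directory) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the DUMP_VHOSTS text ($2) lists domain ($1) as a server name
# or alias under a *:80 (or ip:80) virtual host. For a live check, call:
#   has_port80_vhost example.com "$(apachectl -t -D DUMP_VHOSTS 2>&1)"
has_port80_vhost() {
    domain=$1
    dump=$2
    printf '%s\n' "$dump" | awk -v d="$domain" '
        # A line whose first field ends in ":<port>" starts a new vhost block
        $1 ~ /:[0-9]+$/ { n = split($1, a, ":"); port = a[n] }
        # Inside the port-80 block, any field equal to the domain is a match
        port == "80" { for (i = 1; i <= NF; i++) if ($i == d) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample, shaped like "apachectl -t -D DUMP_VHOSTS" output,
# after the VirtualHost from the answer has been added to httpd.conf.
SAMPLE_DUMP='VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server example.com (/etc/httpd/conf/httpd.conf:42)
         port 80 namevhost example.com (/etc/httpd/conf/httpd.conf:42)
                 alias www.example.com
*:443                  other.example (/etc/httpd/conf.d/ssl.conf:56)'

# Stand-alone run: both checks must pass before invoking certbot-auto.
if acme_server_ok "${ACME_SERVER:-https://acme-v02.api.letsencrypt.org/directory}" \
   && has_port80_vhost "${DOMAIN:-example.com}" "$SAMPLE_DUMP"; then
    echo "pre-flight ok: ACMEv2 endpoint and port-80 vhost present"
else
    echo "pre-flight failed: fix --server URL or add a *:80 VirtualHost" >&2
fi
```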
