Closed jamezpolley closed 4 years ago
From the Let's Encrypt email
Hostname(s): "api.planningalerts.org.au","planningalerts.org.au","www.planningalerts.org.au" "openaustralia.org","openaustralia.org.au","www.openaustralia.org","www.openaustralia.org.au" "opengovernment.org.au","www.opengovernment.org.au" "cuttlefish.oaf.org.au","cuttlefish.io"
Hosts:
For hosts controlled by this repo, it looks like the version of certbot we have is fine, but on some servers it's still using the servername corresponding to the old API:
(.venv) james@BOWMAN:~/src/oaf/infrastructure$ ansible ec2 --become -a "grep -r server /etc/letsencrypt/renewal/ "
theyvoteforyou.org.au | SUCCESS | rc=0 >>
/etc/letsencrypt/renewal/theyvoteforyou.org.au.conf:server = https://acme-v02.api.letsencrypt.org/directory
/etc/letsencrypt/renewal/test.theyvoteforyou.org.au.conf:server = https://acme-v02.api.letsencrypt.org/directory
planningalerts.org.au | SUCCESS | rc=0 >>
/etc/letsencrypt/renewal/planningalerts.org.au.conf:server = https://acme-v01.api.letsencrypt.org/directory
/etc/letsencrypt/renewal/test.planningalerts.org.au.conf:server = https://acme-v01.api.letsencrypt.org/directory
righttoknow.org.au | SUCCESS | rc=0 >>
/etc/letsencrypt/renewal/test.righttoknow.org.au.conf:server = https://acme-v02.api.letsencrypt.org/directory
/etc/letsencrypt/renewal/righttoknow.org.au.conf:server = https://acme-v02.api.letsencrypt.org/directory
openaustralia.org.au | SUCCESS | rc=0 >>
/etc/letsencrypt/renewal/test.openaustralia.org.au.conf:server = https://acme-v01.api.letsencrypt.org/directory
/etc/letsencrypt/renewal/openaustralia.org.au.conf:server = https://acme-v01.api.letsencrypt.org/directory
openaustraliafoundation.org.au | SUCCESS | rc=0 >>
/etc/letsencrypt/renewal/oaf.org.au.conf:server = https://acme-v02.api.letsencrypt.org/directory
opengovernment.org.au | SUCCESS | rc=0 >>
/etc/letsencrypt/renewal/opengovernment.org.au.conf:server = https://acme-v01.api.letsencrypt.org/directory
electionleaflets.org.au | SUCCESS | rc=0 >>
/etc/letsencrypt/renewal/electionleaflets.org.au.conf:server = https://acme-v02.api.letsencrypt.org/directory
/etc/letsencrypt/renewal/test.electionleaflets.org.au.conf:server = https://acme-v02.api.letsencrypt.org/directory
/etc/letsencrypt/renewal/www.electionleaflets.org.au.conf:server = https://acme-v02.api.letsencrypt.org/directory
I've updated the update-ssl-certificates ansible script in b69e10c.
With these changes, I was able to use ansible-playbook update-ssl-certs.yml -l planningalerts,openaustralia,opengovernment to force-renew the certs on the v2 API.
Checking:
(.venv) james@BOWMAN:~/src/oaf/infrastructure$ ansible planningalerts,openaustralia,opengovernment --become -a "grep -r server /etc/letsencrypt/renewal"
openaustralia.org.au | SUCCESS | rc=0 >>
/etc/letsencrypt/renewal/test.openaustralia.org.au.conf:server = https://acme-v02.api.letsencrypt.org/directory
/etc/letsencrypt/renewal/openaustralia.org.au.conf:server = https://acme-v02.api.letsencrypt.org/directory
planningalerts.org.au | SUCCESS | rc=0 >>
/etc/letsencrypt/renewal/planningalerts.org.au.conf:server = https://acme-v02.api.letsencrypt.org/directory
/etc/letsencrypt/renewal/test.planningalerts.org.au.conf:server = https://acme-v02.api.letsencrypt.org/directory
opengovernment.org.au | SUCCESS | rc=0 >>
/etc/letsencrypt/renewal/opengovernment.org.au.conf:server = https://acme-v02.api.letsencrypt.org/directory
There's still some outstanding work to do here; cuttlefish needs to be fixed (tracked in https://github.com/mlandauer/cuttlefish/issues/353) and the regular role needs to be updated. I'll open a new issue for the latter.
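An added example (not part of the original thread or the project's code): a Python audit of the ad-hoc `ansible ... "grep -r server /etc/letsencrypt/renewal"` output shown above, listing certbot lineages still pointed at the ACME v1 directory and hosts that returned no usable result. The sample output and its hostnames are constructed, and `audit` is a hypothetical helper name.

```python
import os
import re
from urllib.parse import urlsplit

# Constructed sample in the same format as the ansible ad-hoc output above.
# Hostnames are placeholders, not the project's hosts.
SAMPLE = """\
web1.example.org | SUCCESS | rc=0 >>
/etc/letsencrypt/renewal/web1.example.org.conf:server = https://acme-v02.api.letsencrypt.org/directory
/etc/letsencrypt/renewal/test.web1.example.org.conf:server = https://acme-v01.api.letsencrypt.org/directory
web2.example.org | CHANGED | rc=0 >>
/etc/letsencrypt/renewal/web2.example.org.conf:server = https://acme-v01.api.letsencrypt.org/directory
web3.example.org | FAILED | rc=1 >>
web4.example.org | UNREACHABLE! => {
    "msg": "Failed to connect to the host via ssh",
    "unreachable": true
}
"""

HEADER = re.compile(r"^(\S+) \| ([A-Z]+)!?(?: \| rc=(\d+) >>| => \{)\s*$")
SERVER = re.compile(r"^(/\S+\.conf):\s*server\s*=\s*(\S+)\s*$")
V1_HOST = "acme-v01.api.letsencrypt.org"


def audit(output):
    """Return (v1, unchecked): lineages on ACME v1 per host, and hosts with no usable result."""
    v1, unchecked, host = {}, [], None
    for line in output.splitlines():
        m = HEADER.match(line)
        if m:
            host, status, rc = m.groups()
            # grep exits 1 when nothing matches, so a FAILED host is unknown, not clean.
            if status not in ("SUCCESS", "CHANGED") or rc != "0":
                unchecked.append(host)
                host = None
            continue
        m = SERVER.match(line)
        # Compare the parsed hostname rather than substring-matching the whole line.
        if m and host and urlsplit(m.group(2)).hostname == V1_HOST:
            lineage = os.path.basename(m.group(1))[: -len(".conf")]
            v1.setdefault(host, []).append(lineage)
    return v1, unchecked


if __name__ == "__main__":
    v1, unchecked = audit(SAMPLE)
    for h, lineages in v1.items():
        print(f"{h}: still on ACME v1: {', '.join(lineages)}")
    for h in unchecked:
        print(f"{h}: no result, check manually")
```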
We're getting reports from Let's Encrypt that we're using an old client using the V1 protocol for some hostnames. This needs to be fixed soon as the V1 protocol will go away soon.