Letsencrypt client needs to be updated #150

Closed
jamezpolley opened this issue May 5, 2020 · 5 comments

@jamezpolley

jamezpolley commented May 5, 2020

We're getting reports from Letsencrypt that we're using an old client using the V1 protocol for some hostnames. This needs to be fixed soon as the V1 protocol will go away soon.


@mlandauer

From the Let's Encrypt email

Hostname(s):
"api.planningalerts.org.au","planningalerts.org.au","www.planningalerts.org.au"
"openaustralia.org","openaustralia.org.au","www.openaustralia.org","www.openaustralia.org.au"
"opengovernment.org.au","www.opengovernment.org.au"
"cuttlefish.oaf.org.au","cuttlefish.io"

@jamezpolley

Hosts:

  • planningalerts
  • openaustralia.org
  • opengovernment
  • cuttlefish

@jamezpolley

For hosts controlled by this repo, it looks like the version of certbot we have is fine, but on some servers it's still using the server name corresponding to the old API:

(.venv) james@BOWMAN:~/src/oaf/infrastructure$ ansible ec2 --become -a "grep -r server /etc/letsencrypt/renewal/ "
theyvoteforyou.org.au | SUCCESS | rc=0 >>
/etc/letsencrypt/renewal/theyvoteforyou.org.au.conf:server = https://acme-v02.api.letsencrypt.org/directory
/etc/letsencrypt/renewal/test.theyvoteforyou.org.au.conf:server = https://acme-v02.api.letsencrypt.org/directory

planningalerts.org.au | SUCCESS | rc=0 >>
/etc/letsencrypt/renewal/planningalerts.org.au.conf:server = https://acme-v01.api.letsencrypt.org/directory
/etc/letsencrypt/renewal/test.planningalerts.org.au.conf:server = https://acme-v01.api.letsencrypt.org/directory

righttoknow.org.au | SUCCESS | rc=0 >>
/etc/letsencrypt/renewal/test.righttoknow.org.au.conf:server = https://acme-v02.api.letsencrypt.org/directory
/etc/letsencrypt/renewal/righttoknow.org.au.conf:server = https://acme-v02.api.letsencrypt.org/directory

openaustralia.org.au | SUCCESS | rc=0 >>
/etc/letsencrypt/renewal/test.openaustralia.org.au.conf:server = https://acme-v01.api.letsencrypt.org/directory
/etc/letsencrypt/renewal/openaustralia.org.au.conf:server = https://acme-v01.api.letsencrypt.org/directory

openaustraliafoundation.org.au | SUCCESS | rc=0 >>
/etc/letsencrypt/renewal/oaf.org.au.conf:server = https://acme-v02.api.letsencrypt.org/directory

opengovernment.org.au | SUCCESS | rc=0 >>
/etc/letsencrypt/renewal/opengovernment.org.au.conf:server = https://acme-v01.api.letsencrypt.org/directory

electionleaflets.org.au | SUCCESS | rc=0 >>
/etc/letsencrypt/renewal/electionleaflets.org.au.conf:server = https://acme-v02.api.letsencrypt.org/directory
/etc/letsencrypt/renewal/test.electionleaflets.org.au.conf:server = https://acme-v02.api.letsencrypt.org/directory
/etc/letsencrypt/renewal/www.electionleaflets.org.au.conf:server = https://acme-v02.api.letsencrypt.org/directory

@jamezpolley

I've updated the update-ssl-certificates ansible script in b69e10c.

With these changes, I was able to use ansible-playbook update-ssl-certs.yml -l planningalerts,openaustralia,opengovernment to force-renew the certs on the v2 api.

Checking:

(.venv) james@BOWMAN:~/src/oaf/infrastructure$ ansible planningalerts,openaustralia,opengovernment --become -a "grep -r server /etc/letsencrypt/renewal"
openaustralia.org.au | SUCCESS | rc=0 >>
/etc/letsencrypt/renewal/test.openaustralia.org.au.conf:server = https://acme-v02.api.letsencrypt.org/directory
/etc/letsencrypt/renewal/openaustralia.org.au.conf:server = https://acme-v02.api.letsencrypt.org/directory

planningalerts.org.au | SUCCESS | rc=0 >>
/etc/letsencrypt/renewal/planningalerts.org.au.conf:server = https://acme-v02.api.letsencrypt.org/directory
/etc/letsencrypt/renewal/test.planningalerts.org.au.conf:server = https://acme-v02.api.letsencrypt.org/directory

opengovernment.org.au | SUCCESS | rc=0 >>
/etc/letsencrypt/renewal/opengovernment.org.au.conf:server = https://acme-v02.api.letsencrypt.org/directory
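
A per-file version of the grep check used in the comments above, as an added example that is not part of the original thread or the project's playbook: it classifies each certbot renewal config by its `server =` endpoint and exits non-zero if any lineage still points at acme-v01. The function names and the `example.org` hostnames are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit certbot renewal configs for the ACME v1 endpoint.

# Print "<lineage> <v1|v2|unset|other>" for every *.conf in a renewal dir.
classify_renewal_dir() {
    for conf in "$1"/*.conf; do
        [ -f "$conf" ] || continue
        # Take the last "server = URL" line (normally there is exactly one).
        url=$(sed -n 's/^[[:space:]]*server[[:space:]]*=[[:space:]]*//p' "$conf" | tail -n 1)
        case $url in
            https://acme-v01.api.letsencrypt.org/*) api=v1 ;;
            https://acme-v02.api.letsencrypt.org/*) api=v2 ;;
            '') api=unset ;;
            *)  api=other ;;
        esac
        printf '%s %s\n' "$(basename "$conf" .conf)" "$api"
    done
}

# Return 0 only when no lineage points at ACME v1; list offenders on stderr.
check_no_acme_v1() {
    offenders=$(classify_renewal_dir "$1" | awk '$2 == "v1" { print $1 }')
    [ -z "$offenders" ] && return 0
    printf '%s\n' "$offenders" | sed 's/^/still on ACME v1: /' >&2
    return 1
}

# Constructed sample: two renewal configs with made-up hostnames.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '[renewalparams]' 'authenticator = webroot' \
        'server = https://acme-v01.api.letsencrypt.org/directory' \
        > "$d/legacy.example.org.conf"
    printf '%s\n' '[renewalparams]' 'authenticator = webroot' \
        'server = https://acme-v02.api.letsencrypt.org/directory' \
        > "$d/current.example.org.conf"
    printf '%s\n' "$d"
}

# Demo on the constructed sample; on a real host pass /etc/letsencrypt/renewal.
sample=$(make_sample_dir)
classify_renewal_dir "$sample"
check_no_acme_v1 "$sample" || echo "renewal needed before ACME v1 is retired"
rm -rf "$sample"
```

Because `check_no_acme_v1` sets its exit status, it can gate a monitoring check or a deployment step instead of relying on someone reading grep output.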

@jamezpolley

There's still some outstanding work to do here; cuttlefish needs to be fixed (tracked in mlandauer/cuttlefish#353) and the regular role needs to be updated. I'll open a new issue for the latter.
