Symbiosis/Let’s Encrypt: Account creation on ACMEv1 is disabled (certificates fail to be created/renewed)


#1

Hi all,

Today I’ve found that when I go to create a new hosting account on Symbiosis (on Stretch), Let’s Encrypt certificates aren’t generating - with the following error:

Failed: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.

It looks like there’s a new version of the Let’s Encrypt API that Symbiosis doesn’t yet include - and with there seemingly having been a slow-down in development for Symbiosis in the run-up to/following the acquisition of Bytemark by ioMart, I’m not sure where that leaves things!

Any ideas?

Cheers,
Chris


#2

Looks like we will have to go the route outlined in this thread - The future of Symbiosis


#3

I’m afraid we don’t have any plans for Symbiosis development at all. There is a fork of Symbiosis called Sympl, which is available for Debian 10 at https://sympl.host, and the developer is promising support for ACMEv2.

There is a workaround, if you have a currently working domain. Let’s Encrypt are not accepting new accounts with ACMEv1 after November 1. Symbiosis creates a new account for every new set of domains, but that’s not strictly necessary.

You can reuse an existing account by copying /srv/DOMAIN/config/ssl/letsencrypt/account_key (e.g. /srv/example.com/config/ssl/letsencrypt/account_key) into your new domain configuration. If the account_key is present, then that’s the account that will be used.
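
The workaround above as a script, added here as an example (it is not part of the original post or of Symbiosis). `reuse_account_key` and `SRV_ROOT` are hypothetical names; the script assumes the new domain's `config` directory already exists and keeps the key's file mode, since `account_key` is the ACME account's private key.

```shell
#!/bin/sh
# Added example, not Symbiosis code. SRV_ROOT and reuse_account_key are
# hypothetical names; SRV_ROOT defaults to /srv as in the post above.
SRV_ROOT="${SRV_ROOT:-/srv}"

# reuse_account_key SOURCE_DOMAIN NEW_DOMAIN
# Returns 0 on success, 1 on bad input, 2 if the target already has a key.
reuse_account_key() {
    src_domain="$1"; new_domain="$2"
    # Reject empty names and anything that could point outside SRV_ROOT.
    for d in "$src_domain" "$new_domain"; do
        case "$d" in
            ""|*/*|.*) echo "invalid domain name: '$d'" >&2; return 1 ;;
        esac
    done
    src="$SRV_ROOT/$src_domain/config/ssl/letsencrypt/account_key"
    cfg="$SRV_ROOT/$new_domain/config"
    dst="$cfg/ssl/letsencrypt/account_key"

    if [ ! -s "$src" ]; then
        echo "no account key at $src" >&2; return 1
    fi
    if [ ! -d "$cfg" ]; then
        echo "new domain is not set up yet: $cfg missing" >&2; return 1
    fi
    # Never overwrite: an existing key means the domain already has an account.
    if [ -e "$dst" ]; then
        echo "$dst already exists, leaving it alone" >&2; return 2
    fi
    mkdir -p "$cfg/ssl/letsencrypt" || return 1
    # cp -p keeps the source's mode (and its owner when run as root), so the
    # private key is not left more readable than the working original.
    ( umask 077 && cp -p "$src" "$dst" ) || return 1
    # Confirm the copy is byte-identical to the source.
    cmp -s "$src" "$dst"
}

# Usage: reuse_account_key example.com newdomain.example
```

Every domain that shares the key also shares the same Let's Encrypt account, so the key file on each domain needs the same protection as the original.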


#4

@OBrienMedia @phill104: I can confirm that Sympl now has support for ACMEv2 in the stable branch, so account creation and so on are fine in Sympl for the foreseeable future.

Anyone experiencing the above issue may want to look into migrating to Sympl which is continuing development, and already supports Debian Buster, as well as improving security over Symbiosis.


#5

Thanks for the workaround.
I’d like to point out that you SHOULD have plans to develop Symbiosis. It was the jewel in the crown of Bytemark.
Migrating an existing Symbiosis server to Sympl is not supposed to be possible, so if people will have to migrate their sites to a new Sympl installation, the easiest way to do that is to move away from Bytemark - and that’s probably the route I shall take if I do need to move to Sympl.


#6

After testing out Sympl, and as Bytemark have no plans for Symbiosis, we’ve decided to switch all of our VMs (and content DNS) to Amazon Web Services. We’re now running Sympl for 2 VMs with roughly 50 websites on each and have found performance on AWS and Sympl to far outstrip Bytemark’s offering. It’s a sad time as we’ve been a Bytemark client for over 10 years but recent changes have left us with no option - and the cost savings are big (we pay Bytemark hundreds of pounds a month and have halved that with the switchover).


#7

Good information, thanks. Was the Sympl package easy to install on AWS?


#8

I have just spent the day playing with Sympl on AWS using the free 1 month Lightsail service. It was a bit of a learning curve and I am not quite there yet.

First thing was to create an account and instance etc. Once done, the latest version of Debian you can install is 9.5, so you have to upgrade to Buster if needed.
Once done, I had a lot of head scratching working out the AWS panel. All a bit new to me. Sympl was easy to install but I did run into a few issues configuring it. Getting the ability to log on as root via SSH, for instance; getting letsencrypt set up too, I ran into a couple of gotchas. Getting there though, and wow it is fast.

Only current issue is I cannot get mail to work. Currently I am not sure if it is to do with Sympl or whether I need to fiddle with the MX records. Getting too tired to fiddle tonight.

Big ups to Paul for all the hard work keeping the project going. It really is a life saver for me.


#9

What sort of gotchas? I’ve not had any with sympl and LE yet.

Just check AWS don’t have mail ports blocked on their free tier.


#10

Most of the gotchas were my lack of knowledge. Only one that did cause a bit of head scratching was the need to put a valid email address in a file called email. Once I did that in the right place letsencrypt fetched the certificates.

As for the email, I think I am just struggling to work out what to put for the MX record on AWS.


#11

Hmm, I don’t recall setting an email on my sympl boxes.

In terms of MX record, a hostname that points to your sympl IP address should be all that’s needed.


#12

Yeah, done that. Seems to be an issue with Bytemark. If I send an email from Gmail to the new domain it works but replies get marked as spam by Gmail. I cannot however send or receive anything from the moved-to-AWS domain to any of the domains I still have on Bytemark. So for some reason Bytemark is now rejecting the emails as spam. MX toolbox seems to think the domain is OK though. So maybe I am missing something on the new setup.


#13

I’ve found using a new IP often gets rejected due to no reputation, or it may well be currently blacklisted from a previous user.

I run one of my email accounts with no spam filtering at all, which is sending for testing things like this. If it gets delivered, MTA is working and spam systems are catching it elsewhere. If not, it must be the MTA/server itself that’s at fault.

I always check a few places for blacklists - MX toolbox misses a few that others cover, and vice versa.

Don’t forget most systems will class emails as spam if the A/PTR don’t match.


#14

Thanks for all the tips. It has been very helpful.