Not actually sure if this is possible, but it might be interesting for acmephp to be libressl-compatible?

This library is a modern rework of openssl, security-wise best-practice based, reducing the risk of vulnerabilities...

Just suggesting :)

http://www.libressl.org/

Hello,
File combined.pem contains a private key, yet it is stored in the /certs/ subdirectory. This can be dangerous - someone may publish it in error.

It should be moved to the /private/ subdirectory.

Note: this may break backwards compatiblity so probably it should be created in the /certs/ subdirectory only if it existed there previously.

See:

Hey,

Not sure if it's actually a bug, but in the {IMO} last-version, the self-update end-up in a var_dump of the available versions, without actually any way to finish the update (choose a version manually?).

Am I missing something?

It is not a main issue, acmephp works fine otherwise, but I was curious :)

$ php acmephp.phar -V

Acme PHP - Let's Encrypt client 1.0.0-dev

$ php acmephp.phar self-update
Updating...

array(9) {
  [0]=>
  string(10) "dev-master"
  [1]=>
  string(18) "dev-custom-actions"
  [2]=>
  string(14) "dev-improve-dx"
  [3]=>
  string(11) "1.0.0-beta3"
  [4]=>
  string(11) "1.0.0-beta2"
  [5]=>
  string(11) "1.0.0-beta1"
  [6]=>
  string(13) "1.0.0-alpha10"
  [7]=>
  string(12) "1.0.0-alpha9"
  [8]=>
  string(12) "1.0.0-alpha8"
}

workaround for

Obtain fake certificate in "staging/developer" mode without authorization
https://community.letsencrypt.org/t/obtain-fake-certificate-in-staging-mode-without-authorization/17629

in development environment in a [vagrant][1] box deployed with [puppet][2]/[chef][3] , it is sometimes not (easily) possible to have inbound traffic from the letsencypt server.
so it would be awesome to have an for example environment variable which is read by acmephp and which leads to acmephp only create a self signed cert so the [puppet][2]/[chef][3] code can be coded and tested as if the letsencrypt server generates the cert.

Hi,
I am trying to generate a certificate(currently by DNS challenge) and I can get challenge(s) but so far I have tried to provide the token, the payload, the second part of the payload(which is the hashed header) and in all cases the validation has failed.

I have checked the docs in here https://letsencrypt.github.io/acme-spec/#rfc.section.7.4 and it sounds to me like after I get the challenge I have to request the token which will be the returned value or something like that.

What is the value that has to be returned and where do I get it? The LE is effing frustrating to work with.

PS: I have AcmePHP core only.
PS2: http challenge works right away.

https://github.com/acmephp/core was last updated in 2016.

While code in https://github.com/acmephp/acmephp/tree/master/src/Core was updated 4 days ago :/

Shouldn't acmephp/core reflect latest changes in master 🤔

Also if possible, do tag it it so anyone can require it from composer.

Hi,
I am implementing the core into my app so that I can use LE and all is fine but one thing: if I use the staging directory it will always result in invalid argument exception stating: Resource type ""key-change"" is not supported by the ACME server (supported: "new-reg", "recover-reg", "new-authz", "new-cert", "revoke-cert", "reg", "authz", "challenge", "cert"). Funny thing is, the 'key-change' is not mentioned once in the code so I cannot figure out where this is coming from. If I switch to production no issues whatsoever.

I don't need to use staging that much but I'm just interested to know the reason for this.

Hey there,
I've just started using the tool and it's fantastic! Thank you very much. This is going to save me so much time.

My Problem

I couldn't find any documentation on what commands to run to remove certificates from the tool. E.g. stop them showing up in the output from acmephp status. For now, I just want to remove the certificates from my status output, but what if I wanted to go further and revoke them instead? Is that possible?

I tried renewing a certificate that was issued last year (it's about to expire).

/usr/bin/php /home/simon/acmephp.phar request --force strategy.sjsu.edu
Loading account key pair...
Forced renewal.
Loading domain key pair...
Loading domain distinguished name...
Renewing certificate for domain strategy.sjsu.edu ...

[AcmePhp\Core\Exception\Server\UnauthorizedServerException]
[unauthorized] The client lacks sufficient authorization: Error creating new cert :: authorizations for these names not found o
r expired: strategy.sjsu.edu (on request "POST https://acme-v01.api.letsencrypt.org/acme/new-cert")

[GuzzleHttp\Exception\ClientException]
Client error: POST https://acme-v01.api.letsencrypt.org/acme/new-cert resulted in a 403 Forbidden response:
{
"type": "urn:acme:error:unauthorized",
"detail": "Error creating new cert :: authorizations for these names not fo (truncated...)

SO, I tried generating a new certificate, which worked. I created the new challenge file in .well-known/acme-challenge and then trued to run check:

/usr/bin/php /home/simon/acmephp.phar check -s http strategy.sjsu.edu
Loading account key pair...
Loading the authorization token for domain strategy.sjsu.edu ...
Testing the challenge...

[GuzzleHttp\Exception\RequestException]
Error creating resource: [message] fopen(http://strategy.sjsu.edu/.well-known/acme-challenge/GQQcNE7jrP4IfDcS_NDsZbBkU7GwVGy9O-
LJXMK47L0): failed to open stream: Connection timed out
[file] phar:///home/simon/acmephp.phar/vendor/guzzlehttp/guzzle/src/Handler/StreamHandler.php
[line] 312

[RuntimeException]
Error creating resource: [message] fopen(http://strategy.sjsu.edu/.well-known/acme-challenge/GQQcNE7jrP4IfDcS_NDsZbBkU7GwVGy9O-
LJXMK47L0): failed to open stream: Connection timed out
[file] phar:///home/simon/acmephp.phar/vendor/guzzlehttp/guzzle/src/Handler/StreamHandler.php
[line] 312

So now I'm stuck - any help would be greatly appreciated.

To further automate the certificate creation process it woud be helpfull to have the DNS challenge supported with plugins for a range of DNS Providers ( to direct create the TXT DNS entries ).

php acmephp.phar authorize --solver dns yourdomain.org --dns-provider dns-plugin

php acmephp.phar setup --dns-provider dns-plugin to setup creditentials, server endpoints ..

where dns-plugin could be any DNS server with an API
kasserver see http://kasapi.kasserver.com/dokumentation/phpdoc/packages/API%20Funktionen.html
ispconfig see https://www.howtoforge.com/how-to-create-remote-api-scripts-for-ispconfig-3

I am willing to create those plugins but we should agree how to add this plugin support to acmephp

Hi,
the method \AcmePhp\Core\AcmeClient::requestAuthorization transforms the response into an array of AuthorizationChallenge objects. There are only tree types of challenges now and if I want to get the information for the sepcific challenge I want to use I have to filter this array. I think that is an unnecessary step and the challenges should be keyed by the type of challenge they represent.

So instead of this:

$authorizationChallenges = [];
        foreach ($response['challenges'] as $challenge) {
            $authorizationChallenges[] = new AuthorizationChallenge(
                $domain,
                $challenge['type'],
                $challenge['uri'],
                $challenge['token'],
                $challenge['token'].'.'.$encodedHeader
            );
        }

        return $authorizationChallenges;

it should be like this:

$authorizationChallenges = [];
        foreach ($response['challenges'] as $challenge) {
            $authorizationChallenges[$challenge['type']] = new AuthorizationChallenge(
                $domain,
                $challenge['type'],
                $challenge['uri'],
                $challenge['token'],
                $challenge['token'].'.'.$encodedHeader
            );
        }

        return $authorizationChallenges;

Hiya,

I was planning on using the core class of acmephp for implementing Let's encrypt certificate handling seeing as it has lots of possibilities.
Now i noticed that it was version 1.0.0-beta4 using composer (https://packagist.org/packages/acmephp/core) while acmephp/acmephp includes version 1.0.0-beta5.

Once implemented i'll have to deploy it to different servers so it would be nice to just require the necessary core libraries with composer without needing the rest of the project.

Any chance you could bring this up-to-date? :-)

Thanks in advance!

Kind regards,

Yannick

Hi,

I'm currently trying to use acmephp in some self-written software.
AcmeClient->finalizeOrder unfortunatly only accepts CSRs in the form of CertificateRequest-objects, not directly as a CSR, because the requestCertificate-Method then calls signCertificateRequest to generate a CSR.

I'd like to provide a custom CSR as a string. Any ideas on how to nicely implement this?
One method I could imagine would be to have a string-variable in CertificateRequest that you could populate with a custom CSR, another would be a second method that accepts CSRs directly.

Any suggestions on how to implement this? Would you accept a pull request implementing this functionality?

so long,
Tobi

Introduce a Sentry monitoring handler provides several advantages:

• made for monitoring (nice UI, ...)
• can handle much more powerful alerts (SMS, e-mails, push notifications, etc.)
• easy to do with the PHP client and the Monolog handler

How to solve this?

[Exception]
DateTime::__construct(): It is not safe to rely on the system's timezone se
ttings. You are required to use the date.timezone setting or the date_def
ault_timezone_set() function. In case you used any of those methods and you
are still getting this warning, you most likely misspelled the timezone id
entifier. We selected the timezone 'UTC' for now, but please set date.timez
one to select your timezone.

Enhancement request...

In addition to SMTP, allow th monitoring emails to be sent using sendmail or PHP's mail().

Hello,

Is there a way to specify overriding the services.xml file for the Cli client?

Here is my thought process: I like 98% of what the Cli client does such as handling storage and making calls to the LE api, and I was hoping to override the last 2% with some custom service classes rather than building 100% of a custom Cli client alternative myself. I'm hoping to just modify a few small behaviors, but without touching the distribution files so I can continue to update with composer.

It seems like being able to specify a custom services.xml file would open up a lot of capabilities like this, but please let me know if there is a way to achieve a similar result already and I might just be thinking about this wrong?

Thank you

Hi @tgalopin,

You mentioned in #3 that if I had any other questions, feel free to ask, so I'm cashing in on that offer. ;)

So I have just a few.

1. With the dns-01 challenge (yet to be implemented here, but I know it's on the todo list), it should automatically cover any subdomains in the certificate's Subject Alternate Name right? For instance if the certificate were for mydomain.com and the SAN had www.mydomain.com a single, successful dns-01 challenge that had the appropriate TXT record would be sufficient to cover both, and we could then get a certificate?

• Right now we are having to issue two http-01 challenges, one for mydomain.com, and another for www.mydomain.com, (even though they point to the same IP in 99% of cases) so we're trying to streamline that process if possible. And my thought was that implementing the dns-01 challenge might solve that. I'm not sure.

2. If I'm correct about that, are you already working on implementing the dns-01 challenge? We were thinking about forking the code and submitting a PR, but I'm sure you would be able to do it faster than us and probably already have an idea on how you want to design the code to handle this, especially if you're already working on it.

Thanks again for the awesome library

In acmephp/src/Ssl/Signer/CertificateRequestSigner.php the CSR payload returned via getCSRPayload currently doesn't contain the common name, resulting in the subject of the CSR not having a CN value defined.

Example:
Subject: C=CA, ST=British Columbia, L=Nanaimo, O=NA/[email protected]

Adding the common name to the payload in getCSRPayload will result in:

Subject: C=CA, ST=British Columbia, L=Nanaimo, O=NA, CN=example.com/[email protected]

Running bin/acme authorize '*.domain.ext' gives following error -

In AuthorizeCommand.php line 95:

  This ACME server does not expose supported challenge.

In such case, acmephp should set dns as default resolver(If the domain starts with *)

if user specifies any non-dns solver, then error should be thrown that non-dns solvers are not allowed by acme in wildcard domains.

Use the AcmePHP Core library I would like to have access to the authorization expiration date.

To do this I would expect that AcmeClient::requestAuthorization() and AcmeClient::challengeAuthorization() would return authorization objects, not just the challenges. I realize that this would be a BC-breaking change for the library, although not necessarily for the CLI client.

Additionally, my reading of the current ACME spec (Draft 9, section 7.5.1) is that the polling should be done on the authorization URL, not the challenge URL as AcmeClient::challengeAuthorization() is currently implemented. Passing the authorization object to that method would make this possible.

@tgalopin Preface: Sorry again for asking a question as opposed to presenting a code issue here, but you were helpful the last time and I've hit a brick wall today.

So basically I'm using this library as part of another application I'm building, so I'm storing the various object data into mysql.

I think I have all of that working, but I can't seem to figure out something basic about letsencrypt/acme.

For the http-01 challenge, I'm supposed to provision a file at say http://example.com/.well-known/acme-challenge/$token and it's contents should be... what exactly?

Looking through your test cases (since that's better than documentation sometimes) I see that you are putting the "payload" into the file:

https://github.com/acmephp/acmephp/blob/master/tests/Core/AcmeClientTest.php#L131

So if that's true, then the file should contain something like:

qu6WeClKmrROn0d9_gdbs0hgRtwyXeCScBt031mulKI.hS9kK3SM_bfmYvDYe-JjxWbrQL6eSjBdY4p9XnIZqDQ

and that's it. Is that right?

That doesn't work for me, and I'm not sure if I'm doing something wrong, or it's a complete misunderstanding of Acme/LetsEncrypt. But even if that's what I'm supposed to do, that doesn't match the test case in the LetsEncrypt's certbot test here:

https://github.com/certbot/certbot/blob/e5876ea162c22e9b2fff8cfcb7373a57572f3515/acme/acme/challenges_test.py#L153

And it doesn't match the information in the SPEC here:

https://letsencrypt.github.io/acme-spec/#rfc.section.7.1

So what am I missing exactly? Sorry to trouble you with a question, but I've tried to figure this out for way too long and I feel like you might be able to help me. Thanks so much in advance if you can shed some light on this for me.

Hi there,

Wonderful tool, thanks for making it.

I'm wondering whether there's a way to change the path where files are stored, or else how to configure the post_generate in order to move or copy the generated files or directory to another location.

Eg right now the location is:

/root/.acmephp/master/certs/domain.org/cert.pem

And I want to have a copy at:

/foo/bar/ssl/domain.org/cert.pem

For various reasons I can't just rely on a symlink, I need the file to be in that location.

On my ISP Panel i have only one input for the domain without www and with www. Can i request two domains in one certificate (www.example.com, example.com)?

getting this while trying to do initial register

[InvalidArgumentException]
Resource type ""key-change"" is not supported by the ACME server (supported
: "new-reg", "recover-reg", "new-authz", "new-cert", "revoke-cert", "reg",
"authz", "challenge", "cert")

Hi there,

I noticed ResourceDirectory.php includes a RECOVER_REGISTRATION resource for /recover-reg.

You should be able to delete this outright. It doesn't look like this constant is used anywhere outside of the directory. It also isn't present in the latest ACME draft specifications and isn't implemented by Boulder/Let's Encrypt.

Thanks!

I've got the certificate for an unqualified domain setup then later tried to add a subdomain. I received this error:

Requesting first certificate for domain ********* ...

[AcmePhp\Core\Exception\Server\UnauthorizedServerException]
[unauthorized] The client lacks sufficient authorization: Error creating new cert :: Authorizations for these names not found or expired: ********* (on request "POST https://acme-v01.api.letsencrypt.org/acme/new-cert")

[GuzzleHttp\Exception\ClientException]
Client error: POST https://acme-v01.api.letsencrypt.org/acme/new-cert resulted in a 403 Forbidden response:
{
"type": "urn:acme:error:unauthorized",
"detail": "Error creating new cert :: Authorizations for these names not fo (truncated...)

Any tips on how to debug this? Thank you!!

When authorizing (or doing any command) with a domain where we already created a certificate, the following message is printed to the command line on every command, for example:

Command: php acmephp.phar authorize -s http brucht.me

Output:
~~
Loading account key pair...
Requesting an authorization token for domain brucht.me ...

[InvalidArgumentException]
Resource type ""key-change"" is not supported by the ACME server (supported: "new-reg", "recover-reg", "new-authz", "new-cert", "revoke-cert", "reg", "authz", "challenge", "cert")

authorize [-s|--solver SOLVER] [--]
~~

I already tried to debug the current release, but I can't seem to find out where a request with the resource type key-change is actually fired and why it's fired.

I have exactly 10 days left before around 100 client certificates are going to expire, so any help with debugging this would be greatly appreciated.

Hi, i'm Using beta4 and have the Same Issue for the second time:

[AcmePhp\Core\Exception\Server\UnauthorizedServerException]
 [unauthorized] The client lacks sufficient authorization: Error creating new cert :: authorizations 
for these names not found  or expired: mydomain.de, www.mydomain.de 
(on request "POST https://acme-v01.api.letsencrypt.org/acme/new-cert")

[GuzzleHttp\Exception\ClientException]
 Client error: `POST https://acme-v01.api.letsencrypt.org/acme/new-cert` resulted in a `403 Forbidden` response:
 {
   "type": "urn:acme:error:unauthorized",
   "detail": "Error creating new cert :: authorizations for these names not fo (truncated...)

The domains will expire in 1week. I'm using the following Syntax in the daily cron:

php /root/acmephp.phar request mydomain.de -a www.mydomain.de -q

I'm Missing something? It doesn't make fun to authorize > 20domains every 3month,...

It would be awesome idea, to allow us to store auth files that need to be created on FTP to file. Currently I haven't found command for it. So I can create all files, upload them via FTP and then run acmephp.phar check on domains.
Thanks in advance

Would be a good way to simplify set-up as the initial account authorization has already been established.

Certbot directory is /etc/letencrypt.

Can you add option to store / retrieve the conf and key pairs from a different location than the default ~/.acme/?

Hello.

The last release is 1 year old. And I have some issue with it. I would like to try a new version but there are release. Could you release it please ?

Thanks.

Hi,
I have site secured by the CloudFlare DNS and it provides its own ssl certificate that handles communication from client to DNS/CloudFlare. But communication from CF to server is not encrypted so CF offers free SSL certificate(or you can upload your own) for this purpose. I have opted for the free one(since it can be valid for 15 years it you like = no hassle with updating LE). I am trying to put it into my system that handles proxying and other stuff and the CertificateParser class will fail to parse the certificate because of missing issuer[CN] value.

So I am wondering who got this wrong - the parser or the issuer?

Hi guys,

we have a problem to renew certificates, because we get an authorization errors.
The real issue is that let's encrypt has changed (in January) the expire date of the authorization challenges from 60days to 30days (according to this: https://community.letsencrypt.org/t/upcoming-api-changes/17947).

Acutally, let's encrypt send us an email 10days before our certificate expire, but if we renew the certificate only 10days before with acmephp we get an error saying that we don't have authorization.
So we need to re-run the whole authorization process and get a new certificate.

You can try to see your active authorization in .acmephp/master/private/yourdomain.com/authorization_challenge.json.
Try to make a request to the url that you find in the "url" key: if you get a 404, you need to re-run the authorization, otherwise, you can make a renew.

What we can do?
Run the renew each month, when the authorization is still valid.

It's sound strange that let's encrypt (with 100.000.000 certs) can't get an authorization more than 30days, but I think that the problem we got to renew a certificate is this one.

I have the following code in .acmephp/acmephp.conf

monitoring:
    slack:
        token: xxxxxxxxxx
        channel: #general
        #username: Acme PHP
        #level: info      # By default, on every CRON for slack handler

When executing the monitoring Test i get:

root:~# php -f acmephp.phar monitoring-test
Loading monitoring configuration...


  [AcmePhp\Cli\Exception\AcmeCliException]
  The Slack channel (key "channel") is required in the slack monitoring alert handler.


monitoring-test [<level>]

I'm using Version: Acme PHP - Let's Encrypt client 1.0.0-dev

I am unable to renew the certificates on my 2 domains. One has already expired, the other is about to. I updated to the beta-2 and reran the commands with no luck. The cert files and such are also not being updated. Any idea what I could be doing wrong here?

http://i.imgur.com/jWAagJl.png

I'm trying to use this software on Windows Server (unfortunately) and when running the following command I get an exception I can't figure out.

php acmephp.phar register [email protected]

Which throws out the following output.

No account key pair was found, generating one...


  [AcmePhp\Ssl\Exception\KeyPairGenerationException]
  OpenSSL key creation failed during generation with error: error:02001003:sy
  stem library:fopen:No such process


register [--agreement AGREEMENT] [--] [<email>]

Let's Encrypt has released their staging environment for ACME v2 (including wildcard certificates): https://community.letsencrypt.org/t/staging-endpoint-for-acme-v2/49605

Are there plans to support v2 with this project?

Acmephp breaks after new letsencrypt v2 changes for all v2 requests.

According to - https://community.letsencrypt.org/t/acmev2-order-ready-status/62866

As of Tuesday, June 19th the Staging ACMEv 2 endpoint returns Order objects with "status":"ready" when all of the order’s authorizations have "status" equal to "valid". As of Thursday, July 5th this change is also in effect for the production ACME v2 endpoint

Please ensure your ACME v2 client does not error in the presence of this new order status value, or depend on order objects remaining in the “pending” status when all of the authorizations are status “valid”.

If someone would request certificate, this is the error they would get (because of this condition)-

In AcmeClient.php line 245:

PHP Fatal error:  Uncaught AcmePhp\Core\Exception\Protocol\CertificateRequestFailedException: Certificate request failed (response: The order h
as not been validated) 

I tested and fixed it by modifying

        if ('pending' === $response['status']) {

to

        if ('ready' === $response['status']||'pending' === $response['status']) {

because the response is no longer 'pending' but has now become 'ready'. So due to the old if condition it was unable to go in and execute the finalize request.

After the above modification it works for my use case(I don't know if it would work for all use cases).

Hence I request you to make these changes ASAP wherever required. Or give me a direction, (as I am fairly new to letsencrypt) if other changes will have to be made apart from the one I did. I would love to contribute and send a PR.

ECDSA certificate signing is a completed feature of Let's Encrypt as of February, and ECDSA intermediates are expected by April 2017. Do you plan on making ECDSA certificate signing an option in the beta release?

I've gone through all the steps and seems to have worked fine, except I'm missing the private.pem file. Confirmation message says:

This certificate is valid from now to 2017-06-27T12:17:00+0000.

5 files were created in the Acme PHP storage directory:

    * /root/.acmephp/master/private/redacted.co.uk/private.pem contains your domain private key (required in many cases). 

    * /root/.acmephp/master/certs/redacted.co.uk/cert.pem contains only your certificate, without the issuer certificate.
      It may be useful in certains cases but you will probably not need it (use fullchain.pem instead).

    * /root/.acmephp/master/certs/redacted.co.uk/chain.pem contains the issuer certificate chain (its certificate, the
      certificate of its issuer, the certificate of the issuer of its issuer, etc.). Your certificate is
      not present in this file.

    * /root/.acmephp/master/certs/redacted.co.uk/fullchain.pem contains your certificate AND the issuer certificate chain.
      You most likely will use this file in your webserver.

    * /root/.acmephp/master/certs/redacted.co.uk/combined.pem contains the fullchain AND your domain private key (some
      webservers expect this format such as haproxy).

ls -l says:

-rw------- 1 root root 2147 Mar 29 13:17 cert.pem
-rw------- 1 root root 1647 Mar 29 13:17 chain.pem
-rw------- 1 root root 7066 Mar 29 13:17 combined.pem
-rw------- 1 root root 3794 Mar 29 13:17 fullchain.pem

Hi there,

Rather than using the phar, I am running the bin/acme file - but as-is it fails unless I tell it to look one directory higher for the composer autoload file like this:

$autoload = [
    __DIR__.'/../../../autoload.php',

because after a composer install, the folder structure will be: vendor/acmephp/acmephp/bin , making bin need to look 3 folders up to be in vendor to then find autoload.php.

Unless maybe I am doing something wrong?

Great work so far, thank you.

Hello,
The ./LICENSE file is outdated - its header should probably be:

Copyright (c) 2016-2018 Titouan Galopin
Copyright (c) 2016-2018 Jérémy Derussé

The convention is to include only significant contributors in the copyright header.

At https://acmephp.github.io/documentation/cli/get-certificate.html it says "This command will do four main things" even tho listed are only 3 things.

When calling
acmephp monitoring-test
I can see this output

Loading monitoring configuration...  
Triggering monitoring on "error" level...  
Triggered successfully  
You should have been alerted 

but no email is sent.

My acmephp.conf (monitoring part) is the following:

###################################################################
# Monitoring
#
# This section let you configure a simple monitoring mechanism that
# will warn you if an error occurs during a CRON job.
#

#monitoring: ~   # Monitoring is disabled by default

# You can enabled it by configuring at least one alert handler.
# You can change the default handler level to decide when to be alerted
# (only when an error occurs or every time the CRON is started).
monitoring:
    email:
        to: [email protected]
        host: smtp.xxxxxxx.xxxx
        port: 587
        username: userxxxx
        password: passxxxx
        subject: Error during Acme PHP CRON renewal
        encryption: TLS
        level: info
#
#    slack:
#        token: your_token
#        channel: general   # Channel name without hashtag
#        # username: Acme PHP
#        # level: info      # By default, on every CRON for slack handler

How can i test email error/info monitoring?
With the 'info' level setting, commands like theese

acmephp check -s http domain.xxxxx
acmephp request domain.xxxxx
acmephp request --force domain.xxxxx

should generate email report?
Thanks for your support.

Everything looks fine in the CLI output...

$ php acmephp.phar --version
Acme PHP - Let's Encrypt client version 1.0.0-beta2

$ php acmephp.phar -n -v request art-und-weise.org -a www.art-und-weise.org
Loading account key pair...
Current certificate will expire in less than a week (2016-12-25 14:07:00), renewal is required.
Loading domain key pair...
Loading domain distinguished name...
Renewing certificate for domain art-und-weise.org ...

... however, the certs remain untouched:

$ ll .acmephp/master/certs/art-und-weise.org/
total 28
drwxr-s---+ 2 vm-admin www   76 26. Sep 15:40 .
drwxr-s---+ 4 vm-admin www   60 24. Okt 17:19 ..
-rw-------+ 1 vm-admin www 2179 26. Sep 17:07 cert.pem
-rw-------+ 1 vm-admin www 1647 26. Sep 17:07 chain.pem
-rw-------+ 1 vm-admin www 7098 26. Sep 17:07 combined.pem
-rw-------+ 1 vm-admin www 3826 26. Sep 17:07 fullchain.pem

... whereas distinguished_name.json is loaded:

$ ll .acmephp/master/private/art-und-weise.org/
total 28
drwxr-s---+ 2 vm-admin www  106 26. Sep 15:40 .
drwxr-s---+ 8 vm-admin www 4096 24. Okt 17:10 ..
-rw-------+ 1 vm-admin www  414 26. Sep 12:39 authorization_challenge.json
-rw-------+ 1 vm-admin www  286 20. Dez 16:59 distinguished_name.json
-rw-------+ 1 vm-admin www 3272 26. Sep 15:39 private.pem
-rw-------+ 1 vm-admin www  800 26. Sep 15:39 public.pem

My environment:

$ php --version
PHP 5.5.38-pl0-gentoo (cli) (built: Dec  5 2016 13:22:50) 
Copyright (c) 1997-2015 The PHP Group
Zend Engine v2.5.0, Copyright (c) 1998-2015 Zend Technologies
    with Zend OPcache v7.0.6-dev, Copyright (c) 1999-2015, by Zend Technologies

When testing with beta-3, I received:

Loading account key pair...  
Current certificate will expire in less than a week (2016-12-25 14:07:00), renewal is required.  
Loading domain key pair...  
Loading domain distinguished name...  
Renewing certificate for domain art-und-weise.org ...  

  [AcmePhp\Core\Exception\Server\UnauthorizedServerException (403)]                                                                                                                                                           
  [unauthorized] The client lacks sufficient authorization: Error creating new cert :: Authorizations for these names not found or expired: art-und-weise.org, www.art-und-weise.org (on request "POST https://acme-v01.api.
letsencrypt.org/acme/new-cert") 

What can be done to avoid an unpleasant christmas surprise? Thanks for your support.