Let’s Encrypt ACMEv1 EOL
Published June 2, 2021
I’ve been getting emails for a while about the Let’s Encrypt ACMEv1 API being deprecated in favor of the newer ACMEv2. And naturally, because that deadline happened yesterday, it’s now in my personal priority queue. 😉
For me, I happened to be on version 0.4.1 of letsencrypt (obtained via letsencrypt --version), which is an incredibly old version dating back to the initial provisioning of that VM back in late 2016. Modern distros use the certbot package, which installs a letsencrypt binary for backwards compatibility. Most documentation from the past few years will almost exclusively reference certbot, though.
The quick-ish fix for me was an apt-get dist-upgrade to bring letsencrypt into the modern-ish age. Naturally, I found this solution via community.letsencrypt.org: https://community.letsencrypt.org/t/version-upgrade/84104
I did a half-baked verification by running sudo letsencrypt renew --dry-run and skimming the output. I’m going to keep my root crontab untouched, with the same letsencrypt renew running weekly. I’m not sure if that’s strictly necessary, as certbot appears to have registered a timed service which may already do what I’m looking for. I listed my timed services with systemctl list-timers and noted the certbot.service.
If my efforts totally failed, I’ll do my best to document any steps I needed to take. Otherwise, I’ll keep my fingers crossed over the next two months (as certs begin to enter the 30 days until expiration) that all is well.
2021/06/14 Update: it required more finessing. After inspecting a .gz-compressed log with zcat, I noticed there were still errors. Following the logs, I tracked it down to the server key in each /etc/letsencrypt/renewal/$domain.conf file, which was still referencing the old ACMEv1 URL. Here’s how I fixed that:
cd /etc/letsencrypt/renewal
sudo sed -i -e 's@server = https://acme-v01@server = https://acme-v02@g' *.conf
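The same fix as a small, checkable script (an added example, not from the original post): it first lists which renewal configs still point at the ACMEv1 directory, then rewrites only the whole-line server key to the ACMEv2 directory URL, keeping a .bak copy, so you can audit before and after instead of skimming logs. The directory is a parameter so it can be tried on a copy of /etc/letsencrypt/renewal first; the demo function runs it on a constructed config file, not a real one.

```shell
#!/bin/sh
# Full Let's Encrypt directory URLs (the post's sed only matched the host prefix).
ACME_V1='https://acme-v01.api.letsencrypt.org/directory'
ACME_V2='https://acme-v02.api.letsencrypt.org/directory'

# Print every renewal config in $1 whose server key still references ACMEv1.
list_acme_v1_confs() {
    dir="$1"
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        if grep -Eq "^server[[:space:]]*=[[:space:]]*${ACME_V1}\$" "$f"; then
            echo "$f"
        fi
    done
}

# Rewrite the server key in each ACMEv1 config under $1 (keeping $f.bak) and
# print the number of files changed. Renewal conf names are domain names, so
# word-splitting the list is safe here.
fix_acme_v1_confs() {
    dir="$1"
    n=0
    for f in $(list_acme_v1_confs "$dir"); do
        cp "$f" "$f.bak"
        # Anchor on the whole line so no other key in the file is touched.
        sed -e "s@^\(server[[:space:]]*=[[:space:]]*\)${ACME_V1}\$@\1${ACME_V2}@" \
            "$f" > "$f.tmp" && mv "$f.tmp" "$f"
        n=$((n + 1))
    done
    echo "$n"
}

# Demonstration on a constructed renewal config in a temp dir (assumed layout,
# not a real certificate). Prints "fixed=<changed files> v2=<v2 lines in file>".
demo_on_constructed_conf() {
    tmp=$(mktemp -d)
    printf 'version = 0.31.0\nserver = %s\n' "$ACME_V1" > "$tmp/example.com.conf"
    fixed=$(fix_acme_v1_confs "$tmp")
    v2=$(grep -c "^server = ${ACME_V2}\$" "$tmp/example.com.conf")
    rm -rf "$tmp"
    echo "fixed=$fixed v2=$v2"
}
```

After rewriting the real files, sudo certbot renew --dry-run (as in the post) is the check that the new endpoint actually works end to end.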