Let’s Encrypt ACMEv1 EOL

Published June 2, 2021

I’ve been getting emails for a while about the Let’s Encrypt ACMEv1 API being deprecated in favor of the newer ACMEv2. And naturally, because that deadline happened yesterday, it’s now in my personal priority queue. 😉

For me, I happened to be on version 0.4.1 of letsencrypt (obtained via letsencrypt --version) which is an incredibly old version dating back to the initial provisioning of that VM back in late 2016. Modern distros use the certbot package which installs a letsencrypt binary for backwards compatibility. Most documentation from the past few years will almost exclusively reference certbot, though.

The quick-ish fix for me was an apt-get dist-upgrade to bring letsencrypt into the modern-ish age. Naturally, I found this solution via community.letsencrypt.org: https://community.letsencrypt.org/t/version-upgrade/84104

I did a half-baked verification by running sudo letsencrypt renew --dry-run and skimming the output. I’m going to keep my root crontab untouched with the same letsencrypt renew running weekly. I’m not sure if that’s strictly necessary as certbot appears to have registered a timed service which may already do what I’m looking for. I listed my timed services with systemctl list-timers and noted the certbot.service.

If my efforts turn out to have totally failed, I’ll do my best to document any steps I needed to take. Otherwise, I’ll keep my fingers crossed over the next two months (as certs begin to enter the 30 days until expiration) that all is well.


2021/06/14 Update: it required more finessing. After inspecting a gzipped log with zcat, I noticed there were still errors. Following the logs, I tracked it down to the server key in each /etc/letsencrypt/renewal/$domain.conf file, which was still referencing the old ACMEv1 URL. Here’s how I fixed that:

cd /etc/letsencrypt/renewal
sudo sed -i -e 's@server = https://acme-v01@server = https://acme-v02@g' *.conf
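As an added example (not part of the original post), here is a small shell script that generalizes the one-liner above: it audits a renewal directory for configs whose server line still points at an ACMEv1 directory URL, rewrites them while keeping a .bak copy of each file touched, and lets you confirm nothing was missed. The directory path is a parameter so it can be tried on a scratch copy first; the staging endpoint URLs are an addition beyond what the post covers.

```shell
#!/bin/sh
# Added example: migrate certbot renewal configs from ACMEv1 to ACMEv2 URLs.
# The renewal directory is passed as an argument, e.g. /etc/letsencrypt/renewal.

ACME_V1='https://acme-v01.api.letsencrypt.org/directory'
ACME_V2='https://acme-v02.api.letsencrypt.org/directory'
STAGING_V1='https://acme-staging.api.letsencrypt.org/directory'
STAGING_V2='https://acme-staging-v02.api.letsencrypt.org/directory'

# Print the renewal configs whose "server =" line still names an ACMEv1
# endpoint (production or staging). Already-migrated files do not match
# because their hostnames are acme-v02 / acme-staging-v02.
find_v1_configs() {
  dir="$1"
  grep -l -E '^server *= *https://acme-(v01|staging)\.api\.letsencrypt\.org/' \
    "$dir"/*.conf 2>/dev/null
}

# Rewrite only the server line, in place, leaving a <file>.bak backup so the
# change can be reverted if a renewal then fails for an unrelated reason.
migrate_v1_configs() {
  dir="$1"
  for f in $(find_v1_configs "$dir"); do
    sed -i.bak \
      -e "s@^server = $ACME_V1@server = $ACME_V2@" \
      -e "s@^server = $STAGING_V1@server = $STAGING_V2@" "$f"
    echo "migrated: $f"
  done
}

# Post-check: how many configs still reference a v1 endpoint (expect 0).
count_v1_configs() {
  find_v1_configs "$1" | wc -l | tr -d ' '
}

# Usage: migrate_v1_configs /etc/letsencrypt/renewal && count_v1_configs /etc/letsencrypt/renewal
```

After running it, sudo letsencrypt renew --dry-run against the real directory is still the check that proves the new endpoint is reachable and the account works.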

Last modified June 14, 2021  #security   #dns 


← Newer post  •  Older post →