ACMEv1 deprecation e-mails

FYI, we are about to begin sending these e-mails to Let's Encrypt subscribers who are likely to be affected by ACMEv1 deprecation:

Hi,

According to our records, the software client you're using to get Let's
Encrypt TLS/SSL certificates issued or renewed at least one HTTPS certificate
in the past two weeks using the ACMEv1 protocol. Your client's IP address was:

[ip]

Beginning June 1, 2020, we will stop allowing new domains to validate using
the ACMEv1 protocol. You should upgrade to an ACMEv2 compatible client before
then, or certificate issuance will fail. For most people, simply upgrading to
the latest version of your existing client will suffice. You can view the
client list at: ACME Client Implementations - Let's Encrypt

If you're unsure how your certificate is managed, get in touch with the
person who installed the certificate for you. If you don't know who to
contact, please view the help section in our community forum at
Help - Let's Encrypt Community Support and use the search bar to check if
there's an existing solution for your question. If there isn't, please create
a new topic and fill out the help template.

ACMEv1 API deprecation details can be found in our community forum:
https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1

As a reminder: In the future, Let's Encrypt will be performing multiple
domain validation requests for each domain name when you issue a certificate.
While you're working on migrating to ACMEv2, please check that your system
configuration will not block validation requests made by new Let's Encrypt IP
addresses, or block multiple matching requests. Per our FAQ
(FAQ - Let's Encrypt), we don't publish a list of IP addresses
we use to validate, and this list may change at any time.

To receive more frequent updates, subscribe to our API Announcements:
https://community.letsencrypt.org/t/about-the-api-announcements-category

Thank you for joining us on our mission to create a more secure and privacy-
respecting Web!

All the best,

Let's Encrypt

10 Likes

I just received one of these emails requiring action after years of seamless, effortless updates to 2 certificates for websites I maintain.
This is fantastic, thanks! …

However, I am now faced with an upgrade and, hopefully, not breaking anything. As a user of the Let’s Encrypt “recommended client” certbot, I was a bit disappointed that the information in the provided links in the email doesn’t provide a simple, clear set of instructions for common situations like an outdated client and how to test after an upgrade. Seems like there should be a searchable page on the forum at least. [tag:certbot] [tag:acmev1] [tag:acmev2] I will be opening a forum help request, I guess.

It seems to me that there is a lot of extraneous information in the email (like validation addresses), when the focus should be on facilitating the client updates.

Thanks for all your great work!

2 Likes

Maybe we can add the user agent of the client used, so end users have a better idea of what kind of client still uses ACMEv1?

4 Likes

Is it possible to provide the name of the actual certificate requested?

The [ip] only contains an IPv6 privacy address which has already rotated, so I don’t have any idea of which computer this could have come from to update… could have been any of a number of PCs running various versions of software.

Even the time of the last request would be helpful…

7 Likes

Please include the domain involved? I have dozens of certificates, on servers with IPv4 addresses, and all this gave me was an IPv6 address which I can’t match anywhere. These certs are given to domains, so that should at least be possible to add to the email?! I have no idea where to start.

3 Likes

Hello,
I recently got an email for the same. I am new to ACME, so I am having trouble finding how to upgrade ACME v1 to ACME v2.
It would be really great if someone would help me out on how to upgrade ACME from version 1 to version 2.

1 Like

Hi James, I got the email but it includes an IP that I have never used and I’m only running certbot in ACMEv2 mode.

The ISP referenced is 173.80.176.28 which according to ARIN is owned by SuddenLink ISP. My single host that requests LE certs is running Ubuntu 18.04 and is a stationary system on a different ISP with a static IP address.

@wwalltt Is it plausible that someone might have entered your email address by accident? E.g. if it’s <extremely common name>@gmail.com or something.

Thanks for your feedback, everyone! The next batch of e-mails is in progress. They now include a sample client IP address, user agent, hostname list, and timestamp from each ACME account.

3 Likes
