Currently no Let's encrypt certificates for NixOS because of deprecated ACMEv1

I noticed today, that I cannot activate a new domain for Let’s encrypt on NixOS. I reported this bug to them on GitHub:

I see that this is related to the deprecation of the ACMEv1 API. The interesting thing to see for me was, that I have other let’s encrypt certificates on the same host already, so I thought a new account wouldn’t be used. NixOS seems to request a new account anyway and therefore getting a certificate for a new domain on this host doesn’t work at the moment.

Hi @mawis

isn’t there an update of that client?


ACME v1 is deprecated. So if you want to use Letsencrypt certificates, switch to v2.

Or check, if you can use another client.

Perhaps with another Linux-system and dns-validation. And with a manual copy of the certificate. Not good, but better than a broken certificate.

The client used (simp_le-client-0.9.0) is rather old. However, it seems it uses the python ACME client library under the hood. So it probably does support ACMEv2 already.

It also seems simp_le has the --server option. So here are two options:

  • upgrade simp_le-client to a version ≥0.15.0 (from that version onwards, Let’s Encrypt ACMEv2 server was the default ACME server)
  • add a --server option with LE’s ACMEv2 endpoint as value.

@mawis it seems simp_le-client version 0.16.0 is in NixOS repository:

Hmm, it seems you need to run NixOS 19.09 at minimum, NixOS 19.03 only sports simp_le 0.9.0 indeed

1 Like

Thanks for the comments. I got it working now. Actually NixOS already did upgrade simp_le from 0.9.0 to 0.16.0 already on (/not before) 2019-10-17. But after updating my Nix channel with nix-channel --update (something similar to apt-get update) it updated simp_le and I got the certificate.

Sorry for the confusion and thanks for the help.

1 Like

19.03 is already end of support since yesterday. So probably isn’t no big problem, that this isn’t updated.

I didn’t notice that I haven’t updated my channel the last two weeks, or actually I thought I had. This server I had the problem with is managed remotely so I don’t have to do these updates there manually (normally).

So I guess there is no real problem, it my own fault.

Ah, thanks, good to know. And happy to read that you have now a working v2 client - :+1:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.