Currently no Let's Encrypt certificates for NixOS because of deprecated ACMEv1

I noticed today that I cannot activate a new domain for Let's Encrypt on NixOS. I reported this bug to them on GitHub: https://github.com/NixOS/nixpkgs/issues/72571

I see that this is related to the deprecation of the ACMEv1 API. The interesting thing for me was that I already have other Let's Encrypt certificates on the same host, so I thought a new account wouldn't be used. NixOS seems to request a new account anyway, and therefore getting a certificate for a new domain on this host doesn't work at the moment.

Hi @mawis

Isn't there an update of that client?

Read

https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430/8

ACME v1 is deprecated. So if you want to use Let's Encrypt certificates, switch to v2.

Or check, if you can use another client.

Perhaps with another Linux system and DNS validation, and with a manual copy of the certificate. Not good, but better than a broken certificate.

The client used (simp_le-client-0.9.0) is rather old. However, it seems it uses the Python ACME client library under the hood, so it probably does support ACMEv2 already.

It also seems simp_le has the --server option. So here are two options:

  • upgrade simp_le-client to a version ≥0.15.0 (from that version onwards, the Let's Encrypt ACMEv2 server has been the default ACME server)
  • add a --server option with LE's ACMEv2 endpoint as its value.

@mawis it seems simp_le-client version 0.16.0 is in NixOS repository: https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/admin/simp_le/default.nix

Hmm, it seems you need to run NixOS 19.09 at minimum; NixOS 19.03 only sports simp_le 0.9.0 indeed...

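A concrete form of the second option above (adding --server with the ACMEv2 endpoint), as an added example that is not from this thread, from nixpkgs or from the NixOS module itself: a NixOS configuration fragment that pins the ACME directory for one certificate. It assumes that the security.acme module of the release in use exposes a per-certificate `server` option and passes it to simp_le as --server; the domain, e-mail address and webroot path are placeholders.

```nix
# Added example (not from the thread or from nixpkgs): pin the ACME
# directory used by the NixOS security.acme module to Let's Encrypt's
# ACMEv2 endpoint, so that a fresh account for a new domain is
# registered against v2 even if the installed simp_le still defaults to v1.
#
# Assumption: the module exposes security.acme.certs.<name>.server and
# hands it to simp_le as `--server`. Confirm with
#   nixos-option security.acme.certs
# on the release you run before relying on it.
{ config, pkgs, ... }:

let
  # Let's Encrypt directory URLs (the v1 URL is the one being retired).
  acmeV1        = "https://acme-v01.api.letsencrypt.org/directory";
  acmeV2        = "https://acme-v02.api.letsencrypt.org/directory";
  acmeV2Staging = "https://acme-staging-v02.api.letsencrypt.org/directory";

  # Placeholders: replace with the real domain, contact and webroot.
  domain  = "new.example.org";
  contact = "hostmaster@example.org";
  webroot = "/var/lib/acme/acme-challenge";
in
{
  security.acme.certs."${domain}" = {
    email   = contact;
    webroot = webroot;
    # Explicit directory: never fall back to the client's built-in
    # default, which on simp_le < 0.15.0 is the ACMEv1 URL.
    # Use acmeV2Staging first if you want to test without touching
    # production rate limits.
    server  = acmeV2;
  };
}
```

The same value is what you would pass by hand as `simp_le --server https://acme-v02.api.letsencrypt.org/directory ...` when debugging outside the module. Once the host is on a nixpkgs channel that ships simp_le ≥0.15.0, the explicit `server` is redundant but harmless, and it documents which directory the account keys under /var/lib/acme belong to.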

Thanks for the comments. I got it working now. Actually, NixOS had already upgraded simp_le from 0.9.0 to 0.16.0 on (not before) 2019-10-17. After updating my Nix channel with nix-channel --update (something similar to apt-get update), it updated simp_le and I got the certificate.

Sorry for the confusion and thanks for the help.


19.03 has been end of support since yesterday. So it's probably no big problem that this isn't updated.

I didn't notice that I hadn't updated my channel in the last two weeks; actually, I thought I had. The server I had the problem with is managed remotely, so I don't normally have to do these updates there manually.

So I guess there is no real problem; it was my own fault.

Ah, thanks, good to know. And happy to read that you now have a working v2 client :+1:
