Below are a pair of emails we intend to send soon. I'd like to get feedback from the community, as folks here often have ideas on how to make things clearer or make sure we include all information.
Subject: Update your software before Sep 15 to avoid certificate expiration (TLS 1.1 deprecation)
Our records show that the software you use to get Let's Encrypt certificates uses TLS 1.0 or TLS 1.1. On September 15, 2022, we will require TLS 1.2 or better for all ACME API connections, and for any validation requests that redirect to HTTPS: https://community.letsencrypt.org/t/rejecting-tls-1-0-1-1-for-inbound-acme-connections/176107
We estimate this change will affect 0.008% of certificate issuances, including yours. Here are your affected hostnames and IP addresses:
<ip address 1>
<ip address 2>
<hostname 1>
<hostname 2>
To fix this problem, most likely you need to update your software to the latest version. In particular you may need to update OpenSSL if your Let's Encrypt client software or your web server supports that. In more unusual cases, you may need to change configuration to enable TLS 1.2 and above.
If you have questions about these changes, please post them here:
https://community.letsencrypt.org/t/questions-about-tls-1-0-1-1-deprecation-for-acme-requests/176106
Subject: Update your software before Sep 15 to avoid certificate expiration (SHA-1 CSR deprecation)
Our records show that the software you use to get Let's Encrypt certificates sends Certificate Signing Requests (CSRs) that use the SHA-1 hash algorithm. SHA-1 has been deprecated by NIST since 2011. Let's Encrypt is now fully removing support for this hash in CSRs, as of September 15, 2022: https://community.letsencrypt.org/t/rejecting-sha-1-csrs-and-validation-using-tls-1-0-1-1-urls/175144
We estimate that this change will affect 1.18% of certificate issuances, including yours. Here are your affected hostnames and IP addresses:
<ip address 1>
<ip address 2>
<hostname 1>
<hostname 2>
To fix this problem, most likely you need to update your software to the latest version. In particular, if you are using node-acme-client, you need to update to at least version 4.2.4.
If you have questions about these changes, please post them here: