End of Life Plan for ACMEv1

The original protocol used by Let’s Encrypt for certificate issuance and management is called ACMEv1. In March of 2018 we introduced support for ACMEv2, a newer version of the protocol that matches what was finalized today as RFC 8555. We have been encouraging subscribers to move to the ACMEv2 protocol.

Today we are announcing an end of life plan for ACMEv1.

In November of 2019 we will stop allowing new account registrations through our ACMEv1 API endpoint. Existing accounts will continue to function normally.

In June of 2020 we will stop allowing new domains to validate via ACMEv1.

Starting at the beginning of 2021 we will occasionally disable ACMEv1 issuance and renewal for periods of 24 hours, no more than once per month (OCSP service will not be affected). The intention is to induce client errors that might encourage subscribers to update to clients or configurations that use ACMEv2. Renewal failures should be limited since new domain validations will already be disabled and we recommend renewing certificates 30 days before they expire.

In June of 2021 we will entirely disable ACMEv1 as a viable way to get a Let’s Encrypt certificate.

We would like to remind people reading this about an upcoming change to our ACMEv2 support. Starting in November 2020 we will no longer allow unauthenticated resource GETs when using ACMEv2.

15 Likes
How to change activator
ACME v1 End of Life concern
Action required: Let's Encrypt client problem - acmetool
Still receiving "Action required: Let's Encrypt certificate renewals" emails with older version
Important notice to ACME Client developers regarding ACME v1 deprecation
ACMEv1 to ACMEv2
How to upgrade ACMEv1 to ACMEv2
My Letsencrypt certificate fails to renew randomly
Ubuntu 14.04 with Certbot version 0.17.0
Not able to renew my certs
Synology / Let's Encrypt certificate - Failed to connect to Let's Encrypt. Please make sure the domain is correct
Installing Certificates for Let's Encrypt using ACME on Azure
Openresty lua fails to renew / re-issue
Kube-lego certificates
ACMEv1 question for letsencrypt-express client
ACME v1 end of life and subdomains
LE64.exe not deleting challenge file
ACME v1 End of Life concern due to stale API libaries
What happens if I don't update the certificate?
Cannot upgrade from ACMEv1 to ACMEv2 protocol
Azure Let's Encrypt
How could I change Root Directory with command
Too many flags setting configurators/installers/authenticators 'webroot' -> 'apache'
Acme.sh standalone Ading a secondary subdomain same public ip
Acme.sh standalone Ading a secondary subdomain same public ip
Update your client software to continue using Let's Encrypt
How request www and non-www in one request
Cannt install letsencrypt for Debian 8
Solution to ACMEv2 Errors since upgrade?
Is it possible to use certbot on fedora 23?
ACMEv1 renewals EOL
Acme.sh will not issue, says I am using verson 1 when I am using version 2
Adding domainnames (Alt Domain) with acme.sh
Certificate renew on old Debian OS
Certbot 1.2.0 but Acme V1 Errors?
How to upgrade ACMEv2 please help?
Error 403 "type": "urn:acme:error:unauthorized"
ACME v1/v2: Validating challenges from multiple network vantage points
ACMEv1 deprecation e-mails
Let's Encrypt Failing to Renew
Vigor2960 [handle_reg_response] The same ip registered too many times
Error in Requesting a certificate with Virtualmin
Failed to create certificate order: Failed to begin certificate order
Create certificate on Windows server using ACMEv2
'JWS has no anti-replay nonce' issue on Ubuntu 18.04
Let’s Encrypt Expiry Bot

In preparation for the production turn down of ACME v1 we are planning to disable new ACME v1 registrations in the staging environment during the following dates of this year.

  • August 6th to August 7th

  • August 13th to August 15th

  • August 27th to Sept 3rd

We will be permanently disabling new ACME v1 registrations in the staging environment on October 1st.

As a reminder in November we will disabling ACME v1 registrations in the production environment as well. Please use these progressively longer staging brown-outs to verify that your organization will not be affected by the start of the production ACME v1 end of life in November. We will announce similar brown-out dates for production in the near future.

We’ve made a public Google calendar with these dates and other scheduled ACME API events that may be helpful to others.

Thanks!

8 Likes

Reminder that tomorrow will be the end of new ACME v1 registrations in the staging environment.

We will be beginning brown-outs for new ACME v1 registrations for the production environment for the following dates of this year:

  • October 10th to October 11th
  • October 16th to October 18th
  • October 31st onward

We will be permanently disabling new ACME v1 registrations in the production environment on October 31st.

The Google calendar of scheduled ACME events will be updated accordingly.

Thanks!

5 Likes

The first of the production brownouts for new ACMEv1 registrations has begun. We won’t necessarily post here for each one. Subscribe to the detailed status updates at https://letsencrypt.status.io if you’d like to be notified.

4 Likes

The second production brownout for new ACMEv1 registrations has begun.

3 Likes

The second production brownout for new ACMEv1 registrations has ended. Please be aware that October 31st onward we will be permanently disabling new ACMEv1 registrations per the End of Life Plan for ACMEv1.

2 Likes

With input from our community, we have decided to move out the turn-off date for new ACMEv1 registrations to November 8, 2019. As of November 8, all new accounts will need to be created via ACMEv2.

We’re going to use the original date of November 1, 2019 as another 1-day brownout period. We’ll disable new ACMEv1 registrations on November 1, then re-enable them on November 2 before finally turning them off altogether on November 8. Hopefully this will give a little more time to update any implementations that are lagging.

As a reminder, you can continue using your same ACMEv1 account ID for ACMEv2 and existing rate limit adjustments will still apply (assuming you have requested and received a rate limit adjustment).

We’ve updated our public Google calendar accordingly. Please subscribe to the API Announcements category for future updates.

4 Likes

As planned, we will be turning off ACMEv1 validations for new domains during the month of June. We will be following the schedule below for disabling new ACMEv1 validations.

  • May 13th: Permanently disable staging new validations.

  • June 1st: Disable production new validations for 24 hours.

  • June 9th: Disable production new validations for 24 hours.

  • June 17th: Disable production new validations for 48 hours.

  • June 24th: Disable production new validations for 72 hours.


  • July 2nd: Permanently disable production new validations.

Please use these progressively longer production brown-outs to verify that your organization will not be affected.

We’ve updated the public Google calendar with these dates and other scheduled ACME API events that may be helpful.

Thanks!

9 Likes

We have disabled staging ACMEv1 validations for new domains.

7 Likes