End of Life Plan for ACMEv1

The original protocol used by Let’s Encrypt for certificate issuance and management is called ACMEv1. In March of 2018 we introduced support for ACMEv2, a newer version of the protocol that matches what was finalized today as RFC 8555. We have been encouraging subscribers to move to the ACMEv2 protocol.

Today we are announcing an end of life plan for ACMEv1.

In November of 2019 we will stop allowing new account registrations through our ACMEv1 API endpoint. Existing accounts will continue to function normally.

In June of 2020 we will stop allowing new domains to validate via ACMEv1.

Starting at the beginning of 2021 we will occasionally disable ACMEv1 issuance and renewal for periods of 24 hours, no more than once per month (OCSP service will not be affected). The intention is to induce client errors that might encourage subscribers to update to clients or configurations that use ACMEv2. Renewal failures should be limited since new domain validations will already be disabled and we recommend renewing certificates 30 days before they expire.

In June of 2021 we will entirely disable ACMEv1 as a viable way to get a Let’s Encrypt certificate.

We would like to remind people reading this about an upcoming change to our ACMEv2 support. Starting in November 2020 we will no longer allow unauthenticated resource GETs when using ACMEv2.

17 Likes

In preparation for the production turn down of ACME v1 we are planning to disable new ACME v1 registrations in the staging environment during the following dates of this year.

  • August 6th to August 7th

  • August 13th to August 15th

  • August 27th to Sept 3rd

We will be permanently disabling new ACME v1 registrations in the staging environment on October 1st.

As a reminder in November we will disabling ACME v1 registrations in the production environment as well. Please use these progressively longer staging brown-outs to verify that your organization will not be affected by the start of the production ACME v1 end of life in November. We will announce similar brown-out dates for production in the near future.

We’ve made a public Google calendar with these dates and other scheduled ACME API events that may be helpful to others.

Thanks!

9 Likes

Reminder that tomorrow will be the end of new ACME v1 registrations in the staging environment.

We will be beginning brown-outs for new ACME v1 registrations for the production environment for the following dates of this year:

  • October 10th to October 11th
  • October 16th to October 18th
  • October 31st onward

We will be permanently disabling new ACME v1 registrations in the production environment on October 31st.

The Google calendar of scheduled ACME events will be updated accordingly.

Thanks!

7 Likes

The first of the production brownouts for new ACMEv1 registrations has begun. We won’t necessarily post here for each one. Subscribe to the detailed status updates at https://letsencrypt.status.io if you’d like to be notified.

6 Likes

The second production brownout for new ACMEv1 registrations has begun.

5 Likes

The second production brownout for new ACMEv1 registrations has ended. Please be aware that October 31st onward we will be permanently disabling new ACMEv1 registrations per the End of Life Plan for ACMEv1.

4 Likes

With input from our community, we have decided to move out the turn-off date for new ACMEv1 registrations to November 8, 2019. As of November 8, all new accounts will need to be created via ACMEv2.

We’re going to use the original date of November 1, 2019 as another 1-day brownout period. We’ll disable new ACMEv1 registrations on November 1, then re-enable them on November 2 before finally turning them off altogether on November 8. Hopefully this will give a little more time to update any implementations that are lagging.

As a reminder, you can continue using your same ACMEv1 account ID for ACMEv2 and existing rate limit adjustments will still apply (assuming you have requested and received a rate limit adjustment).

We’ve updated our public Google calendar accordingly. Please subscribe to the API Announcements category for future updates.

6 Likes

As planned, we will be turning off ACMEv1 validations for new domains during the month of June. We will be following the schedule below for disabling new ACMEv1 validations.

  • May 13th: Permanently disable staging new validations.

  • June 1st: Disable production new validations for 24 hours.

  • June 9th: Disable production new validations for 24 hours.

  • June 17th: Disable production new validations for 24 hours.

  • June 24th: Disable production new validations for 72 hours.


  • July 2nd: Permanently disable production new validations.

Please use these progressively longer production brown-outs to verify that your organization will not be affected.

We’ve updated the public Google calendar with these dates and other scheduled ACME API events that may be helpful.

Thanks!

11 Likes

We have disabled staging ACMEv1 validations for new domains.

9 Likes

We have disabled ACMEv1 New Validations in Production. This brownout will last 24 hours. We won’t necessarily post here for each one. Subscribe to the detailed status updates at https://letsencrypt.status.io if you’d like to be notified.

6 Likes

We have ended the brownout earlier than scheduled. ACMEv01 New Validations are now available again in Production.

The next brownout will be June 9th.

4 Likes

We are disabling ACMEv1 New Validations in Production. This brownout will last 24 hours. We won’t necessarily post here for each one. Subscribe to the detailed status updates at https://letsencrypt.status.io if you’d like to be notified.

3 Likes

We are disabling ACMEv1 New Validations in Production. This brownout will last 24 hours. We won’t necessarily post here for each one. Subscribe to the detailed status updates at https://letsencrypt.status.io if you’d like to be notified.

4 Likes

We have permanently disabled ACMEv1 Validations for New Domains in Production.

12 Likes

In preparation for the full shut-off of the ACMEv1 API in June 2021, we will have occasional ACMEv1 issuance and renewal brown-outs each month. The schedule below outlines our plan and our API announcements calendar is updated accordingly.

We previously indicated that these brown-outs would be once a month and not more than 24 hours in length. We feel that schedule won't alert the greatest number of subscribers who use ACMEv1 so we have planned several brown-outs each month of increasing length covering various times of month and days of week. As stated in the original announcement, the intention is to induce client errors that encourage subscribers to update to clients or configurations that use ACMEv2.

Please use these progressively longer brown-outs to verify that your organization will not be affected when we entirely disable ACMEv1 as a viable way to get a Let's Encrypt Certificate.


January

  • Thursday, 14th (6 hours)
  • Tuesday, 26th (6 hours)

February

  • Wednesday, 10th - Thursday, 11th (24 hours)
  • Thursday, 25th - Friday, 26th (24 hours)

March

  • Monday, 15th - Tuesday, 16th (48 hours)
  • Wednesday, 24th - Thursday, 25th (48 hours)

April

  • Tuesday, 6th - Thursday, 8th (72 hours)
  • Friday, 23rd - Sunday, 25th (72 hours)

May

  • Thursday, 6th - Monday 10th (5 days)
  • Tuesday, 18th - Tuesday, 25th (7 days)

June

  • Tuesday, 1st - turn off completely

What about the Staging ACMEv1 API?

The Staging ACMEv1 API will be fully disabled on 26 March 2021. Until that date, it will undergo brownouts on the same schedule as the Production ones above.

17 Likes

We have disabled the ACMEv1 API in Staging and Production in line with our ACMEv1 deprecation plans. This brownout will last aproximately 6 hours.

Will update our status page maintenance window and this thread when the brownout is completed.

Please note, this brownout includes the Staging ACMEv1 API. We realized this endpoint was not listed in our original plans and have decided that Staging brownouts will occur in line with production until the end of March when we will fully disable ACMEv1 in Staging. The previous post has been updated with this information.

11 Likes

We have re-enabled the ACMEv1 API in Staging and Production. The next brownout will begin 2021-01-26.

We won’t necessarily post here for each one. Subscribe to the detailed status updates at https://letsencrypt.status.io if you’d like to be notified.

7 Likes

We have disabled the ACMEv1 API in Staging and Production in line with our ACMEv1 deprecation plans. This brownout will last aproximately 6 hours.

We will update our status page maintenance window and this thread when the brownout is completed.

6 Likes

We have re-enabled the ACMEv1 API in Staging and Production. The next brownout will begin 2021-02-10.

We won’t necessarily post here for each one.

6 Likes

We have disabled the ACMEv1 API in Staging and Production in line with our ACMEv1 deprecation plans. This brownout will last aproximately 24 hours.

We will update our status page maintenance window and this thread when the brownout has been completed.

8 Likes