End of Life Plan for ACMEv1

The original protocol used by Let’s Encrypt for certificate issuance and management is called ACMEv1. In March of 2018 we introduced support for ACMEv2, a newer version of the protocol that matches what was finalized today as RFC 8555. We have been encouraging subscribers to move to the ACMEv2 protocol.

Today we are announcing an end of life plan for ACMEv1.

In November of 2019 we will stop allowing new account registrations through our ACMEv1 API endpoint. Existing accounts will continue to function normally.

In June of 2020 we will stop allowing new domains to validate via ACMEv1.

Starting at the beginning of 2021 we will occasionally disable ACMEv1 issuance and renewal for periods of 24 hours, no more than once per month (OCSP service will not be affected). The intention is to induce client errors that might encourage subscribers to update to clients or configurations that use ACMEv2. Renewal failures should be limited since new domain validations will already be disabled and we recommend renewing certificates 30 days before they expire.

In June of 2021 we will entirely disable ACMEv1 as a viable way to get a Let’s Encrypt certificate.

We would like to remind people reading this about an upcoming change to our ACMEv2 support. Starting in November 2020 we will no longer allow unauthenticated resource GETs when using ACMEv2.

16 Likes
How to change activator
ACME v1 End of Life concern
Action required: Let's Encrypt client problem - acmetool
Important notice to ACME Client developers regarding ACME v1 deprecation
Still receiving "Action required: Let's Encrypt certificate renewals" emails with older version
How to upgrade ACMEv1 to ACMEv2
ACMEv1 to ACMEv2
Ubuntu 14.04 with Certbot version 0.17.0
My Letsencrypt certificate fails to renew randomly
Not able to renew my certs
Synology / Let's Encrypt certificate - Failed to connect to Let's Encrypt. Please make sure the domain is correct
Failed to create certificate order: Failed to begin certificate order
How to upgrade ACMEv1 to ACMEv2 compatibility
Installing Certificates for Let's Encrypt using ACME on Azure
Cannot upgrade from ACMEv1 to ACMEv2 protocol
Certbot debian 8
Acme.sh standalone Ading a secondary subdomain same public ip
Too many flags setting configurators/installers/authenticators 'webroot' -> 'apache'
How could I change Root Directory with command
Paragon Internet Group t/a tsoHost UK - Lets Encrypt NOT Working?
Unexpected error
ACME v1 is still available
Acme v02 upgrade from v01
Acme v02 upgrade from v01
Upgrade letsencrypt from v1.9.11.1 to V2
Vicibox ,letsencrypt and viciphone
How to upgrade ACMEv1 to ACMEv2 compatibility
Https certificate not generating for Namecheap domain
Unable to connect to the remote server
Renovação de certificado ssl
Certbot is down after trying to upgrade using apt-get install --only-upgrade certbot
Troubleshooting a Certbot installation that continues to use ACMEv1
Failure with AuthorizationFailedException in
Expired certificad
Update to API V2 with acmetool
Account creation on ACMEv1 is disabled
Get certificate and renew not working
Issue with the lambda function for cert renewam
The server experienced an internal error :: ACMEv1 Brownout in Progress
Https://acme-v01.api.letsencrypt.org No access
Create certificate on Windows server using ACMEv2
LE64.exe not deleting challenge file
ACME v1/v2: Validating challenges from multiple network vantage points
Error in Requesting a certificate with Virtualmin
ACME v1 End of Life concern due to stale API libaries
Please help mail in box tls renew
Vigor2960 [handle_reg_response] The same ip registered too many times
ACMEv1 question for letsencrypt-express client
Let's Encrypt Failing to Renew
Kube-lego certificates
ACMEv1 deprecation e-mails
Openresty lua fails to renew / re-issue
Let’s Encrypt Expiry Bot
'JWS has no anti-replay nonce' issue on Ubuntu 18.04
Error 403 "type": "urn:acme:error:unauthorized"
How to upgrade ACMEv2 please help?
Certbot 1.2.0 but Acme V1 Errors?
Certbot not working
Azure Let's Encrypt
Kubelego - acme v1 api not working
Certbot debian 8
Certbot debian 8
Certificate renew on old Debian OS
The client lacks sufficient authorization :: Error creating new authz :: Validations for new domains are disabled in the V1 API
Adding domainnames (Alt Domain) with acme.sh
Acme.sh will not issue, says I am using verson 1 when I am using version 2
ACMEv1 renewals EOL
Instruction for other unix not working
Will API V1 be activated today again (June 27th)?
Is it possible to use certbot on fedora 23?
Solution to ACMEv2 Errors since upgrade?
Cannt install letsencrypt for Debian 8
Certificate authority doesn't allow certificate signing
How request www and non-www in one request
What happens if I don't update the certificate?
ACME v1 end of life and subdomains
Update your client software to continue using Let's Encrypt
Acme.sh standalone Ading a secondary subdomain same public ip

In preparation for the production turn down of ACME v1 we are planning to disable new ACME v1 registrations in the staging environment during the following dates of this year.

  • August 6th to August 7th

  • August 13th to August 15th

  • August 27th to Sept 3rd

We will be permanently disabling new ACME v1 registrations in the staging environment on October 1st.

As a reminder in November we will disabling ACME v1 registrations in the production environment as well. Please use these progressively longer staging brown-outs to verify that your organization will not be affected by the start of the production ACME v1 end of life in November. We will announce similar brown-out dates for production in the near future.

We’ve made a public Google calendar with these dates and other scheduled ACME API events that may be helpful to others.

Thanks!

9 Likes

Reminder that tomorrow will be the end of new ACME v1 registrations in the staging environment.

We will be beginning brown-outs for new ACME v1 registrations for the production environment for the following dates of this year:

  • October 10th to October 11th
  • October 16th to October 18th
  • October 31st onward

We will be permanently disabling new ACME v1 registrations in the production environment on October 31st.

The Google calendar of scheduled ACME events will be updated accordingly.

Thanks!

6 Likes

The first of the production brownouts for new ACMEv1 registrations has begun. We won’t necessarily post here for each one. Subscribe to the detailed status updates at https://letsencrypt.status.io if you’d like to be notified.

5 Likes

The second production brownout for new ACMEv1 registrations has begun.

4 Likes

The second production brownout for new ACMEv1 registrations has ended. Please be aware that October 31st onward we will be permanently disabling new ACMEv1 registrations per the End of Life Plan for ACMEv1.

3 Likes

With input from our community, we have decided to move out the turn-off date for new ACMEv1 registrations to November 8, 2019. As of November 8, all new accounts will need to be created via ACMEv2.

We’re going to use the original date of November 1, 2019 as another 1-day brownout period. We’ll disable new ACMEv1 registrations on November 1, then re-enable them on November 2 before finally turning them off altogether on November 8. Hopefully this will give a little more time to update any implementations that are lagging.

As a reminder, you can continue using your same ACMEv1 account ID for ACMEv2 and existing rate limit adjustments will still apply (assuming you have requested and received a rate limit adjustment).

We’ve updated our public Google calendar accordingly. Please subscribe to the API Announcements category for future updates.

5 Likes

As planned, we will be turning off ACMEv1 validations for new domains during the month of June. We will be following the schedule below for disabling new ACMEv1 validations.

  • May 13th: Permanently disable staging new validations.

  • June 1st: Disable production new validations for 24 hours.

  • June 9th: Disable production new validations for 24 hours.

  • June 17th: Disable production new validations for 24 hours.

  • June 24th: Disable production new validations for 72 hours.


  • July 2nd: Permanently disable production new validations.

Please use these progressively longer production brown-outs to verify that your organization will not be affected.

We’ve updated the public Google calendar with these dates and other scheduled ACME API events that may be helpful.

Thanks!

10 Likes

We have disabled staging ACMEv1 validations for new domains.

8 Likes

We have disabled ACMEv1 New Validations in Production. This brownout will last 24 hours. We won’t necessarily post here for each one. Subscribe to the detailed status updates at https://letsencrypt.status.io if you’d like to be notified.

5 Likes

We have ended the brownout earlier than scheduled. ACMEv01 New Validations are now available again in Production.

The next brownout will be June 9th.

3 Likes

We are disabling ACMEv1 New Validations in Production. This brownout will last 24 hours. We won’t necessarily post here for each one. Subscribe to the detailed status updates at https://letsencrypt.status.io if you’d like to be notified.

3 Likes

We are disabling ACMEv1 New Validations in Production. This brownout will last 24 hours. We won’t necessarily post here for each one. Subscribe to the detailed status updates at https://letsencrypt.status.io if you’d like to be notified.

3 Likes

We have permanently disabled ACMEv1 Validations for New Domains in Production.

12 Likes

In preparation for the full shut-off of the ACMEv1 API in June 2021, we will have occasional ACMEv1 issuance and renewal brown-outs each month. The schedule below outlines our plan and our API announcements calendar is updated accordingly.

We previously indicated that these brown-outs would be once a month and not more than 24 hours in length. We feel that schedule won't alert the greatest number of subscribers who use ACMEv1 so we have planned several brown-outs each month of increasing length covering various times of month and days of week. As stated in the original announcement, the intention is to induce client errors that encourage subscribers to update to clients or configurations that use ACMEv2.

Please use these progressively longer brown-outs to verify that your organization will not be affected when we entirely disable ACMEv1 as a viable way to get a Let's Encrypt Certificate.


January

  • Thursday, 14th (6 hours)
  • Tuesday, 26th (6 hours)

February

  • Wednesday, 10th - Thursday, 11th (24 hours)
  • Thursday, 25th - Friday, 26th (24 hours)

March

  • Monday, 15th - Tuesday, 16th (48 hours)
  • Wednesday, 24th - Thursday, 25th (48 hours)

April

  • Tuesday, 6th - Thursday, 8th (72 hours)
  • Friday, 23rd - Sunday, 25th (72 hours)

May

  • Thursday, 6th - Monday 10th (5 days)
  • Tuesday, 18th - Tuesday, 25th (7 days)

June

  • Tuesday, 1st - turn off completely

What about the Staging ACMEv1 API?

The Staging ACMEv1 API will be fully disabled on 26 March 2021. Until that date, it will undergo brownouts on the same schedule as the Production ones above.

17 Likes

We have disabled the ACMEv1 API in Staging and Production in line with our ACMEv1 deprecation plans. This brownout will last aproximately 6 hours.

Will update our status page maintenance window and this thread when the brownout is completed.

Please note, this brownout includes the Staging ACMEv1 API. We realized this endpoint was not listed in our original plans and have decided that Staging brownouts will occur in line with production until the end of March when we will fully disable ACMEv1 in Staging. The previous post has been updated with this information.

10 Likes

We have re-enabled the ACMEv1 API in Staging and Production. The next brownout will begin 2021-01-26.

We won’t necessarily post here for each one. Subscribe to the detailed status updates at https://letsencrypt.status.io if you’d like to be notified.

6 Likes

We have disabled the ACMEv1 API in Staging and Production in line with our ACMEv1 deprecation plans. This brownout will last aproximately 6 hours.

We will update our status page maintenance window and this thread when the brownout is completed.

5 Likes

We have re-enabled the ACMEv1 API in Staging and Production. The next brownout will begin 2021-02-10.

We won’t necessarily post here for each one.

5 Likes

We have disabled the ACMEv1 API in Staging and Production in line with our ACMEv1 deprecation plans. This brownout will last aproximately 24 hours.

We will update our status page maintenance window and this thread when the brownout has been completed.

7 Likes