More graceful handling of Subscriber Agreement changes

The 1.2 update of the Subscriber Agreement struck two words making the change a relaxation of terms. Yet, my acmetool-using cron job failed to renew certs, because I needed to do an interactive run in order to OK the new SA.

I have two suggestions:

  • The ACME spec indicates the server decides if agreeing to the old terms is still good enough. When the term change is a clear relaxation of terms, please make Boulder accept the cert request if it comes with indication of acceptance to the older stricter terms.

  • When sending out an expiration notice email such that the certificate that the notice is about has been obtained under an older SA than the current one, please mention this in the email as a potential explanation of why automatic renewal might have failed.

(The SA change itself seems like a good one. Thank you for that.)

The Let’s Encrypt Subscriber Agreement contains a clause that says you agree to any future changes they may make. Because of this, Let’s Encrypt does not use this feature of the ACME protocol that requires you agree to a new Subscriber Agreement when it is changed.

So the feature you want already exists. :grinning:. But…

And this is a known issue with acmetool. Hopefully they will fix it by the next update to the agreement. :wink:

[edited because I found the bug already existed after posting]

2 Likes

Hi @hsivoen,

As @Patches mentions (Thanks!) this is an issue with acmetool in particular. Subscriber agreement changes have no bearing on existing accounts/renewals from the perspective of Let’s Encrypt, just new accounts. You should not have to do an interactive agreement to renew an existing certificate with an existing account with the agreement URL changes.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.