On September 15, 2022, we will require TLS 1.2 or better for all ACME API connections. This is in addition to the requirement we recently announced for TLS 1.2 or better during validations (that is, for outbound connections from our servers).
We estimate this change will affect 0.008% of certificate issuances. We'll send out emails to affected users who have provided an email address.
If you have questions about these changes, please post them in this forum thread to get support from the Let’s Encrypt community and staff.
Our Staging environment now reflects this change and can be used for testing applicable updates to your client. If you attempt to connect to https://acme-staging-v02.api.letsencrypt.org with TLS 1.0 or 1.1 you will get the following message:
{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "upgrade your ACME client to support TLSv1.2 or better",
  "status": 400
}
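As an added example (not Let's Encrypt's code and not part of any ACME client), the following Python snippet shows the client side of the check the post invites: it builds a TLS context that will not negotiate anything below TLS 1.2, recognizes the problem document quoted above so a client can log an actionable message instead of a bare 400, and can optionally connect to the staging host to report the protocol version actually negotiated. The function names are my own; the hostname and the JSON body are taken from the post.

```python
"""Added example: verify an ACME client meets the TLS 1.2+ floor that
Let's Encrypt enforces on API connections.

make_acme_context()   -- client SSLContext that refuses TLS < 1.2
classify_acme_error() -- recognise the problem document the API returns
                         to a legacy-TLS client (body taken from the post)
probe_tls()           -- optional live check of the negotiated version
"""
import json
import socket
import ssl

# Staging endpoint named in the announcement; the production host is the
# same name with "-staging" removed.
ACME_STAGING_HOST = "acme-staging-v02.api.letsencrypt.org"

# Constructed sample: the problem document quoted in the announcement.
SAMPLE_LEGACY_TLS_RESPONSE = """{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "upgrade your ACME client to support TLSv1.2 or better",
  "status": 400
}"""


def make_acme_context() -> ssl.SSLContext:
    """Client context for the ACME API: certificate and hostname
    verification on (the default), and nothing older than TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def minimum_tls_name() -> str:
    """Name of the lowest protocol version the context will negotiate."""
    return make_acme_context().minimum_version.name


def classify_acme_error(body: str) -> str:
    """Map an ACME response body to one of:
    'legacy_tls'  - the server says our TLS version is too old
    'acme_error'  - some other RFC 8555 problem document
    'ok'          - not a problem document (e.g. an order or account object)
    'unparseable' - not JSON at all (failed handshake, proxy page, ...)
    """
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return "unparseable"
    if not isinstance(doc, dict):
        return "ok"
    err_type = str(doc.get("type", ""))
    if not err_type.startswith("urn:ietf:params:acme:error:"):
        return "ok"
    detail = str(doc.get("detail", ""))
    if err_type.endswith(":malformed") and "TLSv1.2" in detail:
        return "legacy_tls"
    return "acme_error"


def probe_tls(host: str = ACME_STAGING_HOST, port: int = 443,
              timeout: float = 10.0) -> str:
    """Open a TLS connection with the hardened context and return the
    negotiated protocol name (e.g. 'TLSv1.3'). Needs network access."""
    ctx = make_acme_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    print("context floor:", minimum_tls_name())
    print("sample body classified as:",
          classify_acme_error(SAMPLE_LEGACY_TLS_RESPONSE))
    try:
        print("negotiated with staging:", probe_tls())
    except OSError as exc:  # no network, or the handshake itself failed
        print("probe failed:", exc)
```

Run it as a script to see the floor, the classification of the quoted body, and (with network access) the version negotiated against staging. If your client library builds its own context, the part worth copying is the `minimum_version` line: a client that still offers TLS 1.0 or 1.1 will be rejected, and once those versions are turned off entirely the failure moves from a readable JSON body to a handshake error.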
This change is now complete in our production environment. If you attempt to connect to the Let's Encrypt API with TLS 1.0 or 1.1, you will get the following message:
{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "upgrade your ACME client to support TLSv1.2 or better",
  "status": 400
}
In 2022, we started returning an error message to TLS 1.0 and 1.1 requests. We will now stop supporting TLS 1.0 and 1.1 entirely, so clients will get a more obscure error. For example, clients using OpenSSL may get an error like "SSL routines::no protocols available".
This change has been made in staging already, and will be made in production tomorrow.
We expect this to have no impact, as these old TLS protocols are already unsupported.