Rejecting TLS 1.0 / 1.1 for inbound ACME connections

On September 15, 2022, we will require TLS 1.2 or better for all ACME API connections. This is in addition to the requirement we recently announced for TLS 1.2 or better during validations (that is, for outbound connections from our servers).

We estimate this change will affect 0.008% of certificate issuances. We'll send out emails to affected users who have provided an email address.

If you have questions about these changes, please post them in this forum thread to get support from the Let’s Encrypt community and staff.


Our Staging environment now reflects this change and can be used for testing applicable updates to your client. If you attempt to connect to with TLS 1.0 or 1.1 you will get the following message:

  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "upgrade your ACME client to support TLSv1.2 or better",
  "status": 400