Let's Encrypt is in the process of shutting down their ACMEv1 endpoint as described at End of Life Plan for ACMEv1. The vast majority of Certbot users have already transitioned off of ACMEv1 and do not have to do anything; however, if your Certbot install is continuing to use ACMEv1, this post is for you.
Step 1: Ensure you have an updated version of Certbot
The easiest way to do this is to follow the installation instructions at Certbot - Certbot Instructions.
In particular, you want to make sure you have Certbot 1.6.0+ or an OS package that has had the changes from Certbot 1.6.0 backported to it. The following `python3-certbot` packages have backported fixes and can be used instead of Certbot 1.6.0 if desired:
Distribution | Minimum fixed version |
---|---|
Ubuntu 18.04 (Bionic) | 0.27.0-1~ubuntu18.04.2 |
Ubuntu 20.04 (Focal) | 0.40.0-1ubuntu0.1 |
Debian 9 (Stretch) | 0.28.0-1~deb9u3 |
Debian 10 (Buster) | 0.31.0-1+deb10u1 |
Deprecated Certbot PPA | 0.31.0-2~deb10u1+ubuntuXX.04.1+certbot+3 |
If you installed Certbot through one of these sources, make sure your package is up-to-date. You can check your installed version with a command like `dpkg-query -l python3-certbot`.
If you installed Certbot through another source and `certbot --version` outputs a version number older than 1.6.0, you'll need to find a different way to install Certbot. I'd recommend checking out the link above.
Step 2: Make sure you're not explicitly requesting ACMEv1
It is unlikely that many people did this. However, I'm documenting this just in case for completeness. If you're explicitly requesting Certbot use ACMEv1, you need to stop doing that in order for it to switch to ACMEv2.
First, if you have any scripts, cron jobs, systemd services, etc. running Certbot, make sure they are not setting the `--server` command line option.
Second, make sure that the server option is not set in Certbot's configuration files. You can check for this by running the following two commands:
```
grep -l "server.*acme-v01" ${XDG_CONFIG_HOME-~/.config}/letsencrypt/cli.ini 2>/dev/null
sudo sh -c 'grep -l "server.*acme-v01" /etc/letsencrypt/cli.ini ${XDG_CONFIG_HOME-~/.config}/letsencrypt/cli.ini 2>/dev/null'
```
If either command outputs a filename, you should update that file to stop specifying the ACMEv1 server.
Step 3: Ask for help if you continue to use ACMEv1
If after following these steps you continue to receive emails from Let's Encrypt for using ACMEv1 or are being affected by ACMEv1 brownouts, create a new thread to ask for help.
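
The Step 2 checks can be combined into one scan that covers both `cli.ini` files and any script, cron or systemd file that runs Certbot. The following is an added example, not part of the original post or of Certbot: the function names `scan_acmev1` and `write_samples` and the sample files are constructed for illustration. Unlike the `grep -l` commands above, it skips lines that start with `#` or `;`, on the assumption that these are comments in the files being scanned, and it reports the line number of each hit.

```shell
#!/bin/sh
# Added example (not from the original post): report active references to the
# ACMEv1 endpoint, skipping commented-out lines that a plain grep would match.

scan_acmev1() {
    # Prints "file:line:text" per hit. Returns 0 if any hit was found, else 1.
    rc=1
    for f in "$@"; do
        [ -f "$f" ] && [ -r "$f" ] || continue
        if awk '
            /^[ \t]*[#;]/ { next }                        # comment line
            /^[ \t]*server[ \t]*=.*acme-v01/ { m = 1 }    # cli.ini setting
            /--server[ \t=]+[^ \t]*acme-v01/ { m = 1 }    # command-line flag
            m { printf "%s:%d:%s\n", FILENAME, NR, $0; hit = 1; m = 0 }
            END { exit !hit }
        ' "$f"; then
            rc=0
        fi
    done
    return "$rc"
}

write_samples() {
    # Constructed sample files, for demonstration only.
    cat > "$1/cli_v1.ini" <<'EOF'
email = admin@example.com
server = https://acme-v01.api.letsencrypt.org/directory
EOF
    cat > "$1/cli_ok.ini" <<'EOF'
# server = https://acme-v01.api.letsencrypt.org/directory
server = https://acme-v02.api.letsencrypt.org/directory
EOF
    cat > "$1/certbot.cron" <<'EOF'
0 3 * * * root certbot renew -q --server https://acme-v01.api.letsencrypt.org/directory
EOF
}

if [ "$#" -gt 0 ]; then
    scan_acmev1 "$@"            # scan the files named on the command line
else
    tmp=$(mktemp -d) && write_samples "$tmp"
    scan_acmev1 "$tmp"/*        # no arguments: run against the constructed samples
    rm -rf "$tmp"
fi
```

Pass it the files to check, for example `/etc/letsencrypt/cli.ini` and the cron or systemd files that invoke Certbot; any line it prints still requests the ACMEv1 server and should be edited.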