Let’s upgrade from ACME v1 to v2

Xabi · The Sysadmin · May 25, 2020

Once again, a new email from noreply@letsencrypt.org:

Beginning June 1, 2020, we will stop allowing new domains to validate using
the ACMEv1 protocol. You should upgrade to an ACMEv2 compatible client before
then, or certificate issuance will fail. For most people, simply upgrading to
the latest version of your existing client will suffice. You can view the
client list at: https://letsencrypt.org/docs/client-options/

Did you also receive the above warning in your inbox? You probably generated your Let’s Encrypt certificates a long time ago, using the now-deprecated ACMEv1 protocol.

I tried to fix this issue before by upgrading the Certbot client, but apparently it’s already the newest version (on my Ubuntu Xenial 16.04):

# sudo apt-get install --only-upgrade certbot
Reading package lists... Done
Building dependency tree
Reading state information... Done
certbot is already the newest version (0.31.0-1+ubuntu16.04.1+certbot+1).
0 upgraded, 0 newly installed, 0 to remove and 9 not upgraded.

Sadly, it looks like upgrading to an ACMEv2-compatible client is not enough. You may also need to adapt some old configuration files. I’m surprised I didn’t find clear instructions to fix that, so here is how I solved the issue:

First of all, let’s check if there is any domain using the deprecated acme-v01 server:

sudo grep -R acme-v01 /etc/letsencrypt/renewal

In my case, I saw 4-5 domains using the old server URL:

server = https://acme-v01.api.letsencrypt.org/directory

The easiest way to update all these configuration files is to run the renew command with the --server parameter:

certbot renew --apache --agree-tos --force-renewal --server https://acme-v02.api.letsencrypt.org/directory

The above command will renew all your domains using the ACME-v02 server and it will even update the server URL in the renewal configuration files.
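
To confirm the result after the renewal, the grep check from earlier can be turned into a per-lineage report. This is an added example, not part of the original post; the function names and the sample domains are hypothetical, and the sample renewal files are constructed so the script runs offline:

```shell
#!/usr/bin/env bash
# Added example: report which ACME endpoint each Certbot lineage is pinned to.

# Print "<lineage> <status> <server>" for every *.conf in a renewal directory.
# status: v1 (deprecated), v2, other, or unset (no "server" line in the file).
acme_audit() {
    local dir="${1:-/etc/letsencrypt/renewal}" conf server status
    for conf in "$dir"/*.conf; do
        [ -e "$conf" ] || continue          # directory empty or missing
        # Last uncommented "server = ..." line wins; strip key and whitespace.
        server=$(awk '/^[[:space:]]*server[[:space:]]*=/ {
                     v = $0; sub(/^[^=]*=[[:space:]]*/, "", v)
                     sub(/[[:space:]]+$/, "", v); s = v }
                 END { print s }' "$conf")
        case "$server" in
            "")         status=unset ;;
            *acme-v01*) status=v1 ;;
            *acme-v02*) status=v2 ;;
            *)          status=other ;;
        esac
        printf '%s %s %s\n' "$(basename "$conf" .conf)" "$status" "${server:--}"
    done
}

# Succeed only when no lineage still points at the deprecated endpoint.
acme_v1_free() {
    ! acme_audit "$1" | awk '$2 == "v1" { found = 1 } END { exit !found }'
}

# Constructed sample data (hypothetical domains), so the example runs offline.
make_sample_dir() {
    local d; d=$(mktemp -d)
    printf '%s\n' 'version = 0.31.0' '[renewalparams]' 'authenticator = apache' \
        'server = https://acme-v01.api.letsencrypt.org/directory' > "$d/old.example.conf"
    printf '%s\n' 'version = 0.31.0' '[renewalparams]' 'authenticator = apache' \
        'server = https://acme-v02.api.letsencrypt.org/directory' > "$d/new.example.conf"
    echo "$d"
}

sample=$(make_sample_dir)
acme_audit "$sample"
acme_v1_free "$sample" || echo "lineages still on ACMEv1: rerun the renewal"
rm -rf "$sample"
```

Called without an argument, acme_audit reads /etc/letsencrypt/renewal, which normally requires root.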

I hope it will help you!!
