Knowledge Base

Space shortcuts

Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Current »

The Problem

LetsEncrypt is a free SSL provider that you can use to get free SSL certificates for your website and other web services. The older protocol that LetsEncrypt uses to issue SSL certificates - which they call ACMEv1 - is being phased out in favor of the newer ACMEv2 protocol. This is causing some applications that use LetsEncrypt ACMEv1 to create or renew SSL certificates to fail. For Vivio clients, this will mostly affect LetsEncrypt on Virtualmin servers. 

Timeline for LetsEncrypt to phase out ACMEv1

November 2019: LetsEncrypt will stop allowing new account registrations through their ACMEv1 API endpoint. Existing accounts will continue to function normally.

June 2020: Lets encrypt will stop allowing new domains to validate via ACMEv1.

Starting at the beginning of 2021:  LEts encrypt will occasionally disable ACMEv1 issuance and renewal for periods of 24 hours, no more than once per month.  The intention is to induce client errors that might encourage subscribers to update to clients or configurations that use ACMEv2.

June 2021: Lets Encrypt will entirely disable ACMEv1 as a viable way to get a Let’s Encrypt certificate.

The error you get with ACMEv1

The following error is seen when trying to issue a new SSL.

#Error registering: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.

The VirtualMin Fix

If you're using VirtualMin, the fix for this is to replace the old acme_tiny.py file that uses ACMEv1 with a new acme_tiny.py file that uses ACMEv2. The acme_tiny.py file is the script that VirtualMin uses to process LetsEncrypt SSL requests. The location of the acme_tiny.py file depends on the version of Linux that you're using. We'll cover both Ubuntu and CentOS below.

Ubuntu

The following commands back up the current acme_tiny.py file to /root/ and then downloads the new ACME v2 to the correct place. 

mv /usr/share/webmin/webmin/acme_tiny.py /root/acme_tiny.py && wget -O /usr/share/webmin/webmin/acme_tiny.py https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py

Once you run this, you don't need to restart anything. You should be able to re-try the certificate request. If you still have problems, try the "Generic Fix" mentioned below...

CentOS

The following commands back up the current acme_tiny.py file to /root/ and then downloads the new ACME v2 to the correct place. 

mv /usr/libexec/webmin/webmin/acme_tiny.py /root/acme_tiny.py && wget -O /usr/libexec/webmin/webmin/acme_tiny.py https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py

Once you run this, you don't need to restart anything. You should be able to re-try the certificate request. If you still have problems, try the "Generic Fix" mentioned below...

Generic Fix 

If the commands above did not work for you then you will need to locate your existing acme_tiny.py file with the following command. 

find / -name "acme_tiny.py"
Edit this command to make a backup of your existing acme_tiny.py file:
mv /path/to/acme_tiny.py /root/acme_tiny_old.py

Now download the new acme_tiny.py file and put it where you found the original.

wget -O /path/to/acme_tiny.py https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py
That's all there is to it.

Additional Resources:

LetsEncrypt Announces End-of-Life for ACMEv1:

https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430

The original acme_tiny.py script:

https://github.com/diafygi/acme-tiny

Forum post at VirtualMin discussing other possible solutions:

https://www.virtualmin.com/comment/819921

  • No labels