
Upgrading to use ACME v2 #614

Closed
kylelee24 opened this issue Jan 28, 2020 · 9 comments
Labels
kind/letsencrypt Issue, question or PR regarding Let's Encrypt kind/question Issue that might be transferred to Discussions

Comments

@kylelee24

I recently got an e-mail saying we are still using the ACME v1 protocol and that it would be deprecated by June 1st, 2020. After doing some research it looks like the client (this project) supports ACME v2 however it appears that once the ACME account key is registered, it will continue to use that going forward (made some assumptions from https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion/blob/master/docs/Let's-Encrypt-and-ACME.md).

Looking within my certs directory under certs/accounts/acme-v01.api.letsencrypt.org/directory/default.json, I can see my account is registered with ACME v1. I feel like the solution will be to delete this and restart my containers (or wait) however I couldn't find any details around this so want to be safe (and not lock out my domains).

@polarathene
Contributor

I have deleted the entire certs directory (backed up a copy just in case with rsync -a /location/to/bindmount/volume/directory/certs/ /location/to/backup/directory/certs, which will preserve file permissions and such).

Everything worked (docker-compose pull didn't seem to update this image to the latest, docker pull jrcs/letsencrypt-nginx-proxy-companion did though). I now have an acme-v02.api.letsencrypt.org under certs/accounts/.

@buchdag
Member

buchdag commented Feb 1, 2020

After doing some research it looks like the client (this project) supports ACME v2 however it appears that once the ACME account key is registered, it will continue to use that going forward.

It won't. As soon as you use an image version that supports ACME v2, the switch to an ACME v2 account will be made on the first certificate renewal or issuance.

https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion/blob/82b088353db48f839fe8f63dd9ec6dd9c299c55a/app/letsencrypt_service#L218-L224

As this is done before simp_le execution, it forces simp_le to register a new ACME v2 account.

No need to delete or back up anything. Unless you used a custom account key configuration, the account key being deleted is only a symlink, not the actual ACME v1 account key in /etc/nginx/certs/accounts/.

Reminder: you can force renewal of every certificate with /app/force_renew

@buchdag buchdag added kind/letsencrypt Issue, question or PR regarding Let's Encrypt kind/question Issue that might be transferred to Discussions labels Feb 1, 2020
@rucksman

rucksman commented Feb 3, 2020

Thanks for clarifying. On the other hand: I am on your latest release:
[screenshot]

My certificate was already created with this latest release as can be seen by the date compared to the date of the image in the first screenshot:
[screenshot]

But it looks like it was still created with v1:
[screenshot]
[screenshot]

@buchdag
Member

buchdag commented Feb 3, 2020

@rucksman can you confirm that you only have an account_key.json file or symlink along with your private key / cert / chain in your cert's folder and no account_reg.json file?

@rucksman

rucksman commented Feb 3, 2020

Yes. Both screenshots show the full "ls -la" from both directories.

@rucksman

rucksman commented Feb 3, 2020

Following your hint with forcing the renewal of the certificates, this is what both directories look like after issuing app/force_renew:
[screenshot]
[screenshot]

So there is still no account_key.json or account_reg.json. And the question is: will the next automatic renewal be with v1 or v2?

@rucksman

rucksman commented Feb 3, 2020

Sorry, correction to my last post:

There is an account_key.json and an account_reg.json. They exist in the domain folders and are symlinks to ../accounts/acme-v02.api.letsencrypt.org/directory/default_key.json and ../accounts/acme-v02.api.letsencrypt.org/directory/default_reg.json.

@buchdag
Member

buchdag commented Feb 3, 2020

If those two files exist and are correctly linked to the ACME v2 account, further renewal will be with the ACME v2 account. Are you certain you renewed the certificate on the 15th of January with an ACME v2 compatible version of the container? latest does not mean much in regard to being certain of the version you are using.
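An added example, not code from the companion project or from any participant in this thread, that turns two points made above into a script: buchdag's explanation that the per-domain account_key.json is only a symlink into certs/accounts/ and that removing it makes simp_le register a fresh ACME v2 account, and rucksman's check of where account_key.json and account_reg.json actually point. It assumes the layout visible in the thread: each domain directory under certs/ holds account_key.json and account_reg.json symlinks into ../accounts/<acme endpoint host>/directory/. The sample tree it builds is constructed for the demonstration (dummy JSON, no real key material), and the function and file names are the example's own.

```shell
#!/bin/sh
# Added example: inspect a certs directory laid out like the companion's
# (certs/<domain>/account_key.json -> ../accounts/<acme host>/directory/...)
# and report, per domain, which ACME endpoint the account links point at.
# Function and file names are this example's own, not the project's.

# Classify one domain directory by the target of its account_key.json:
# "v1"/"v2" for the Let's Encrypt ACME v1/v2 endpoints, "custom" when the
# key is a regular file rather than a symlink (user-supplied account key,
# which the container's symlink cleanup does not touch), "missing" when
# there is no account link at all, "unknown" for any other symlink target.
acme_account_version() {
    key="$1/account_key.json"
    if [ ! -e "$key" ] && [ ! -L "$key" ]; then
        echo missing
        return 0
    fi
    if [ ! -L "$key" ]; then
        echo custom
        return 0
    fi
    case "$(readlink "$key")" in
        *acme-v01.api.letsencrypt.org*) echo v1 ;;
        *acme-v02.api.letsencrypt.org*) echo v2 ;;
        *) echo unknown ;;
    esac
}

# Remove only the ACME v1 account symlinks of one domain directory, so the
# next certificate issuance or renewal registers a fresh ACME v2 account.
# The real key material under accounts/ is never touched. Returns 0 when a
# link was removed, 1 when there was nothing to do.
drop_v1_links() {
    removed=1
    for name in account_key.json account_reg.json; do
        link="$1/$name"
        if [ -L "$link" ]; then
            case "$(readlink "$link")" in
                *acme-v01.api.letsencrypt.org*)
                    rm "$link"
                    removed=0
                    ;;
            esac
        fi
    done
    return $removed
}

# Print "<domain> <version>" for every domain directory under the certs root.
report_accounts() {
    for dir in "$1"/*/; do
        dir=${dir%/}
        domain=$(basename "$dir")
        [ "$domain" = accounts ] && continue
        printf '%s %s\n' "$domain" "$(acme_account_version "$dir")"
    done
}

# Build a constructed sample tree (dummy JSON, no real keys) mirroring the
# layout from the thread: one domain still on v1, one already on v2 and one
# using a custom, non-symlinked account key.
make_sample_certs() {
    root="$1"
    for host in acme-v01.api.letsencrypt.org acme-v02.api.letsencrypt.org; do
        mkdir -p "$root/accounts/$host/directory"
        echo '{"sample": true}' > "$root/accounts/$host/directory/default_key.json"
        echo '{"sample": true}' > "$root/accounts/$host/directory/default_reg.json"
    done
    mkdir -p "$root/old.example.com" "$root/new.example.com" "$root/custom.example.com"
    for kind in key reg; do
        ln -s "../accounts/acme-v01.api.letsencrypt.org/directory/default_$kind.json" \
            "$root/old.example.com/account_$kind.json"
        ln -s "../accounts/acme-v02.api.letsencrypt.org/directory/default_$kind.json" \
            "$root/new.example.com/account_$kind.json"
    done
    echo '{"sample": true}' > "$root/custom.example.com/account_key.json"
}

# Usage: sh check_acme_accounts.sh /path/to/certs
# (the file name is this example's own). Without an argument nothing runs.
if [ $# -gt 0 ]; then
    report_accounts "$1"
fi
```

Run it against the bind-mounted certs directory before deleting anything: a domain reported as v1 after a renewal with a current image means the renewal did not go through the symlink-replacement step, which is exactly the "am I really on an ACME v2 capable version" question raised in this thread; a domain reported as custom is one the container's cleanup will not migrate for you.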

@kylelee24
Author

Thank you @buchdag. I didn't realize I was on an older version of the image. After pulling the latest image, rebuilding my containers and running docker-compose exec letsencrypt-nginx-proxy bash and /app/force_renew, it looks like I am using ACMEv2 now.
