Please update to latest 19.09 if using Letsencrypt

arianvp · October 30, 2019, 10:48am

Hey all,

Letsencrypt is shutting down their V1 API for registrations tomorrow. (End of Life Plan for ACMEv1 - API Announcements - Let's Encrypt Community Support). Unfortunately, we shipped 19.09 without V2 API support. This means any new certificate creations with the current NixOS modules will fail from tomorrow own.

Luckily, we just backported a fix (Backporting ACME v2 fix (#71291) to 19.09 by picnoir · Pull Request #71953 · NixOS/nixpkgs · GitHub). Please update your channel avoid any service disruptions.

If you have any questions about this topic, let me know!
Cheers!

azazel75 · October 30, 2019, 2:55pm

I need to backport this to 19.03

arianvp · October 30, 2019, 5:14pm

I would advice updating to 19.09 asap, as 19.03 is not receiving any updates anymore.

Backporting the patch itself going to be problematic as we refactored the ACME module to solve outstanding bugs that were present in the 19.03 release. (Like nixos/acme: nginx configuration test fails during nixos-rebuild switch when you have an existing virtualhost and add a new one · Issue #60180 · NixOS/nixpkgs · GitHub).

So if you’re going to backport, make sure you backport Fix letsencrypt by arianvp · Pull Request #60219 · NixOS/nixpkgs · GitHub too

JohnAZoidberg · October 30, 2019, 10:24pm

19.03 is still receiving security fixes and repairs of broken things of which this would be one.

flokli · October 31, 2019, 12:00am

The backport is non-trivial, and NixOS 19.03 is supported until the end of October.

https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430/7 says account creations will still be possible until around November 8 (affecting newly added domains), and renewals over the old API (affecting existing domain’s renewals) should still supported until June 2020. So this doesn’t break anything in 19.03 during its support window - I’d recommend upgrading to 19.09 anyways

worldofpeace · October 31, 2019, 12:49am

Right, we’re just strongly suggesting. And November 1st is how many days from now…

aanderse · October 31, 2019, 10:14am

If you really can’t upgrade and a backport isn’t going to happen you might be stuck switching to an imperative certbot command. Not ideal, but sometimes that’s what happens in a pinch. Good luck!

azazel75 · October 31, 2019, 5:18pm

Yes, yes, I’m upgrading… or trying to but for a server 6 months are almost nothing… I’ll hope one day we’ll have the resources for LTS