Nixpkgs: nginx's enableACME fails because of ACMEv1 EOL

Created on 11 Oct 2019 · 5 Comments · Source: NixOS/nixpkgs

When enabling a new ACME site:

{
  "type": "urn:acme:error:unauthorized",
  "detail": "Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.",
  "status": 403
}

I think it would be fixed by an upgrade of simp_le.

To Reproduce
Steps to reproduce the behavior:

  1. add a new acme domain
  2. nixos-rebuild switch

Metadata
Please run nix run nixpkgs.nix-info -c nix-info -m and paste the result.

Maintainer information:

# a list of nixpkgs attributes affected by the problem
attribute: nginx
# a list of nixos modules affected by the problem
module: nginx
bug nixos

All 5 comments

More information here: https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430/3

This actually happened as part of a warning "brownout period" - they'll be disabling v1 account creation in November, and this is a tactic to get people to notice and upgrade. I was hit by this yesterday too. The brownout period should be over later today; you can check status here: https://letsencrypt.status.io

Preferably this upgrade should happen by the 16th (five days from now), and it should really happen before November, as the feature will stop working for all new users and will be really confusing.

New deployments will not be able to create the ACME account or register domains after October 31, or during the October brownout period of 16th-18th.

Anyone with a deployment will be able to provision certificates for new domains until June of 2020 on that same server (using the same ACME "account").

Deployments + domains that have already provisioned a cert should be able to renew until June of 2021.

Yes, bumping simp_le to a version supporting v2 should work.

However, I'm a bit confused about 0.15.1 - this will probably include https://github.com/zenhack/simp_le/commit/cf0f006e0862ceea9e9259bd44a6382864db984f - We should probably wait for that 0.15.1 release (and maybe poke about it).

https://calendar.google.com/calendar/embed?src=letsencrypt.org_caqskun93lgiabjj4ba9cb1rek%40group.calendar.google.com contains the timeline we have for fixing this. We should backport this to 19.09.

Started this migration on #71291.

See https://github.com/NixOS/nixpkgs/pull/71291#issuecomment-543595091 for current status.

Fixed in #71291
