ACME v1 has yesterday been turned off

[bartowl]

What would you like to be added: ACME v2 support

Why is this needed: ACME v1 has entered Brownout phase

according to https://letsencrypt.status.io/ Lets Encrypt starts turning off ACME v1 Support. Only v2 will stay available. With this - no more renewals will be possible, so this issue is kind of critical for all users of openshift-acme

@tnozicka

[bartowl]

here is the link to the End Of Life plan of ACME v1: https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430/3

[tnozicka]

hm, that is unexpected, LE initially stated it will start in November no brown-outs were planned for October when initially announced.

I don't think this accounts for renewals though - is says new registrations, so existing envs and certificates should be fine since they store the account in a secret and reuse it.

I've been initially waiting for Golan acme lib, which we use, to support v2, but I think we will just switch to another one.

We are likely to switch with other structural changes in https://github.com/tnozicka/openshift-acme/pull/92 soon.

[tnozicka]

/priority important-soon

[salimbene]

Hey there. Does this means that for the time beings this app cannot be used to secure new routes?

[sapkra]

Yes. I switched to a wildcard certificate using acme.sh

[tnozicka]

Hey there. Does this means that for the time beings this app cannot be used to secure new routes?

That should apply only to new accounts - means new installations - and only intermittently until Oct 31th. If you have an existing installation you should be able to create new certs.

I have some time allocated for this Fri to move the new version forward so we are ready before they disable registration permanently.

[salimbene]

@tnozicka It is indeed a new installation. Should I keep trying in hope that it will work at any given moment?

[tnozicka]

@tnozicka It is indeed a new installation. Should I keep trying in hope that it will work at any given moment?

there shouldn't be a brownout in this moment. The dates are:

• October 10th to October 11th
• October 16th to October 18th
• October 31st onward and v1 looks green https://letsencrypt.status.io/

[salimbene]

Sorry for the many questions, I'm kinda new about securing routes in openshift and still don't quite understand some things. For the time being, I'm not able to use openshift-acme to secure routes, and I should head to https://letsencrypt.org/ to figure out how to do it. Is this correct? Thanks.

[salimbene]

Yes. I switched to a wildcard certificate using acme.sh

@sapkra Can I use acme.sh if my DNS registrar doesn't have an API?

[sapkra]

I don't know...maybe. But it will not be able to refresh the certificate automatically.

[tnozicka]

For the time being, I'm not able to use openshift-acme to secure routes, and I should head to https://letsencrypt.org/ to figure out how to do it. Is this correct? Thanks.

@msalimbe1 I think you should be able to use it when you register new account (on first use) before the v1 registration shutdown next month - I can't tell why is it not working for you without logs (file a new issue with logs - there is a sreencast how to set it up https://github.com/tnozicka/openshift-acme#screencast)

[tnozicka]

for reference this seems to be a mistake of using staging (instead of live) that is already disabled https://github.com/tnozicka/openshift-acme/issues/106#issuecomment-547832322

[schemen]

Has there been any update regarding the update to ACMEv2?

[tnozicka]

I am in the middle of switching the flow and other changes.

Also (https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430/7)

With input from our community, we have decided to move out the turn-off date for new ACMEv1 registrations to November 8, 2019. As of November 8, all new accounts will need to be created via ACMEv2.

We’re going to use the original date of November 1, 2019 as another 1-day brownout period. We’ll disable new ACMEv1 registrations on November 1, then re-enable them on November 2 before finally turning them off altogether on November 8. Hopefully this will give a little more time to update any implementations that are lagging.

Also to the best of my knowledge this is turning off only account creation so even if we miss to deliver acme V2 support for a few days, the existing installation already having acme v1 account shouldn't be affected.

In November of 2019 we will stop allowing new account registrations through our ACMEv1 API endpoint. Existing accounts will continue to function normally.

In June of 2020 we will stop allowing new domains to validate via ACMEv1.

Starting at the beginning of 2021 we will occasionally disable ACMEv1 issuance and renewal for periods of 24 hours, no more than once per month (OCSP service will not be affected).

Let this be a reminder to backup the acme-account secret :)

[lunika]

Hi,

is there any update on this issue ? It's not possible anymore to create new account as you know, which is critical and I see no activity on PR #92

Thanks.

[tnozicka]

is there any update on this issue ? It's not possible anymore to create new account as you know, which is critical and I see no activity on PR #92

I'm fairly limited on time these days but I have some time pre-allocated for Friday again to push it forward.

(I haven't push the changes yet since I am in the middle of the rewrite and it would just fail the CI.)

Note: existing users are not affected. Apologies to the new users that want to try it out in the interim - just wait a bit, I'll update the thread with progress.

[lunika]

I don't think I can help you but if you think there is some easy thing to do, I can do it if you want, like testing on our infra.

[stevef1uk]

I have just hit this issue: https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 I have set-up OpenShift using https://github.com/neilpang/acme.sh which works fine. I would like to know how I can get deployed services to use LetsEncrypt to get TLS certs and hoped this way would work. Alas not.

[ThoTischner]

Hey we need to wait until the new API support is implemented. You could try to use a different ingress router for your apps like: https://docs.traefik.io/https/acme/

[xrow]

I got also hit by this problem. This there any other real operator (not acme.sh) that works with openshift at the moment? Was someone lucky?

[lunika]

I don't think, we are also looking for an other solution but we found nothing. The workaround we have is to copy/paste an existing account (found in the secret acme-account) in a new openshift project and pray to not reach the rate limit.

[pbergene]

Would love to see support for v2 account creation :)

[bshaik01]

E0102 01:31:33.466790 1 route.go:728] failed to get ACME client: 403 urn:acme:error:unauthorized: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.

Is anyone helping us with this issue, Highly appreciated.

[xrow]

FYI: I was able to get cert-manager v0.10.1 working with dns-01 challange. http-01 was broke.

[hamdikh]

any updates regarding ACMEv2?

[tnozicka]

I am aiming to get back to it at the end of next week, hopefully that will get us closer to an alpha. (You can track progress on https://github.com/tnozicka/openshift-acme/pull/92)

[megian]

any updates?

[tnozicka]

the code in #92 is successfully provisioning certs with acme v2, I need to find a day to update the deployment fixtures, e2e setup and docs

[hamdikh]

Any help needed with the deployment updates ?

[lunika]

Awesome ! Thank you !

[jperville]

Hello @tnozicka , thank you very much for fixing this issue.

Did you release an updated docker image somewhere? On https://hub.docker.com/r/tnozicka/openshift-acme/tags all images are more than 5 month old, so they cannot include this fix.

[lunika]

Hey @jperville images are now hosted on quay.io : https://quay.io/repository/tnozicka/openshift-acme?tag=latest&tab=tags

[jperville]

Thanks @lunika it is not clear just from looking at the README.md that images are now hosted on quay.io . I looked up the kubernetes manifests and indeed they are.

[tnozicka]

yep, they are on quay.io now.

The images are always coupled to the yaml definitions in https://github.com/tnozicka/openshift-acme/tree/master/deploy/cluster-wide and vice versa, although they are usually compatible, so I just assumed people will find it there. I should probably write something about updates/upgrades when there is time.