Mattermost, Inc.

Need LetsEncrypt ACMEv2 support?

Summary

LetsEncrypt Certificate Generation not working for new domains due to ACMEv1 deprecation

Steps to reproduce

Install community version 5.16.3 (Nov 6, 2019) on current Ubuntu 18.04 LTS.
Follow instructions as in https://docs.mattermost.com/install/install-ubuntu-1804.html
When you get to “configuring-tls-on-mattermost-server”, step 3, choose the LetsEncrypt option.
Attempt to connect from an external client. Connection fails with TLS error.
Inspect /var/log/syslog, find this error:
Nov 10 19:50:40 myhostname-redacted mattermost[12338]: {"level":"error","ts":1573415440.8929782,"caller":"http/server.go:3010","msg":"http: TLS handshake error from 46.101.216.34:40316: 403 urn:acme:error:unauthorized: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.","source":"httpserver"}

Expected behavior

I expected that my client would try to connect, triggering a successful letsencrypt cert generation for my hostname, and stuff would work.

Observed behavior

See syslog error, above.

So I read the linked page and apparently NEW ACCOUNTS (i.e. new domains) are not allowed to use the ACMEv1 protocol as of November 1, 2019 (6 days before the release) - so existing mattermost users using letsencrypt are still grandfathered in for another year, but if you try to deploy to a new host/domainname, you must use ACMEv2 protocol, apparently.

Relevant quote:

Today we are announcing an end of life plan for ACMEv1.

In November of 2019 we will stop allowing new account registrations through our ACMEv1 API endpoint. Existing accounts will continue to function normally.

In June of 2020 we will stop allowing new domains to validate via ACMEv1.
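
An added example, not part of the original report and not Mattermost code: a Python scan of syslog text for the failure described above, where a TLS handshake error carries an ACME problem document. The sample lines are constructed from the log entry quoted in the report; the hostname `mm-host`, the three extra lines, and the function name `acme_failures` are assumptions.

```python
import json
import re

# Constructed sample: line 1 mirrors the entry quoted in the report, the rest are made up.
SAMPLE_SYSLOG = """\
Nov 10 19:50:40 mm-host mattermost[12338]: {"level":"error","ts":1573415440.89,"caller":"http/server.go:3010","msg":"http: TLS handshake error from 46.101.216.34:40316: 403 urn:acme:error:unauthorized: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555.","source":"httpserver"}
Nov 10 19:51:02 mm-host mattermost[12338]: {"level":"info","ts":1573415462.10,"caller":"app/server.go:1","msg":"Server is listening on :443"}
Nov 10 19:51:30 mm-host mattermost[12338]: {"level":"error","ts":1573415490.55,"caller":"http/server.go:3010","msg":"http: TLS handshake error from 192.0.2.7:51000: EOF","source":"httpserver"}
Nov 10 19:52:00 mm-host CRON[999]: (root) CMD (true)
"""

ENTRY = re.compile(r"^(?P<when>\w{3}\s+\d+ [\d:]{8}) \S+ mattermost\[\d+\]: (?P<json>\{.*\})\s*$")
HANDSHAKE = re.compile(r"TLS handshake error from (?P<peer>\S+): (?P<detail>.*)")
# Matches both the ACMEv1-era URN seen in the report and the RFC 8555 namespace.
ACME = re.compile(r"(?P<status>\d{3}) (?P<urn>urn:(?:ietf:params:)?acme:error:\w+): (?P<text>.*)")
# Log lines pasted through forum software often arrive with curled quotes.
STRAIGHT = str.maketrans("\u201c\u201d", '""')


def acme_failures(text):
    """Return one dict per Mattermost TLS handshake error caused by an ACME problem."""
    findings = []
    for line in text.splitlines():
        entry = ENTRY.match(line.translate(STRAIGHT))
        if not entry:
            continue  # not a Mattermost JSON log line
        try:
            record = json.loads(entry["json"])
        except ValueError:
            continue  # truncated or malformed payload
        shake = HANDSHAKE.search(str(record.get("msg", "")))
        acme = shake and ACME.match(shake["detail"])
        if not acme:
            continue  # ordinary handshake noise (EOF, resets, scanners)
        findings.append({
            "when": entry["when"],
            "peer": shake["peer"],
            "status": int(acme["status"]),
            "problem": acme["urn"],
            "acmev1_rejected": "ACMEv1" in acme["text"],
        })
    return findings


if __name__ == "__main__":
    for finding in acme_failures(SAMPLE_SYSLOG):
        print(finding)
```

Filtering on the ACME URN rather than on "TLS handshake error" alone separates certificate-issuance failures from routine handshake noise such as the `EOF` line in the sample.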