
[Solution] Update your client software to continue using Let's Encrypt




If you use Let's Encrypt with the Certbot client to renew your SSL certificate, you may receive a warning email saying that your client software is obsolete because it uses the old ACMEv1 protocol instead of the new ACMEv2. In that case, you should update Certbot (or whichever alternative client you use).

Here is the kind of email you may receive:


According to our records, the software client you're using to get Let's
Encrypt TLS/SSL certificates issued or renewed at least one HTTPS certificate
in the past two weeks using the ACMEv1 protocol. Here are the details of one
recent ACMEv1 request from each of your account(s):

Client IP address: [Server_IP]

User agent: CertbotACMEClient/0.10.2 (Debian GNU/Linux 8 (jessie)) Authenticator/webroot Installer/None

Hostname(s): "domainname.com"

Request time: 2020-01-01 10:57:40 UTC

Beginning June 1, 2020, we will stop allowing new domains to validate using
the ACMEv1 protocol. You should upgrade to an ACMEv2 compatible client before
then, or certificate issuance will fail. For most people, simply upgrading to
the latest version of your existing client will suffice. You can view the
client list at: https://letsencrypt.org/docs/client-options/

If you're unsure how your certificate is managed, get in touch with the
person who installed the certificate for you. If you don't know who to
contact, please view the help section in our community forum at
https://community.letsencrypt.org/c/help and use the search bar to check if
there's an existing solution for your question. If there isn't, please create
a new topic and fill out the help template.

ACMEv1 API deprecation details can be found in our community forum:
https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1

As a reminder: In the future, Let's Encrypt will be performing multiple
domain validation requests for each domain name when you issue a certificate.
While you're working on migrating to ACMEv2, please check that your system
configuration will not block validation requests made by new Let's Encrypt IP
addresses, or block multiple matching requests. Per our FAQ
(https://letsencrypt.org/docs/faq/), we don't publish a list of IP addresses
we use to validate, and this list may change at any time.

To receive more frequent updates, subscribe to our API Announcements:
https://community.letsencrypt.org/t/about-the-api-announcements-category

Thank you for joining us on our mission to create a more secure and privacy-
respecting Web!

All the best,

Let's Encrypt

Unfortunately, the message itself contains no help or guide. So, what is the solution?

First, make a backup of your server or your website (SQL + FTP files). Then back up /etc/letsencrypt and /etc/apache/.

The easy solution

The easiest solution is to update Certbot. Your Certbot version is too old and it keeps using ACME v1 while the ACME v1 server is already present. In /var/log/letsencrypt/letsencrypt.log, look at the entries for the day the package renewed a certificate to see whether it was indeed using ACME v1 and not ACME v2. In /etc/letsencrypt/accounts/, you should have an acme-staging-v02.api.letsencrypt.org folder containing a symlink (symbolic link) that points to the content of the acme-staging-v01.api.letsencrypt.org folder.

sudo apt update
sudo apt install --only-upgrade certbot

Then:

sudo certbot update_account

or

sudo certbot-auto update_account

You will be asked to enter your email address. If it reports invalid arguments, that simply means your Certbot installation (with its libraries, etc.) is obsolete. You can check in the Certbot help whether update_account is included:

certbot --help all

or

certbot-auto --help all

Otherwise, it will update the content of the accounts folders.

The advanced solution

If update_account didn't work, you have to remove Certbot completely and set it up again with a fresh installation. The latest version of Certbot doesn't use ACME v1 at all, only ACME v2.

sudo apt-get remove certbot

wget https://dl.eff.org/certbot-auto
sudo mv certbot-auto /usr/local/bin/certbot-auto
sudo chown root /usr/local/bin/certbot-auto
sudo chmod 0755 /usr/local/bin/certbot-auto

Source: https://certbot.eff.org/lets-encrypt/debianjessie-apache

Then again:

sudo certbot-auto update_account

In /var/log/letsencrypt/letsencrypt.log, you should now see only the ACME v2 protocol being used to update the email address of your Let's Encrypt accounts. If it doesn't work, first remove (or rename) the server folders inside /etc/letsencrypt/accounts, then repeat the command.
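The log and accounts-folder checks described in the easy solution and again above can be scripted; this is an added example, not part of the original article or of Certbot. The endpoint host patterns, the `server =` line in `renewal/*.conf`, and the sample tree and log lines are assumptions or constructed data, labelled as such in the comments.

```sh
#!/bin/sh
# Added example (not from the article): read-only audit of a Certbot tree for ACMEv1.
# Assumption: ACMEv1 hosts are acme-v01 / acme-staging (the article also writes
# acme-staging-v01); ACMEv2 hosts end in -v02.
V1_RE='acme-(v01|staging(-v01)?)\.api\.letsencrypt\.org'
V2_RE='acme-(staging-)?v02\.api\.letsencrypt\.org'

# Count log lines referencing each protocol's endpoint; prints "v1=N v2=M".
log_protocol_counts() (
  log="${1:-/var/log/letsencrypt/letsencrypt.log}"
  echo "v1=$(grep -Ec "$V1_RE" "$log") v2=$(grep -Ec "$V2_RE" "$log")"
)

# List certificate lineages whose renewal config still pins an ACMEv1 "server =" URL.
v1_lineages() (
  for f in "${1:-/etc/letsencrypt}"/renewal/*.conf; do
    [ -f "$f" ] || continue
    if grep -Eq "^[[:space:]]*server[[:space:]]*=.*$V1_RE" "$f"; then
      basename "$f" .conf
    fi
  done
)

# Report symlinks under accounts/ (a v02 entry pointing at v01 account data).
account_symlinks() (
  cd "${1:-/etc/letsencrypt}/accounts" || exit 1
  for p in * */*; do
    if [ -L "$p" ]; then echo "$p -> $(readlink "$p")"; fi
  done
)

# Constructed sample tree and log lines (not real data); prints the temp dir path.
demo_tree() (
  t=$(mktemp -d); mkdir -p "$t/renewal" "$t/accounts/acme-v01.api.letsencrypt.org"
  ln -s acme-v01.api.letsencrypt.org "$t/accounts/acme-v02.api.letsencrypt.org"
  echo 'server = https://acme-v01.api.letsencrypt.org/directory' > "$t/renewal/old.example.conf"
  echo 'server = https://acme-v02.api.letsencrypt.org/directory' > "$t/renewal/new.example.conf"
  cat > "$t/letsencrypt.log" <<'EOF'
2020-01-01 10:57:40,101:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
2020-01-01 10:57:41,207:DEBUG:acme.client:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-cert:
2020-03-01 09:12:03,044:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
EOF
  echo "$t"
)

t=$(demo_tree)   # swap "$t" for /etc/letsencrypt and the real log on a server
log_protocol_counts "$t/letsencrypt.log"; v1_lineages "$t"; account_symlinks "$t"
rm -rf "$t"
```

A non-zero `v1` count for dates after the upgrade, or any lineage printed by `v1_lineages`, means renewals are still going to the ACMEv1 endpoint.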

The hardcore solution

If nothing worked, the last resort is to upgrade your operating system distribution, then upgrade Certbot. If the problem is still the same, the final option is to use another client from the list available here:

https://letsencrypt.org/docs/client-options/

The most used one after Certbot is certainly acme.sh.












