Upgrading win-acme for ACMEv2
By Mike Irving - Published: 3/2/2020

If you recently received an email titled 'Update your client software to continue using Let's Encrypt', there is no need to panic, but you must plan an upgrade.

The email states the scenario simply enough:

"According to our records, the software client you're using to get Let's Encrypt TLS/SSL certificates issued or renewed at least one HTTPS certificate in the past two weeks using the ACMEv1 protocol."

That's the crucial bit: you're still using ACMEv1. The email continues: "Beginning June 1, 2020, we will stop allowing new domains to validate using the ACMEv1 protocol. You should upgrade to an ACMEv2 compatible client before then, or certificate issuance will fail."

So, if you're using win-acme (formerly 'letsencrypt-win-simple'), as championed by me in a previous blog post 'Securing your website', and demoed here in this video, there are a series of steps you must go through in order to upgrade to an ACMEv2 version of the software.

Here are the steps I followed.

Upgrade win-acme 1.9.X to 2.1.0

Download the latest version of win-acme and put the files in a folder on your server, ideally a different folder from your old legacy setup.

Run wacs.exe and select More options... (keyboard shortcut 'O') then Import renewals from LEWS/WACS 1.9.x (keyboard shortcut 'I').

If you then issue the List scheduled renewals (keyboard shortcut 'L') command, they'll all show, but display 'error - imported' (or similar).

Correct the issue with a Renew *all* (keyboard shortcut 'A') call.

Before issue of the first renewal, you'll be prompted to first open, then accept the Terms and Conditions documentation.

Presuming you do this, you'll then be asked for an email address for error and late renewal notifications.

You'll also be asked if you want to create the new Scheduled Task in Windows Task Scheduler, and whether you want to supply a specific Username and Password (Windows Logon) to run this as.

This process might take some time, if you have a lot of domains.

Once it is all done, go into IIS and remove all old certificates that are no longer required, to avoid confusion (new ones are prefixed '[IIS] Site name, domain...')

For peace of mind, you can go into any IIS Website, click Bindings, choose a Host Name, and check that the newer '[IIS]' prefixed version is definitely in use, before deleting the legacy ones.

All worked out for me.

Go into Windows Task Scheduler and delete or disable your old scheduled task, if you had one set up. The new one will be named win-acme renew (acme-v02.api.letsencrypt.org); you may wish to change the time it is set to execute at, and give it a test run.

Delete the folder of files relating to your setup of the legacy software.
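
The binding check and scheduled-task cleanup described above can also be done in one pass from PowerShell. This is an added example, not part of the original post or of win-acme itself; it assumes an elevated session on the IIS server with the WebAdministration and ScheduledTasks modules available, and the 'letsencrypt' task-name match for the legacy task is a guess you should adjust.

```powershell
# Added example: audit HTTPS bindings before deleting legacy certificates.
Import-Module WebAdministration

# 1. One row per HTTPS binding, resolved to the certificate it actually serves.
$report = foreach ($b in Get-WebBinding -Protocol https) {
    # ItemXPath looks like .../site[@name='Default Web Site' and @id='1']
    $site  = if ($b.ItemXPath -match "@name='([^']+)'") { $Matches[1] } else { '(unknown)' }
    # Assumption: fall back to the 'My' store when the binding names none.
    $store = if ($b.certificateStoreName) { $b.certificateStoreName } else { 'My' }
    $thumb = $b.certificateHash   # empty when no certificate is attached
    $cert  = if ($thumb) {
        Get-Item "Cert:\LocalMachine\$store\$thumb" -ErrorAction SilentlyContinue
    }
    [pscustomobject]@{
        Site         = $site
        Binding      = $b.bindingInformation
        Thumbprint   = $thumb
        FriendlyName = $cert.FriendlyName
        NotAfter     = $cert.NotAfter
        # True only when the bound certificate carries the new '[IIS]' prefix.
        NewClient    = [bool]($cert -and $cert.FriendlyName.StartsWith('[IIS]'))
    }
}
$report | Sort-Object NewClient, Site | Format-Table -AutoSize

# 2. Certificates that no HTTPS binding references: candidates for review.
#    Other services (RDP, SMTP, etc.) may still use them, so check before removing.
$inUse = $report.Thumbprint | Where-Object { $_ }
foreach ($s in 'My', 'WebHosting') {
    Get-ChildItem "Cert:\LocalMachine\$s" -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -notin $inUse } |
        Select-Object @{n = 'Store'; e = { $s }}, Thumbprint, FriendlyName, NotAfter
}

# 3. Renewal tasks: the new one plus any legacy task still enabled.
Get-ScheduledTask |
    Where-Object { $_.TaskName -match 'win-acme|letsencrypt' } |
    Select-Object TaskName, State
```

Any row in the first table with NewClient set to False is a site still serving a legacy (or missing) certificate, so leave its old certificate in place until that binding has been renewed.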

