Email feedback: TLS 1.0/1.1 deprecation and SHA-1 deprecation

Below are a pair of emails we intend to send soon. I'd like to get feedback from the community, as folks here often have ideas how to make things clearer or make sure we include all information.


Subject: Update your software before Sep 15 to avoid certificate expiration (TLS 1.1 deprecation)
Our records show that the software you use to get Let's Encrypt certificates uses TLS 1.0 or TLS 1.1. On September 15, 2022, we will require TLS 1.2 or better for all ACME API connections, and for any validation requests that redirect to HTTPS: https://community.letsencrypt.org/t/rejecting-tls-1-0-1-1-for-inbound-acme-connections/176107

We estimate this change will affect 0.008% of certificate issuances, including yours. Here are your affected hostnames and IP addresses:

<ip address 1>
<ip address 2>

<hostname 1>
<hostname 2>

To fix this problem, most likely you need to update your software to the latest version. In particular you may need to update OpenSSL if your Let's Encrypt client software or your web server supports that. In more unusual cases, you may need to change configuration to enable TLS 1.2 and above.

If you have questions about these changes, please post them here:
https://community.letsencrypt.org/t/questions-about-tls-1-0-1-1-deprecation-for-acme-requests/176106


Subject: Update your software before Sep 15 to avoid certificate expiration (SHA-1 CSR deprecation)

Our records show that the software you use to get Let's Encrypt certificates sends Certificate Signing Requests (CSRs) that use the SHA-1 hash algorithm. SHA-1 has been deprecated by NIST since 2011. Let's Encrypt is now fully removing support for this hash in CSRs, as of September 15, 2022: https://community.letsencrypt.org/t/rejecting-sha-1-csrs-and-validation-using-tls-1-0-1-1-urls/175144.

We estimate that this change will affect 1.18% of certificate issuances, including yours. Here are your affected hostnames and IP addresses:

<ip address 1>
<ip address 2>

<hostname 1>
<hostname 2>

To fix this problem, most likely you need to update your software to the latest version. In particular, if you are using node-acme-client, you need to update to at least version 4.2.4.

If you have questions about these changes, please post them here:


12 Likes
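Two checks a subscriber could run locally before September 15 to see whether the emails above apply to them, written as an added example for this thread (it is not Let's Encrypt or Boulder code, nor anything a poster supplied): one inspects the signatureAlgorithm OID of a DER-encoded PKCS#10 CSR to flag SHA-1, the other builds the client TLS context an ACME client should be using (TLS 1.2 minimum). The DER reader and writer are a deliberately minimal hand-written subset, and the sample CSRs are constructed blobs with placeholder bodies so the check runs offline; on a real request the equivalent check is `openssl req -noout -text -in request.csr` and reading its "Signature Algorithm" line.

```python
"""Pre-flight checks for the two Let's Encrypt changes discussed above:
SHA-1-signed CSRs and ACME connections over TLS < 1.2.
Example code added to this thread; not Let's Encrypt or Boulder code.
The DER helpers cover only what a PKCS#10 outer structure needs, and
constructed_csr() produces a constructed, non-verifying sample request."""
import ssl

# OIDs that can appear in the signatureAlgorithm field of a CertificationRequest.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1", "RSA"),
    "1.2.840.113549.1.1.11": ("sha256", "RSA"),
    "1.2.840.113549.1.1.12": ("sha384", "RSA"),
    "1.2.840.113549.1.1.13": ("sha512", "RSA"),
    "1.2.840.10045.4.1": ("sha1", "ECDSA"),
    "1.2.840.10045.4.3.2": ("sha256", "ECDSA"),
    "1.2.840.10045.4.3.3": ("sha384", "ECDSA"),
}


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value_bytes, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Turn the contents of a DER OBJECT IDENTIFIER into dotted-decimal form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends the base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def csr_signature_algorithm(der):
    """Return (hash, key_type) from a DER CertificationRequest, whose layout is
    SEQUENCE { certificationRequestInfo, signatureAlgorithm, signature }."""
    tag, body, _ = _read_tlv(der, 0)
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, pos = _read_tlv(body, 0)  # skip certificationRequestInfo
    tag, alg, _ = _read_tlv(body, pos)  # signatureAlgorithm: SEQUENCE { OID, params }
    assert tag == 0x30, "signatureAlgorithm is not a SEQUENCE"
    tag, oid, _ = _read_tlv(alg, 0)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return SIG_ALG_OIDS.get(_decode_oid(oid), ("unknown", "unknown"))


def csr_will_be_rejected(der):
    """True if the CSR is signed with SHA-1, which is refused from 2022-09-15."""
    return csr_signature_algorithm(der)[0] == "sha1"


def _tlv(tag, value):
    """Encode one DER TLV (short or long length form)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted):
    """Encode a dotted-decimal OID as DER OBJECT IDENTIFIER contents."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def constructed_csr(sig_oid):
    """Build a CSR-shaped DER blob with placeholder body and signature.
    Constructed for this example only; it would not verify as a real request."""
    info = _tlv(0x30, _tlv(0x02, b"\x00"))  # placeholder certificationRequestInfo
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))  # OID + NULL params
    sig = _tlv(0x03, b"\x00" * 17)  # placeholder BIT STRING (0 unused bits)
    return _tlv(0x30, info + alg + sig)


def acme_client_tls_context():
    """Client-side TLS settings an ACME client should use after the change:
    the default context with TLS 1.0/1.1 refused locally, not just by the server."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11", "1.2.840.10045.4.3.2"):
        h, k = csr_signature_algorithm(constructed_csr(oid))
        verdict = "REJECTED after 2022-09-15" if h == "sha1" else "ok"
        print(f"{oid}: {h} with {k} -> {verdict}")
    print("client minimum TLS:", acme_client_tls_context().minimum_version.name)
```

Both checks are conservative on purpose: an unrecognised OID reports "unknown" rather than "ok", and the TLS context pins the floor on the client side so a misconfigured OpenSSL build fails locally with a clear error instead of a confusing handshake failure against the ACME API.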

can it include a user agent of deprecated client in mail?

11 Likes

I don't suppose you can use the user agent that was submitted to be able to give more specific advice here?

Even telling them in the email what their client's user agent is might be helpful, because there's a good chance that some of the users have no idea what they're running beyond "I installed Let's Encrypt", if even that much.

11 Likes

Although anything is always better than nothing, and this is far from a minimal effort, I am certain that we'll be getting swamped with "I don't know why my certificate renewals are failing".

Note to self: Take a two-month vacation (starting September 15)
LOL

But why? (might you ask)
Because too many people don't update their systems OR can't (shared systems).
Or have no clue which piece(s) needs to be updated.

As for the emails: How many of the affected FQDNs/IPs have a listed email address?

8 Likes

How would one find out how many certificates are in current "circulation"?
:face_with_raised_eyebrow:

7 Likes

Cloudflare runs some stats here:

https://ct.cloudflare.com/

Though it seems to be partially broken at the moment.

8 Likes

I don't know at the moment; that information is generated during our email sending process. But in general the fraction of our subscribers that have a listed email address is quite high.

For the TLS deprecations, yes. For the SHA-1 deprecations, due to how we record the CSR information, it's not easy to pair with User-Agent data.

9 Likes

I think the subject is much too long. Make it shorter and more impactful.

Mailchimp, for one, recommends no more than 9 words and 60 characters for subjects. Partly this is formatting on all devices but also for best open rates. Also, English is not first language for many so a few simple words is best.

Maybe something like:

Update needed for Let's Encrypt certificate (TLS 1.2 required)
Update needed for Let's Encrypt certificate (SHA-1 CSR)

You could even leave off the parenthesized reason, but that might be handy when people post: they'll say "I got the TLS 1.2 required email" (or hopefully they will).

All the details are in the body so the subject is just a teaser to get them to open it.

Closer to Sept 15 you could change the title to be more dramatic, like "Action needed NOW! to keep your Let's Encrypt cert". Or something less corny.

9 Likes

Aggressive email subjects are sometimes perceived as phishing by users (because phishing often uses exactly this language tone). In general I would advise against any kind of threatening language in subjects. The currently proposed subject already contains some imperative language, which isn't great to begin with, but I think it's okay.

8 Likes

...insert credit card number here...

6 Likes