Questions about Renewing before TLS-ALPN-01 Revocations

UPDATE 08 February 2022:

The rate limit adjustments have been reverted to normal conditions. You can read about our rate limits here.


UPDATE 29 January 2022:

We completed the revocation of approximately 2.7 million certificates validated with the TLS-ALPN-01 method. If a subscriber did not renew and replace their certificate before revocation, clients may see warnings and errors. Affected subscribers should continue to renew and replace their certs if they have not done so yet.

We have a status message up to help direct people to this thread.


On 26 January 2022, Let's Encrypt notified subscribers (with a valid contact email) that on 28 January 2022 we will revoke certificates issued in the last 90 days and validated with the TLS-ALPN-01 challenge. This revocation only affects certificates issued and validated with the TLS-ALPN-01 challenge. Not all clients are capable of using this challenge type. Certbot does not support this challenge type, so unless you received an e-mail about this, Certbot users should be unaffected.

This post and thread will collect answers to frequently asked questions about this revocation, and how to avoid problems by renewing affected certificates early. If you're affected, please thoroughly read this thread, and search the community forum, for an answer to your question. If you don't find one, please make a new post in the 'Help' category, filling in the questions in the template that appear as you compose your post. Below, you will find some in-progress threads for certain clients and an F.A.Q. that we will be regularly updating.


Notes and Starting Points for Specific Clients

Caddy
bitnami/bn-cert
autocert
apache mod_md
apache mod_md find affected certs
Traefik
ASP.NET

If you are using certbot, you are not impacted.


Q: How do I know if I'm using an affected certificate?
A: If you received the e-mail then you have an affected certificate. Not all subscribers have contact information so you may still be affected if you did not receive the e-mail. If you successfully issued a certificate validated with the TLS-ALPN-01 before 00:48 UTC on 26 January 2022, then your certificate is affected.

We have generated a downloadable list that maps affected registration ids, serials, and domains. Subscribers can download this list and cross-check the information.

If you did not receive an e-mail, you may find it easiest to get the serial for a domain you control and then cross-check the list. On a Linux/BSD-like system, this command will show you example.com 's current certificate serial number:

openssl s_client -connect example.com:443 -servername example.com \
    -showcerts </dev/null 2>/dev/null | openssl x509 -noout -serial | awk -F'=' '{print $2}'

Replace example.com with your own domain name to see your certificate's serial number. Note that openssl prints the serial as uppercase hex without separators; browsers and the downloadable list may show the same serial with colons or in lowercase, so compare the hex digits rather than the exact string.

You can see an explanation of the list's data and also download it from https://letsencrypt.org/tlsalpnrevocation/


Q: What happens if I do not replace my certificate on time?
A: If you are not able to renew your certificate by January 28th, visitors to your site may see security warnings, depending on their browser/client, until you renew your certificate. Your ACME client documentation should explain how to renew.


Q: Which clients do/do not support TLS-ALPN-01?
A: We know that Caddy, Traefik, apache mod_md, and the go autocert package support TLS-ALPN-01. Certbot does not support this challenge type.


Q: When will the revocation start?
A: We will begin revoking certificates starting at 16:00 UTC on 28 January 2022.


Q: How do I search the affected domains/serials data file?
A: We've built a tool that will allow you to search the data set of affected domains/serials via a website. An update with this information is available at Download affected certificate serials for 2022.01.25 TLS-ALPN-01 Incident - Let's Encrypt.


If you’d like to suggest more questions or corrections for this post, please make a new post to the “Site Feedback” category.

Thank you all very much for your patience, understanding, and help as we work through this issue.

22 Likes
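The FAQ above gives two ways to decide whether a certificate is affected: its serial appears in the downloadable list, or it was validated with TLS-ALPN-01 in the 90 days before the 00:48 UTC 26 January 2022 cutoff. The following is an added example, not Let's Encrypt's tooling and not code from this thread. It assumes the downloaded list can be read as CSV with the columns registration_id, serial and domain (check the real file's layout against the explanation page linked in the FAQ), and it takes the serial and notBefore date in the form `openssl x509 -noout -serial -startdate` prints them. The sample list and dates below are constructed for illustration.

```python
"""Cross-check a served certificate against the TLS-ALPN-01 revocation set.

Added example for this thread; not Let's Encrypt's own tooling.
Assumed list format: CSV with header registration_id,serial,domain.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Cutoff stated in the FAQ: TLS-ALPN-01 certificates validated before this
# instant are affected; certificates issued after it are not.
CUTOFF = datetime(2022, 1, 26, 0, 48, tzinfo=timezone.utc)
# The FAQ says "issued in the last 90 days", i.e. every still-valid certificate.
WINDOW_START = CUTOFF - timedelta(days=90)

# Constructed sample of the assumed list format (not real data).
SAMPLE_LIST = """registration_id,serial,domain
12345,04deadbeef0001,example.com
12345,04deadbeef0001,www.example.com
67890,03cafef00d0002,example.net
"""


def normalize_serial(raw):
    """Reduce a serial printed by openssl ('serial=04AB..'), a browser
    ('04:AB:..') or a list row to lowercase hex without separators or leading
    zeros, so the same serial compares equal whatever the source."""
    s = raw.strip()
    if "=" in s:
        s = s.split("=", 1)[1]
    s = s.replace(":", "").replace(" ", "").lower()
    if s.startswith("0x"):
        s = s[2:]
    if not s or any(c not in "0123456789abcdef" for c in s):
        raise ValueError("not a hex serial: %r" % raw)
    return s.lstrip("0") or "0"


def parse_openssl_date(line):
    """Parse 'notBefore=Jan 26 05:02:55 2022 GMT' as an aware UTC datetime."""
    value = line.split("=", 1)[1].strip()
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def in_affected_window(not_before):
    """True if the issuance time lies inside the revoked issuance window."""
    if not_before.tzinfo is None:
        raise ValueError("not_before must be timezone-aware")
    return WINDOW_START <= not_before < CUTOFF


def load_affected(csv_text):
    """Index list rows by normalized serial -> [(registration_id, domain), ...]."""
    index = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = normalize_serial(row["serial"])
        index.setdefault(key, []).append((row["registration_id"], row["domain"]))
    return index


def check_certificate(serial, not_before, affected):
    """Classify one served certificate by list membership, then by date."""
    if normalize_serial(serial) in affected:
        return "AFFECTED: serial is in the list; renew and reload your server now"
    if in_affected_window(not_before):
        return ("UNLISTED: issued inside the window; confirm which challenge "
                "your ACME client used, or simply force a renewal")
    return "NOT AFFECTED: issued after the cutoff or already expired"


if __name__ == "__main__":
    affected = load_affected(SAMPLE_LIST)
    # Values as produced by: openssl x509 -noout -serial -startdate
    print(check_certificate("serial=04DEADBEEF0001",
                            parse_openssl_date("notBefore=Jan 20 10:00:00 2022 GMT"),
                            affected))
    print(check_certificate("serial=0ABCDEF",
                            parse_openssl_date("notBefore=Jan 26 05:02:55 2022 GMT"),
                            affected))
```

The date check mirrors the staff answer later in the thread: a certificate whose notBefore is 05:02 UTC on 26 January is after the cutoff and survives, while one issued a week earlier does not. Membership in the list is decisive; the date alone only tells you whether the certificate could have been affected, since the list is keyed on the TLS-ALPN-01 validation the account performed, not on the date.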

A post was split to a new topic: Early renewal with autocert

Is there a way to look up what certificate IDs or domain names are going to be revoked? The email only included my account ID, which isn't actually helpful at all for me to look up what was affected.

5 Likes

For complete noobs like me, it would be helpful to have the method of how to check if this is your certificate/where to find out if this is true for you. I've looked at a few things and still not sure...

UPDATE: Okay, I used Firefox to go to my site, click the padlock and go to more information and it shows this: [screenshot of the TLS version]

Making me think that the TLS version is higher/newer therefore my site should be ok? But I'm still not sure lol

2 Likes

I got the email. But how do I know my certificate is issued with TLS-ALPN-01 validation method?

3 Likes

5 posts were split to a new topic: Early Renewal Traefix

Unfortunately, we cannot provide that information at this time. Some accounts have too many domains or serials to list in an email.

Depending on your ACME client, you might review the configuration file to see which domains are utilizing which challenge types and which account. All successful issuances in the last 90 days with the TLS-ALPN-01 challenge are affected and will be revoked. If you only use that challenge, you should force renew all of your certificates. If you only use that challenge for some domains but are having trouble determining which ones based on the account, it is safe to force renew all your certificates.

Please keep in mind if you are representing a large integration with tens of thousands (or more) certificates to renew certificates at a reasonable pace, ideally spread over the course of hours.

3 Likes

Exactly my problem

If you received an e-mail, then your account successfully issued a certificate in the last 90 days with the TLS-ALPN-01 challenge. All certificates issued in the last 90 days validated with TLS-ALPN-01 are affected and will be revoked. You should renew the certificates for the account that was listed in the e-mail notification.

2 Likes

2 posts were split to a new topic: Force renew for bncert (bitnami)

Thanks. Will go find a forum on how to force renew certs.

3 Likes

Is there a threshold timestamp such that certificates issued before that will get revoked ?

I just renewed my certificates using the tls-alpn-01 method a few minutes ago, and the validity (times are in UTC) reads as follows:

        Validity
            Not Before: Jan 26 05:02:55 2022 GMT
            Not After : Apr 26 05:02:54 2022 GMT

Could Let's Encrypt staff confirm that the above certificate will survive?

Thanks!

3 Likes

For anyone using apache mod_md.

Simply add/change the minimum date. By default I believe it's 10% or 30 days. Honestly I can't remember.

MDRenewWindow 21d

For me I simply changed 21 to 60 and restarted the apache service. I got a new certificate within a minute or two automatically.

Your apache installation will possibly be different as I run my server on FreeBSD I added the setting to:

/usr/local/etc/apache/httpd.conf

If you have issues with mod_md change your error logging to something higher like debug and look into your log file for issues regarding mod_md.

LogLevel debug

The following is where the log file is placed by default, but you can change this in the apache config file.

/var/log/httpd-error.log

Again this is for FreeBSD installs so locations of files and names might be different.

Hopefully someone finds this useful.

5 Likes

A post was merged into an existing topic: Force renew for bncert (bitnami)

I do not have the exact time on-hand but Let's Encrypt fixed and re-enabled the TLS-ALPN-01 challenge around 00:48 UTC on 26 January 2022. All certificates issued/renewed and validated with the TLS-ALPN-01 challenge after that time are not affected. Our full incident report will include the specific times and I will try to update the top post with that information.

If you renewed minutes ago, then your renewed certificates will not be affected by the revocations on 28 January 2022. Please make sure you also install the certificate, likely by reloading your webserver, and confirm you are serving the latest certificate.

(edited the time)

4 Likes

PSA: Anyone using Caddy v2.4.2 or newer (June 12, 2021) (or CertMagic v0.14 or newer) will most likely not have to take any action.

Caddy will automatically detect the revocation thanks to its automatic OCSP stapling and replace the certificate for you. (We have prior production experience with this.)

15 Likes

[Amazon Lightsail on Bitnami/Apache - Auto-Renew Script + Cronjob]
Ok, I remembered creating a script to renew my certificates (bitnami/apache server). I created a script here, so I edited it and changed this script (which is run daily by a cron job to check if the certs need renewing yet):

sudo nano /opt/bitnami/letsencrypt/scripts/renew-certificate.sh

I changed the number of days to renew in this script to 1. [Edit: 61 should do it... longer than 60 (previous expiry days) was needed]

I'm 50% confident that my certificates should now auto-renew before 28th Jan. Not sure if there's an even quicker way to force auto-renew.

This is what the line of code looked like for my auto-renew if you have similar:

sudo /opt/bitnami/letsencrypt/lego --tls --email="My Email is Here.com" --domains="firstDomainName.com" --domains="secondDomainName" --path="/opt/bitnami/letsencrypt" renew --days 61

I also changed my cronjob that runs at a certain day and time...[Edit: Not needed! Just manually run the script above lol! I'm so rubbish at this...]

I'm also struggling to reply to the right people/posts - keeps replying to Jillian regardless, what am I doing? :crazy_face:

4 Likes

A post was merged into an existing topic: Early renewal for bncert (bitnami)

I'm pretty new to all this, but I'm guessing when they revoke the cert, you won't have a cert until it's renewed again.

I'm using Lightsail and Bitnami on Apache too... do you have an autorenew script?