Questions about Renewing before TLS-ALPN-01 Revocations

I agree with the sentiment shared by many of the posts here, there needs to be a way to determine which domain name(s) are affected. The best I've found so far is to check each host where I'm using certbot for the account number:

sudo find /etc/letsencrypt/ -name regr.json -exec cat {} \; | jq .uri
1 Like
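As an added example (not from any poster in this thread), here is a script that performs the same regr.json lookup in Python and intersects the account ids it finds with the ids quoted in the notification e-mail; the directory layout and account ids in the fixture are constructed placeholders, not real accounts.

```python
import json
import os
import tempfile
from urllib.parse import urlparse


def account_ids(letsencrypt_dir):
    """Return {account_id: acme_host} for every regr.json under letsencrypt_dir.

    Equivalent to `find /etc/letsencrypt -name regr.json | jq .uri`: certbot stores
    the account URL under "uri", and its last path segment is the numeric id that
    appears in the notification e-mail.
    """
    found = {}
    for dirpath, _dirs, files in os.walk(letsencrypt_dir):
        if "regr.json" not in files:
            continue
        with open(os.path.join(dirpath, "regr.json")) as fh:
            uri = json.load(fh).get("uri", "")
        parsed = urlparse(uri)
        acct_id = parsed.path.rstrip("/").rsplit("/", 1)[-1]
        if acct_id:
            found[acct_id] = parsed.hostname
    return found


def affected_accounts(letsencrypt_dir, ids_from_email):
    """Local account ids that also appear in the e-mail's list (sorted)."""
    wanted = set(ids_from_email)
    return sorted(i for i in account_ids(letsencrypt_dir) if i in wanted)


def build_fixture():
    """Constructed sample tree: one production and one staging account (fake ids)."""
    root = tempfile.mkdtemp()
    samples = {
        "accounts/acme-v02.api.letsencrypt.org/directory/aaaa":
            "https://acme-v02.api.letsencrypt.org/acme/acct/1111111",
        "accounts/acme-staging-v02.api.letsencrypt.org/directory/bbbb":
            "https://acme-staging-v02.api.letsencrypt.org/acme/acct/2222222",
    }
    for subdir, uri in samples.items():
        path = os.path.join(root, subdir)
        os.makedirs(path)
        with open(os.path.join(path, "regr.json"), "w") as fh:
            json.dump({"body": {}, "uri": uri}, fh)
    return root


if __name__ == "__main__":
    # Placeholder ids standing in for the ones quoted in your e-mail.
    print(affected_accounts(build_fixture(), ["1111111", "9999999"]))
```

On a real host, point `affected_accounts` at `/etc/letsencrypt` and pass the ids from the e-mail; staging accounts show up with the `acme-staging-v02` host and can be ignored.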

So certbot was all I'd used, and I got an email with 3 accounts in it. I'm gtg already?

I have updated the top post of this thread with clearer information and started an F.A.Q.

4 Likes

Well, that's a little bit strange. As far as I know, the email about the revocation of certificates issued with the tls-alpn-01 challenge is only sent to accounts which have issued certs with that specific challenge recently (as @jillian can probably confirm). And Certbot, out of the box, cannot provide that challenge type. So I don't understand why you, using Certbot as the ACME client, would receive that email notice? Do you perhaps have other ACME clients in use?

4 Likes

Adding on to what @Osiris said, did your email describe the TLS-ALPN-01 problem or was it just about expiring certificate(s)?

3 Likes

A post was split to a new topic: Early renewal for Caddy v1.04

What about the Crypt-LE client and TLS-ALPN-01?

I'll have to look into how to associate certs made with that with my email, since it would be nice to receive notifications about things like this. I didn't know that was possible.

not for me - I'm call CapRover - BUT as I'm typing I did have a previous Digital Ocean Droplet that I used DO's SSL. That might be the case for me.

That client doesn't seem to support TLS auth. It just looks like support for it was stubbed out. Are you sure you used TLS-ALPN-01? Perhaps there is a plugin.

Your email should have been bound to your account when you registered. There is an option on your client to set the account email. Alternately, you can use another client and use the contact-details endpoint with your active key(s) from crypt-le.

4 Likes

I'm not familiar with "CapRover" nor what you meant exactly, but I quoted you about the use of Certbot based on your command:

..earlier which seems to indicate you were using Certbot.

2 Likes

@jvanasco The email registration was an oversight, but I see that there's a way to update it after the fact.

On the TLS question, no, I'm unaware of what it uses in regard to that (I just have le64.exe). I did see mention of TLS-ALPN-01 specifically in a log that someone posted in their forum from three years ago, though. The client has been updated several times since but release notes don't mention it. You saw that it was stubbed out?

Update: Looked in the posted csv. Not affected.

Just adding to what @Osiris noted: TLS-ALPN-01 is an authentication type that can only happen within a specialized webserver that supports this protocol itself. It's often used by large scale web companies on their gateways, and aggressively forward thinking engineers and web companies.

It is not easy to set up. There are a handful of webservers and web libraries that handle this (e.g. caddy, go), and there are some webserver plugins that can handle this (e.g. apache's mod_md, nginx has a few). Some of the more popular commandline tools can spin up a compliant server (e.g. acme.sh, dehydrated). Certbot does not support the TLS-ALPN-01 challenge type itself.

Generally speaking, TLS-ALPN-01 is only used by people who know what it is and purposefully sought it out. I would find it odd if someone learned they somehow had a TLS-ALPN-01 certificate through this revocation. You have to be pretty familiar with TLS-ALPN-01 and often invest a lot of energy into specialized work to utilize it.

5 Likes

Perfect. Thank you for the confirmation.

2 Likes

The F.A.Q. in the first post is updated to include more information about how to check if you are affected and what certificates are affected per id that was received in the e-mail.

8 Likes

Hi Jillian! We are using a Fortinet firewall with automatically-renewing certs thru LE. I'm not seeing much on the process, so we've reached out to our vendor to see if they have a manual renewal process. Can you help on this one?

@gorillabiscuit
Does FortiOS use TLS-ALPN-01?
[I would not think so]

1 Like

Greetings. I know that all of my certs were issued as tls-alpn-01. So, I figure I should be able to generate new ones.

What I've found is that the test server is working ok. When I attempt to create a cert with the production server, I am told that tls-alpn isn't supported:

The supported validation types are: http-01 dns-01 , but you specified: tls-alpn-01

I'm using acme.sh.

Is this an issue with the service, or am I seeing something with the tool? IOW, is there a change to the tool needed to deal with the change being made?

This does seem to be a bug in acme.sh: The supported validation types are: http-01 dns-01 , but you specified: tls-alpn-01 · Issue #3910 · acmesh-official/acme.sh · GitHub

3 Likes

Yes, there it is. Cool. Thanks.

1 Like

...actually, the bug report claims that it is Let's Encrypt that has disabled the method.

How can we determine which side is not behaving?