Questions about Renewing before TLS-ALPN-01 Revocations

Exactly my problem

If you received an e-mail, then your account successfully issued a certificate in the last 90 days with the TLS-ALPN-01 challenge. All certificates issued in the last 90 days that were validated with TLS-ALPN-01 are affected and will be revoked. You should renew the certificates for the account that was listed in the e-mail notification.

3 Likes

2 posts were split to a new topic: Force renew for bncert (bitnami)

Thanks. Will go find a forum on how to force renew certs.

3 Likes

Is there a threshold timestamp such that certificates issued before that will get revoked?

I just renewed my certificates using the tls-alpn-01 method a few minutes ago, and the validity (times are in UTC) reads as follows:

        Validity
            Not Before: Jan 26 05:02:55 2022 GMT
            Not After : Apr 26 05:02:54 2022 GMT

Could Let's Encrypt staff confirm that the above certificate will survive?

Thanks!

3 Likes

For anyone using apache mod_md.

Simply add/change the minimum date. By default I believe it's 10% or 30 days. Honestly I can't remember.

MDRenewWindow 21d

For me I simply changed 21 to 60 and restarted the apache service. I got a new certificate within a minute or two automatically.

Your apache installation will possibly be different, as I run my server on FreeBSD. I added the setting to:

/usr/local/etc/apache/httpd.conf

If you have issues with mod_md change your error logging to something higher like debug and look into your log file for issues regarding mod_md.

LogLevel debug

The following is where the log file is placed by default, but you can change this in the apache config file.

/var/log/httpd-error.log

Again this is for FreeBSD installs so locations of files and names might be different.

Hopefully someone finds this useful.

5 Likes

A post was merged into an existing topic: Force renew for bncert (bitnami)

I do not have the exact time on-hand but Let’s Encrypt fixed and re-enabled the TLS-ALPN-01 challenge around 00:48 UTC on 26 January 2022. All certificates issued/renewed and validated with the TLS-ALPN-01 challenge after that time are not affected. Our full incident will include the specific times and I will try to update the top post with that information.

If you renewed minutes ago, then your renewed certificates will not be affected by the revocations on 28 January 2022. Please make sure you also install the certificate, likely by reloading your web server, and confirm that you are serving the latest certificate.

(edited the time)

5 Likes
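As an added example (not from this thread and not Let's Encrypt's own tooling), a small Python check that parses the notBefore date out of the openssl output quoted above and compares it with the cutoff the staff reply gives. The cutoff constant and the sample inputs are constructed from the thread's own numbers.

```python
"""Check whether a certificate's notBefore predates the TLS-ALPN-01 fix.

Constructed example for this thread, not Let's Encrypt's own tooling.
Cutoff: the staff reply says the challenge was fixed around 00:48 UTC on
26 January 2022; TLS-ALPN-01 certificates issued before that are revoked
on 28 January 2022.  Input is the text printed by
`openssl x509 -noout -dates` or `openssl x509 -noout -text`.
"""
import re
from datetime import datetime, timezone

# Cutoff as stated in the thread ("around 00:48 UTC"), so treat it as approximate.
TLS_ALPN_FIX_UTC = datetime(2022, 1, 26, 0, 48, tzinfo=timezone.utc)

# Matches both "Not Before: Jan 26 05:02:55 2022 GMT" (-text) and
# "notBefore=Jan 26 05:02:55 2022 GMT" (-dates).
_NOT_BEFORE = re.compile(r"not\s*before\s*[:=]\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE)


def parse_not_before(openssl_text: str) -> datetime:
    """Return the certificate's notBefore as an aware UTC datetime."""
    m = _NOT_BEFORE.search(openssl_text)
    if not m:
        raise ValueError("no notBefore field in openssl output")
    # openssl pads single-digit days with two spaces ("Jan  6 ..."); normalise.
    stamp = " ".join(m.group(1).split())
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def needs_renewal(openssl_text: str, cutoff: datetime = TLS_ALPN_FIX_UTC) -> bool:
    """True if the certificate was issued before the fix and so is in the
    revocation batch (only meaningful for TLS-ALPN-01 validated certs).

    Let's Encrypt backdates notBefore relative to the actual issuance
    moment, so this comparison errs towards renewing; as the thread notes,
    renewing early is harmless.
    """
    return parse_not_before(openssl_text) < cutoff


# Constructed samples: the first mirrors the output quoted earlier in the thread.
SAMPLE_AFTER_FIX = """\
        Validity
            Not Before: Jan 26 05:02:55 2022 GMT
            Not After : Apr 26 05:02:54 2022 GMT
"""
SAMPLE_BEFORE_FIX = "notBefore=Jan 25 22:10:03 2022 GMT\nnotAfter=Apr 25 22:10:02 2022 GMT\n"

if __name__ == "__main__":
    for label, text in (("after fix", SAMPLE_AFTER_FIX), ("before fix", SAMPLE_BEFORE_FIX)):
        print(f"{label}: notBefore {parse_not_before(text):%Y-%m-%d %H:%M} UTC,"
              f" renew now: {needs_renewal(text)}")
```

Feed it the output of `openssl x509 -in cert.pem -noout -dates` for each certificate on the account named in the notification e-mail.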

PSA: Anyone using Caddy v2.4.2 or newer (June 12, 2021) (or CertMagic v0.14 or newer) will most likely not have to take any action.

Caddy will automatically detect the revocation thanks to its automatic OCSP stapling and replace the certificate for you. (We have prior production experience with this.)

15 Likes

[Amazon Lightsail on Bitnami/Apache - Auto-Renew Script + Cronjob]
Ok, I remembered creating a script to renew my certificates (bitnami/apache server). I created a script here, so I edited it and changed this script (which is run daily by a cron job to check if the certs need renewing yet):

sudo nano /opt/bitnami/letsencrypt/scripts/renew-certificate.sh

I changed the number of days to renew in this script to 1. [Edit: 61 should do it... longer than 60 (previous expiry days) was needed]

I'm 50% confident that my certificates should now auto-renew before 28th Jan. Not sure if there's an even quicker way to force auto-renew.

This is what the line of code looked like for my auto-renew if you have similar:

sudo /opt/bitnami/letsencrypt/lego --tls --email="My Email is Here.com" --domains="firstDomainName.com" --domains="secondDomainName" --path="/opt/bitnami/letsencrypt" renew --days 61

I also changed my cronjob that runs at a certain day and time...[Edit: Not needed! Just manually run the script above lol! I'm so rubbish at this...]

I'm also struggling to reply to the right people/posts - keeps replying to Jillian regardless, what am I doing? :crazy_face:

4 Likes

A post was merged into an existing topic: Early renewal for bncert (bitnami)

I'm pretty new to all this, but I'm guessing when they revoke the cert, you won't have a cert until it's renewed again.

I'm using Lightsail and Bitnami on Apache too... do you have an autorenew script?

When the certificate is revoked, your server will continue to serve the certificate it has but it won’t be trusted by all clients. Not all clients and browsers check OCSP (whether your site has a valid or revoked certificate). This will result in errors or warnings for some visitors to your site until you renew and replace the revoked certificate.

4 Likes

If you don't know with which challenge type your certificate has been issued, most likely your hosting provider has done this for you. If that is the case, then it's also your hosting provider which will have to renew your certificate in time before the revocation of the old certificate takes place.

You cannot see which challenge was used to issue a certificate from looking at the actual website I'm afraid.

3 Likes

I'm afraid that's the "5 days rule" that's mandated by the CA/Browser Forum Baseline Requirements. So with issues like this, it will always be on short notice.

Don't forget to change it back once the certs have been successfully renewed :wink:

4 Likes

We manage hundreds of domains across SaaS solutions and standard websites. SSL certificates are one point in a long chain of infrastructure, for which we have found automated solutions such as Caddy, or use various other providers, to make things work.

For most of us, SSL generation, authentication and application are a black box of "magic".

The complete lack of information on how to identify which domains are affected (in bulk) and how to proceed to resolve the issue for the most common scenarios is, quite frankly, terrible.

Replies saying "it's easy" completely miss the point: landing a plane is easy if you've been trained in that skill. If not, it's going to be like the ending of Die Hard.

Please provide more information to help the potentially millions of domains this could be affecting.

4 Likes

What are the steps for users with an older version of Caddy, such as 0.11.5?

:grimacing: That's many years old. Definitely upgrade to Caddy 2:

2 Likes

Hey Scott, you mention Caddy -- are you frustrated about how Caddy "just works" in this case or are you just using that as an example, but you don't actually use it? How can I help?

AFAIK Let's Encrypt sent emails about all affected domains to all clients who specified an email address (which is always recommended), and clearly defined which certificates are affected as well.

2 Likes

Unfortunately, we cannot provide that information in the e-mail because some accounts have too many domains or serials to list in an e-mail and there are too many ACME clients in use with different ways of configuring and managing this information.

If you only use or primarily use the TLS-ALPN-01 challenge you should renew all of your certificates for the account id provided in the e-mail. If there are a few domains using a different challenge or you can’t figure out which accounts manage which domains, it won’t be problematic to renew them early too.

3 Likes