Questions about Renewing before TLS-ALPN-01 Revocations

A post was split to a new topic: Early renewal with autocert

Is there a way to look up what certificate IDs or domain names are going to be revoked? The email only included my account ID, which isn't actually helpful at all for me to look up what was affected.

6 Likes

For complete noobs like me, it would be helpful to have the method for how to check if this is your certificate / where to find out if this is true for you. I've looked at a few things and still not sure...

UPDATE: Okay, I used Firefox to go to my site, clicked the padlock and went to More Information, and it shows this:

[screenshot: TLS version]

Making me think that the TLS version is higher/newer, and therefore my site should be OK? But I'm still not sure lol

2 Likes

I got the email. But how do I know my certificate is issued with TLS-ALPN-01 validation method?

3 Likes

5 posts were split to a new topic: Early Renewal Traefix

Unfortunately, we cannot provide that information at this time. Some accounts have too many domains or serials to list in an email.

Depending on your ACME client, you might review the configuration file to see which domains are utilizing which challenge types and which account. All successful issuances in the last 90 days with the TLS-ALPN-01 challenge are affected and will be revoked. If you only use that challenge, you should force renew all of your certificates. If you only use that challenge for some domains but are having trouble determining which ones based on the account, it is safe to force renew all your certificates.

Please keep in mind, if you are representing a large integration with tens of thousands (or more) of certificates, to renew certificates at a reasonable pace, ideally spread over the course of hours.

4 Likes

Exactly my problem

If you received an e-mail, then your account successfully issued a certificate in the last 90 days with the TLS-ALPN-01 challenge. All certificates issued in the last 90 days validated with TLS-ALPN-01 are affected and will be revoked. You should renew the certificates for the account that was listed in the e-mail notification.

3 Likes

2 posts were split to a new topic: Force renew for bncert (bitnami)

Thanks. Will go find a forum on how to force renew certs.

3 Likes

Is there a threshold timestamp such that certificates issued before it will get revoked?

I just renewed my certificates using the tls-alpn-01 method a few minutes ago, and the validity (times are in UTC) reads as follows:

        Validity
            Not Before: Jan 26 05:02:55 2022 GMT
            Not After : Apr 26 05:02:54 2022 GMT

Could Let's Encrypt staff confirm that the above certificate will survive?

Thanks!

3 Likes

For anyone using apache mod_md.

Simply add/change the minimum date. By default I believe it's 10% or 30 days. Honestly I can't remember.

MDRenewWindow 21d

For me I simply changed 21 to 60 and restarted the apache service. I got a new certificate within a minute or two automatically.

Your Apache installation will possibly be different, as I run my server on FreeBSD. I added the setting to:

/usr/local/etc/apache/httpd.conf

If you have issues with mod_md change your error logging to something higher like debug and look into your log file for issues regarding mod_md.

Loglevel debug

The following is where the log file is placed by default, but you can change this in the apache config file.

/var/log/httpd-error.log

Again this is for FreeBSD installs so locations of files and names might be different.

Hopefully someone finds this useful.

5 Likes

A post was merged into an existing topic: Force renew for bncert (bitnami)

I do not have the exact time on hand, but Let's Encrypt fixed and re-enabled the TLS-ALPN-01 challenge around 00:48 UTC on 26 January 2022. All certificates issued/renewed and validated with the TLS-ALPN-01 challenge after that time are not affected. Our full incident report will include the specific times, and I will try to update the top post with that information.

If you renewed minutes ago, then your renewed certificates will not be affected by the revocations on 28 January 2022. Please make sure you also install the certificate, likely by reloading your webserver, and confirm you are serving the latest certificate.

(edited the time)

5 Likes

PSA: Anyone using Caddy v2.4.2 or newer (June 12, 2021) (or CertMagic v0.14 or newer) will most likely not have to take any action.

Caddy will automatically detect the revocation thanks to its automatic OCSP stapling and replace the certificate for you. (We have prior production experience with this.)

15 Likes

[Amazon Lightsail on Bitnami/Apache - Auto-Renew Script + Cronjob]
Ok, I remembered creating a script to renew my certificates (bitnami/apache server). I created a script here, so I edited it and changed this script (which is run daily by a cron job to check if the certs need renewing yet):

sudo nano /opt/bitnami/letsencrypt/scripts/renew-certificate.sh

I changed the number of days to renew in this script to 1. [Edit: 61 should do it... longer than 60 (previous expiry days) was needed]

I'm 50% confident that my certificates should now auto-renew before 28th Jan. Not sure if there's an even quicker way to force auto-renew.

This is what the line of code looked like for my auto-renew if you have similar:

sudo /opt/bitnami/letsencrypt/lego --tls --email="My Email is Here.com" --domains="firstDomainName.com" --domains="secondDomainName" --path="/opt/bitnami/letsencrypt" renew --days 61

I also changed my cronjob that runs at a certain day and time...[Edit: Not needed! Just manually run the script above lol! I'm so rubbish at this...]

I'm also struggling to reply to the right people/posts - keeps replying to Jillian regardless, what am I doing? :crazy_face:

4 Likes

A post was merged into an existing topic: Early renewal for bncert (bitnami)

I'm pretty new to all this, but I'm guessing when they revoke the cert, you won't have a cert until it's renewed again.

I'm using Lightsail and Bitnami on Apache too... do you have an autorenew script?

When the certificate is revoked, your server will continue to serve the certificate it has but it won’t be trusted by all clients. Not all clients and browsers check OCSP (whether your site has a valid or revoked certificate). This will result in errors or warnings for some visitors to your site until you renew and replace the revoked certificate.

4 Likes
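Two practical checks come up in this thread: whether a certificate on disk was issued before the fix time staff quoted (00:48 UTC, 26 January 2022), and whether a server is still serving a certificate that OCSP now reports as revoked. The script below is an added example, not Let's Encrypt's code or a poster's script. It takes the fix time and revocation date from the staff posts, parses the output of `openssl x509 -noout -dates` (and, for the file-based helper, assumes the openssl CLI is installed), and parses a stapled OCSP response as printed by `openssl s_client -status`. It cannot tell which challenge validated a certificate; a certificate it flags as issued before the fix only needs renewal if TLS-ALPN-01 was used, which you confirm in your ACME client's configuration. The sample openssl outputs in the block are constructed (the dates are the ones quoted in the thread plus one older certificate).

```python
"""Flag certificates that may fall inside the TLS-ALPN-01 revocation window.

Added example; assumes the times quoted by Let's Encrypt staff in the thread.
"""
import re
import subprocess
from datetime import datetime, timezone

# Times taken from the staff posts in this thread (assumed exact for this example).
FIX_TIME = datetime(2022, 1, 26, 0, 48, tzinfo=timezone.utc)
REVOCATION_DATE = datetime(2022, 1, 28, tzinfo=timezone.utc)

# Matches the two lines printed by `openssl x509 -noout -dates`.
_DATE_RE = re.compile(r"^not(Before|After)=(.+)$", re.MULTILINE)


def parse_openssl_dates(text):
    """Return (notBefore, notAfter) as UTC datetimes from `openssl x509 -noout -dates` output."""
    found = {}
    for which, value in _DATE_RE.findall(text):
        naive = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z")
        found[which] = naive.replace(tzinfo=timezone.utc)
    return found["Before"], found["After"]


def classify(not_before, not_after, now=None):
    """Classify a certificate relative to the fix time.

    'expired'           - already past notAfter, nothing to renew for this incident
    'issued-before-fix' - renew it if it was validated with TLS-ALPN-01
    'issued-after-fix'  - not affected regardless of challenge type

    Let's Encrypt backdates notBefore by one hour, so a certificate issued in the
    hour after the fix is also flagged; renewing it early is harmless.
    """
    now = now or datetime.now(timezone.utc)
    if not_after <= now:
        return "expired"
    if not_before < FIX_TIME:
        return "issued-before-fix"
    return "issued-after-fix"


def classify_cert_file(path, now=None):
    """Classify a PEM file on disk (assumes the openssl CLI is on PATH)."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-dates", "-in", path],
        check=True, capture_output=True, text=True,
    ).stdout
    return classify(*parse_openssl_dates(out), now=now)


def stapled_ocsp_status(s_client_output):
    """Return 'good', 'revoked' or 'unknown' from `openssl s_client -status` output,
    or None when the server stapled no response (clients that do not query OCSP
    themselves will then keep trusting a revoked certificate)."""
    if "OCSP response: no response sent" in s_client_output:
        return None
    match = re.search(r"Cert Status:\s*(\w+)", s_client_output)
    return match.group(1) if match else None


# Constructed samples: the validity quoted in the thread, and one older certificate.
SAMPLE_RENEWED = "notBefore=Jan 26 05:02:55 2022 GMT\nnotAfter=Apr 26 05:02:54 2022 GMT\n"
SAMPLE_OLD = "notBefore=Jan 10 03:00:00 2022 GMT\nnotAfter=Apr 10 03:00:00 2022 GMT\n"
SAMPLE_EXPIRED = "notBefore=Oct  1 00:00:00 2021 GMT\nnotAfter=Dec 30 00:00:00 2021 GMT\n"
SAMPLE_STAPLE_REVOKED = (
    "OCSP response: \n======================================\nOCSP Response Data:\n"
    "    OCSP Response Status: successful (0x0)\n    Cert Status: revoked\n"
)
SAMPLE_STAPLE_NONE = "OCSP response: no response sent\n"

# A fixed "now" between the fix and the revocation date, so results are reproducible.
EXAMPLE_NOW = datetime(2022, 1, 27, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, sample in (("renewed", SAMPLE_RENEWED), ("old", SAMPLE_OLD), ("expired", SAMPLE_EXPIRED)):
        print(label, classify(*parse_openssl_dates(sample), now=EXAMPLE_NOW))
    print("stapled status:", stapled_ocsp_status(SAMPLE_STAPLE_REVOKED))
```

To audit a live server after renewing, feed `openssl s_client -connect example.org:443 -servername example.org -status </dev/null` into `stapled_ocsp_status` and `openssl x509 -noout -dates` on the served chain into `parse_openssl_dates`; if the served certificate still classifies as issued before the fix after you renewed on disk, the webserver was not reloaded.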