Let’s Encrypt revokes a large number of SSL certificates in two days


Let’s Encrypt has announced that, beginning January 28, 2022, it will revoke certain TLS certificates issued within the past 90 days. The incident notice on its community forum, “2022.01.25 Issue with TLS-ALPN-01 Validation Method”, opens:

At 16:48 UTC on Tuesday Jan 25, 2022, a third party informed Let’s Encrypt / ISRG that, while examining the Boulder code...

This move could affect millions of active Let’s Encrypt certificates, according to the organization.

Let’s Encrypt is a non-profit certificate authority (CA) operated by the Internet Security Research Group (ISRG) that provides free X.509 certificates for TLS.

Revoking “mis-issued” certificates

Yesterday, ISRG was informed by a third party who had examined Let’s Encrypt’s Boulder code base that there were “two irregularities” in the CA’s implementation of the “TLS using ALPN” (TLS-ALPN-01) validation method.

As a result, two changes were made to the TLS-ALPN-01 challenge validation code. Gillian, a Site Reliability Engineer (SRE) at Let’s Encrypt, explained that every TLS-ALPN-01 challenge validated before the fix was deployed at 00:48 UTC on January 26, 2022 went through the flawed implementation, and that all active certificates issued on the basis of such a validation are therefore considered mis-issued.
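The page does not list the two irregularities or the two fixes, so the following is not Boulder’s code. It is an added, self-contained Python sketch of what RFC 8737 (the specification for the “TLS using ALPN” method) requires an ACME server to verify before it accepts a TLS-ALPN-01 challenge: a TLS 1.2-or-higher connection, the “acme-tls/1” ALPN protocol, and a critical id-pe-acmeIdentifier extension whose value is the SHA-256 of the challenge’s key authorization. The client side that builds that extension is included so the check can be exercised offline. The token, account JWK and negotiated handshake parameters are constructed inputs, and all function names are this example’s own.

```python
"""
TLS-ALPN-01 (RFC 8737) challenge material and server-side checks, stdlib only.

Constructed example, not Let's Encrypt / Boulder code. Inputs (token,
account key, negotiated TLS parameters) are made up here rather than taken
from a live handshake.
"""
import base64
import hashlib
import json

ID_PE_ACME_IDENTIFIER = "1.3.6.1.5.5.7.1.31"   # RFC 8737: { id-pe 31 }
ACME_TLS_ALPN = "acme-tls/1"
ALLOWED_TLS_VERSIONS = {"TLSv1.2", "TLSv1.3"}  # RFC 8737 section 3: TLS 1.2 or higher

# Required JWK members for the RFC 7638 thumbprint, by key type.
_THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> bytes:
    """RFC 7638: SHA-256 over the required members, lexicographically ordered, no whitespace."""
    members = {k: jwk[k] for k in _THUMBPRINT_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).digest()


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || base64url(thumbprint(accountKey))."""
    return f"{token}.{b64url(jwk_thumbprint(account_jwk))}"


# --- minimal DER helpers, enough for the Extension structure below ---

def der_tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der_tlv(0x06, bytes(body))


def der_read(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def build_acme_identifier_extension(key_auth: str, critical: bool = True) -> bytes:
    """Client side: the Extension the self-signed challenge certificate must carry.
    RFC 8737 requires critical=True; the flag is a parameter only so the server
    check can be exercised against a non-compliant certificate."""
    digest = hashlib.sha256(key_auth.encode("utf-8")).digest()
    authorization = der_tlv(0x04, digest)            # Authorization ::= OCTET STRING (SIZE (32))
    parts = der_oid(ID_PE_ACME_IDENTIFIER)
    if critical:                                     # DER omits the BOOLEAN when it is DEFAULT FALSE
        parts += der_tlv(0x01, b"\xff")
    parts += der_tlv(0x04, authorization)            # extnValue OCTET STRING wrapping the DER
    return der_tlv(0x30, parts)


def validate_tls_alpn_01(extension_der: bytes, key_auth: str,
                         negotiated_alpn: str, tls_version: str) -> tuple:
    """Server side: the checks RFC 8737 section 3 requires. Returns (True, "ok") or (False, reason)."""
    if tls_version not in ALLOWED_TLS_VERSIONS:
        return False, f"TLS version {tls_version} below TLS 1.2"
    if negotiated_alpn != ACME_TLS_ALPN:
        return False, f"ALPN protocol {negotiated_alpn!r} is not {ACME_TLS_ALPN!r}"
    tag, body, _ = der_read(extension_der)
    if tag != 0x30:
        return False, "extension is not a SEQUENCE"
    tag, oid, pos = der_read(body)
    if tag != 0x06 or oid != der_read(der_oid(ID_PE_ACME_IDENTIFIER))[1]:
        return False, "extension OID is not id-pe-acmeIdentifier"
    tag, value, pos = der_read(body, pos)
    if tag != 0x01 or value != b"\xff":
        return False, "acmeIdentifier extension is not marked critical"
    tag, extn_value, _ = der_read(body, pos)
    if tag != 0x04:
        return False, "extnValue is not an OCTET STRING"
    tag, digest, _ = der_read(extn_value)
    if tag != 0x04 or len(digest) != 32:
        return False, "Authorization is not a 32-byte OCTET STRING"
    if digest != hashlib.sha256(key_auth.encode("utf-8")).digest():
        return False, "digest does not match the key authorization"
    return True, "ok"


# Constructed sample inputs (not real ACME values).
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": b64url(bytes(range(1, 33))), "y": b64url(bytes(range(33, 65)))}

if __name__ == "__main__":
    ka = key_authorization(SAMPLE_TOKEN, SAMPLE_JWK)
    ext = build_acme_identifier_extension(ka)
    print(validate_tls_alpn_01(ext, ka, "acme-tls/1", "TLSv1.3"))
    print(validate_tls_alpn_01(ext, ka, "acme-tls/1", "TLSv1.1"))
    print(validate_tls_alpn_01(build_acme_identifier_extension(ka, critical=False),
                               ka, "acme-tls/1", "TLSv1.3"))
```

The point of the server-side function is that each requirement is an independent reject: a digest that matches is not enough if the extension is not critical, the ALPN protocol is wrong, or the connection was negotiated below TLS 1.2. A real validator would additionally check the subjectAltName of the presented certificate and the SNI it sent, which this sketch leaves out.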

Let’s Encrypt’s certificate policy requires it to revoke certificates within five days under certain conditions, including mis-issuance, so the CA announced that it would begin revoking the affected certificates at 16:00 UTC on January 28, 2022.

Not all certificates are affected, however: the revocation applies only to certificates whose issuance relied on the flawed TLS-ALPN-01 validation method.

The announcement adds: “We estimate that less than 1% of valid certificates will be affected. Subscribers affected by the revocation will receive an email notification if they have a valid email address on file in their ACME account. If you are affected by this revocation and need help with renewing your certificate, please ask your questions in this thread:”

https://community.letsencrypt.org/t/questions-about-renewing-before-tls-alpn-01-revocations/170449

As of November 2021, Let’s Encrypt had more than 221 million valid certificates, so even “less than 1%” can amount to as many as roughly two million active certificates issued after a flawed TLS-ALPN-01 validation.

Site owners with affected Let’s Encrypt certificates have reported receiving email notifications instructing them to renew their certificates before the revocation.

If you received the email, it means that your account has obtained at least one certificate validated with a TLS-ALPN-01 challenge in the last 90 days.

All certificates issued within the last 90 days and validated with a TLS-ALPN-01 challenge are affected, and you will need to follow your ACME client’s instructions to force a renewal of the certificate. If the client’s instructions require a configuration change, remember to change it back after the certificate has been renewed.
