[German]Brief information for administrators who use certificates from the non-profit certification authority Let's Encrypt. Let's Encrypt will revoke certain certificates as of 28. Jan. 2022. The background for the revoke of the max. 90 days old certificates is a bug that was noticed recently. No idea how many websites and services use these free Let's Encrypt certificates. Those who use Let's Encrypt certificates should at least check if they are affected.
In a notice einer2022.01.25 Issue with TLS-ALPN-01 Validation Method, a Let's Encrypt employee explains that on January 25, 2022, it was brought to their attention by a third party that while investigating the Boulder codebase, that body had found two instances of specification non-compliance in the Let's Encrypt implementation of the "TLS Using ALPN" validation method (BRs 3.2.2.4.20, RFC 8737).
As a result, Let's Encrypt has made two changes to the way its TLS ALPN-01 validation works. It states:
- First, we now guarantee that our client which reaches out to conduct the "acme-tls/1" handshake will negotiate TLS version 1.2 or higher. If your ACME client or integration only supports a maximum TLS version of 1.1 when conducting the TLS-ALPN-01 challenge, it will break. We are not aware of any ACME clients with this limitation.
- Second, we no longer support the legacy 1.3.6.1.5.5.7.1.30.1 OID which was used to identify the acmeIdentifier extension in earlier drafts of RFC 8737. We now only accept the standardized OID 1.3.6.1.5.5.7.1.31. If your client uses the wrong OID when constructing the certificate used for the TLS-ALPN-01 handshake, it will break. Please either update your client, or switch to using a different validation method.
When these changes were introduced, the TLS-ALPN-01 challenge type was also temporarily disabled. All active certificates issued and validated with the TLS-ALPN-01 challenge before 00:48 UTC on January 26, 2022, when the fix was deployed, are considered incorrectly issued. In accordance with the Let's Encrypt CP, there are now 5 days to revoke these certificates.
Let's Encrypt will therefore start revoking the affected certificates on January 28, 2022 at 16:00 UTC. It is estimated that <1% of active certificates will be affected. Subscribers affected by the revocation will be notified via email, provided their ACME account contains a valid email address. An English-language article is available at Bleeping Computer if anyone wants to read up more extensively.