Let's Encrypt notified subscribers about urgent revoking certificates on 28 Jan 2022

rustelekomrustelekom Member, Patron Provider

On 26 January 2022, Let's Encrypt notified subscribers (with a valid contact email) that on 28 January 2022 we will revoke certificates issued in the last 90 days and validated with the TLS-ALPN-01 challenge. This revocation only affects certificates issued and validated with the TLS-ALPN-01 challenge. Not all clients are capable of using this challenge type. Certbot does not support this challenge type, so unless you received an e-mail about this, Certbot users should be unaffected.

This post and thread will collect answers to frequently asked questions about this revocation, and how to avoid problems by renewing affected certificates early. If you're affected, please thoroughly read this thread, and search the community forum, for an answer to your question. If you don't find one, please make a new post in the 'Help' category, filling in the questions in the template that appear as you compose your post. Below, you will find some in-progress threads for certain clients and an F.A.Q. that we will be regularly updating.

Notes and Starting Points for Specific Clients

Caddy
bitnami/bn-cert
autocert
apache mod_md
apache mod_md find affected certs
Traefik

If you are using certbot, you are not impacted.

Q: How do I know if I'm using an affected certificate?
A: If you received the e-mail then you have an affected certificate. Not all subscribers have contact information so you may still be affected if you did not receive the e-mail. If you successfully issued a certificate validated with the TLS-ALPN-01 before 00:48 UTC on 26 January 2022, then your certificate is affected.

We have generated a downloadable list that maps affected registration ids, serials, and domains. Subscribers can download this list and cross-check the information.

If you did not receive an e-mail, you may find it easiest to get the serial for a domain you control and then cross-check the list. On a Linux/BSD-like system, this command will show you example.com 's current certificate serial number:

openssl s_client -connect example.com:443 -servername example.com \
    -showcerts </dev/null 2>/dev/null | openssl x509 -noout -serial | awk -F'=' '{print $2}'

You can replace example.com with your own domain name to see your certificate's serial number.

You can see an explanation of the list's data and also download it from https://letsencrypt.org/tlsalpnrevocation/

Q: What happens if I do not replace my certificate on time?
A: If you are not able to renew your certificate by January 28th, visitors to your site may see security warnings, depending on their browser/client, until you renew your certificate. Your ACME client documentation should explain how to renew.

Q: Which clients do/do not support TLS-ALPN-01?
A: We know that Caddy, Traefik, apache mod_md, and the go autocert package support TLS-ALPN-01. Certbot does not support this challenge type.

Q: When will the revocation start?
A: We will begin revoking certificates starting at 16:00 UTC on 28 January 2022.
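The post tells you to pull the serial with openssl and cross-check it against the downloadable list by hand. The script below is an added example, not code from the post or from Let's Encrypt: it wraps the same openssl pipeline (assumed to be on PATH), also reads the certificate's notBefore date, and then reports whether the serial is on the affected list and whether the issuance date even falls inside the 90-day window ending at 00:48 UTC on 26 January 2022. The list of affected serials used here is a constructed sample, since the real list's format is not shown on this page; swap in serials from the real download for an actual check.

```python
"""Cross-check a served certificate against the TLS-ALPN-01 revocation window.

Added example, not from the Let's Encrypt post. The affected-serial set is a
constructed placeholder, not the real list from letsencrypt.org/tlsalpnrevocation/.
"""
import subprocess
import sys
from datetime import datetime, timedelta, timezone

# Cut-off stated in the post: certificates validated before this instant are affected.
CUTOFF = datetime(2022, 1, 26, 0, 48, tzinfo=timezone.utc)
# Revocation covers certificates issued in the 90 days before the cut-off.
WINDOW_START = CUTOFF - timedelta(days=90)

# Constructed sample serials (hypothetical values, not real affected certificates).
AFFECTED_SERIALS_SAMPLE = {
    "04ABCDEF0123456789ABCDEF0123456789AB",
    "03FFEE0011223344556677889900AABBCCDD",
}


def normalize_serial(raw):
    """Canonical hex form: strip colons, 0x and whitespace, uppercase, drop leading zeros.

    Serial lists and tools disagree on formatting, so compare in one shape.
    """
    s = raw.strip().replace(":", "").replace(" ", "")
    if s.lower().startswith("0x"):
        s = s[2:]
    s = s.upper().lstrip("0")
    return s or "0"


def parse_openssl_output(text):
    """Parse 'serial=...' and 'notBefore=...' lines from `openssl x509 -noout -serial -startdate`."""
    serial = None
    not_before = None
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key = key.strip()
        if key == "serial":
            serial = normalize_serial(value)
        elif key == "notBefore":
            # openssl prints e.g. "Jan  3 12:00:00 2022 GMT"; strptime tolerates the double space.
            not_before = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y GMT")
            not_before = not_before.replace(tzinfo=timezone.utc)
    if serial is None or not_before is None:
        raise ValueError("openssl output lacked serial or notBefore")
    return serial, not_before


def in_affected_window(not_before):
    """True if the certificate was issued inside the 90-day window before the cut-off."""
    return WINDOW_START <= not_before < CUTOFF


def classify(serial, not_before, affected_serials):
    """'listed': serial is on the list (affected).
    'in-window': issued in the window, so affected only if validated with TLS-ALPN-01,
    which the certificate itself does not record; check the list or your client's logs.
    'clear': issued outside the window, so not part of this revocation."""
    normalized = {normalize_serial(s) for s in affected_serials}
    if normalize_serial(serial) in normalized:
        return "listed"
    if in_affected_window(not_before):
        return "in-window"
    return "clear"


def fetch_cert_fields(host, port=443):
    """Run the post's openssl pipeline, additionally requesting the notBefore date."""
    client = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host, "-showcerts"],
        input=b"", capture_output=True, timeout=20,
    )
    x509 = subprocess.run(
        ["openssl", "x509", "-noout", "-serial", "-startdate"],
        input=client.stdout, capture_output=True, check=True,
    )
    return parse_openssl_output(x509.stdout.decode())


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    serial, not_before = fetch_cert_fields(target)
    print(f"{target}: serial={serial} notBefore={not_before.isoformat()} "
          f"status={classify(serial, not_before, AFFECTED_SERIALS_SAMPLE)}")
```

Run it as `python3 check_alpn.py yourdomain.example`. A "clear" result is conclusive, because a certificate issued outside the window cannot be in this revocation; "in-window" only narrows it down, so the serial still needs to be checked against the real list.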
