Let's Encrypt, the popular certificate authority (CA) that issues free SSL/TLS certificates, has emailed thousands of users telling them that they must renew their certificates before this Friday. Let's Encrypt certificates are widely used by home users and businesses because they cost nothing; the trade-off is that they are valid for only 90 days and must be renewed on that schedule, rather than every year or two as with paid certificates. Here is why you should renew the affected certificates as soon as possible.
What happened to the certificates?
This morning the Let's Encrypt team emailed every user affected by a validation problem in certificates issued during the last 90 days. Their developers found a bug in the TLS-ALPN-01 challenge: some "challenges" were accepted as passed even though they did not meet the requirements that validation method is supposed to enforce, so certificates were issued that should not have been. Let's Encrypt has corrected the validation code and, because a certificate issued on a faulty validation cannot be left in circulation, will revoke all non-expired certificates that were validated with TLS-ALPN-01 during that period on January 28, 2022 at 16:00 UTC. The affected users are therefore being asked to renew their certificates before that deadline.
If you are a Let's Encrypt user and your certificates were validated with the TLS challenge (TLS-ALPN-01), they will be revoked on Friday whether or not you have acted, so you must force a renewal before then. Once a certificate is revoked, browsers and other clients that check revocation status will reject it, and anyone connecting to your services from outside will see certificate errors. The bug has already been fixed on Let's Encrypt's side, so the renewal can use the same TLS-ALPN-01 method; what matters is that a new certificate is issued after the fix. If you run a web server or reverse proxy that uses these certificates, renew them now and then verify that the new certificates are actually the ones being served.
In our case, we use this validation method with Traefik, the popular reverse proxy we use to reach different web resources on our local network. To force Traefik to request new certificates we stopped it, deleted the acme.json file it had created at setup time, created it again empty with permissions 600 (Traefik refuses to start with a more permissive ACME store), and finally started Traefik again; it then obtained fresh certificates for all the configured domains. Stopping Traefik before wiping the file matters, because a running instance keeps the store in memory and may write the old contents back. If you use this reverse proxy, or any other ACME client that talks to Let's Encrypt, you will have to go through a similar process before Friday, January 28.
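The Traefik procedure above written out as a script, with a preliminary check that goes slightly beyond the article: it first looks for a `tlsChallenge` resolver in the static configuration, since only certificates validated with TLS-ALPN-01 are affected and an `httpChallenge`/`dnsChallenge` setup needs no action. This is an added example, not code from the original article or from the Traefik project. The container name `traefik`, the configuration path `./traefik.yml` and the store path `./letsencrypt/acme.json` are assumptions; adjust them to your deployment.

```shell
#!/bin/sh
# Added example: reset Traefik's ACME store so it requests new certificates.
# Not from the original article or from the Traefik project.
# Assumptions (hypothetical names): Traefik runs as a Docker container called
# "traefik", its static config is ./traefik.yml and the ACME store it writes
# is ./letsencrypt/acme.json (mounted into the container).
set -eu

# 1. Does this Traefik instance use the TLS-ALPN-01 challenge at all?
#    Traefik enables it with a "tlsChallenge" key under certificatesResolvers
#    (YAML/TOML) or a --certificatesresolvers.<name>.acme.tlschallenge flag.
#    Returns 0 if found, 1 otherwise. httpChallenge/dnsChallenge resolvers are
#    not affected by the revocation.
uses_tls_challenge() {
    grep -qi 'tlschallenge' "$1"
}

# 2. Reset the ACME store. Keeps a timestamped backup of the old file, then
#    recreates it empty with mode 600, which Traefik insists on for acme.json.
reset_acme_store() {
    store="$1"
    if [ -f "$store" ]; then
        cp -p "$store" "$store.bak.$(date +%Y%m%d%H%M%S)"
    fi
    : > "$store"
    chmod 600 "$store"
}

# 3. Print the permission string of the store (e.g. "-rw-------") so the mode
#    can be verified before Traefik is started again.
acme_store_mode() {
    ls -l "$1" | cut -c1-10
}

# The functions above have no side effects until called; the actual procedure
# only runs when the script is invoked as:  ./renew-traefik.sh --run
if [ "${1:-}" = "--run" ]; then
    CONFIG=./traefik.yml              # assumption
    STORE=./letsencrypt/acme.json     # assumption
    if ! uses_tls_challenge "$CONFIG"; then
        echo "No tlsChallenge resolver in $CONFIG; certificates are not affected."
        exit 0
    fi
    docker stop traefik               # stop first so Traefik cannot rewrite the old store
    reset_acme_store "$STORE"
    echo "acme.json reset, mode: $(acme_store_mode "$STORE")"
    docker start traefik              # Traefik now requests fresh certificates
    # Afterwards, confirm the certificate actually served is new (notBefore after the fix):
    #   openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null \
    #     | openssl x509 -noout -dates
fi
```

The final `openssl s_client` check is the step most people skip: a certificate can sit renewed in acme.json while the running process still serves the old one, so always look at what is presented on port 443, not only at the file on disk.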
What do I do if I have problems renewing them?
The Let's Encrypt community forum has a thread created specifically for this incident: if you run into any problem renewing a certificate with the TLS-ALPN-01 challenge before the revocation, you can post there and they will help you sort out the error. Remember that this forced revocation only affects certificates validated with TLS-ALPN-01; certificates validated with the other methods, the HTTP challenge (HTTP-01) and the DNS challenge (DNS-01), are not affected and need no action.
In that thread you will find help both from the Let's Encrypt developers and from the community, since the ACME clients people use to force a renewal are all widely deployed and the steps are well understood.