Angus Robertson 577 Posted January 26, 2022 Let’s Encrypt / ISRG has today fixed a problem in the server software that issues certificates validated with the “TLS Using ALPN” method, that meant some existing certificates could have been incorrectly issued (they estimate 1%) and is therefore revoking those certificates at 16:00 UTC on 28 January 2022. This will cause servers using these certificates to display untrusted warnings in most browsers and applications that check for revocation. ICS applications using servers with Hosts that automatically order SSL certificates using CertChallenge with ChallAlpnApp will be using these soon to be revoked certificates. Although ICS servers check the validity of SSL certificates, they do not currently check for revocation, mainly since this is the first time in 20 years of my using SSL certificates it has happened. So manual intervention is needed in the next two days, simply delete the certificate file specified in the host property SslCert and restart the server. Upon startup, the server will create a self signed certificate to allow it to start, then immediately order a new Let’s Encrypt certificate which should be downloaded and automatically installed within about 15 seconds. If the server application implements regular certificate checking with the RecheckSslCerts method (the OverbyteIcsSslMultiWeb/Ftp samples do that every two hours), the new certificate will be ordered without restarting the server. ICS client application are not directly effected by these certificates being revoked, unless they access servers that have not replaced the revoked certificates and implement certificate chain checking using the Windows store with the SslRevocation property set true. Because checking revocation slows down connection time, many applications don't do it. But I will look at implementing it in ICS for use with our PEM CA bundles and servers in particular. Anyone whose applications have ordered Let's Encrypt certificates that are about to be revoked should have received an email warning already. https://community.letsencrypt.org/t/2022-01-25-issue-with-tls-alpn-01-validation-method/170450 Angus 1 Share this post Link to post