Angus Robertson

Some Let's Encrypt certificates being revoked on 28 January 2022

Let’s Encrypt / ISRG has today fixed a problem in the server software that issues certificates validated with the “TLS Using ALPN” method, which meant some existing certificates could have been incorrectly issued (they estimate 1%), and is therefore revoking those certificates at 16:00 UTC on 28 January 2022. This will cause servers using these certificates to display untrusted warnings in most browsers and applications that check for revocation.

ICS applications using servers with Hosts that automatically order SSL certificates using CertChallenge with ChallAlpnApp will be using these soon-to-be-revoked certificates. Although ICS servers check the validity of SSL certificates, they do not currently check for revocation, mainly since this is the first time in 20 years of my using SSL certificates that it has happened.

So manual intervention is needed in the next two days: simply delete the certificate file specified in the host property SslCert and restart the server. Upon startup, the server will create a self-signed certificate to allow it to start, then immediately order a new Let’s Encrypt certificate, which should be downloaded and automatically installed within about 15 seconds.

If the server application implements regular certificate checking with the RecheckSslCerts method (the OverbyteIcsSslMultiWeb/Ftp samples do that every two hours), the new certificate will be ordered without restarting the server.

ICS client applications are not directly affected by these certificates being revoked, unless they access servers that have not replaced the revoked certificates and implement certificate chain checking using the Windows store with the SslRevocation property set true.

Because checking revocation slows down connection time, many applications don't do it. But I will look at implementing it in ICS for use with our PEM CA bundles and servers in particular.

Anyone whose applications have ordered Let's Encrypt certificates that are about to be revoked should have received an email warning already.

https://community.letsencrypt.org/t/2022-01-25-issue-with-tls-alpn-01-validation-method/170450

Angus
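The post above leaves operators to find affected hosts from the Let's Encrypt email. As an added example (not part of Angus's post and not ICS code), here is a small stdlib-only Python triage script that fetches the leaf certificate a server presents and classifies it relative to the 28 January 2022 cutoff. The certificate itself does not record which validation method was used, so the script flags every Let's Encrypt certificate issued before the fix as a candidate; the email from Let's Encrypt remains the authoritative list. Assumptions, labelled in the code: the fix boundary is taken conservatively as 26 January 2022 UTC, since the exact fix time is not stated, and `SAMPLE_CERT` is a constructed dict in the shape `getpeercert()` returns, not a real certificate.

```python
"""Triage helper for the Let's Encrypt TLS-ALPN-01 revocation.

Added example, not part of the original post and not ICS code. It uses only
the Python standard library. The decision logic (classify) is pure so it can
be exercised on a constructed getpeercert()-style dict without a network.
"""
import socket
import ssl
from datetime import datetime, timezone


def utc(*parts):
    """Build a timezone-aware UTC datetime, e.g. utc(2022, 1, 28, 16)."""
    return datetime(*parts, tzinfo=timezone.utc)


# Let's Encrypt fixed the TLS-ALPN-01 validation bug on 25 January 2022.
# Assumption: the exact fix time is not stated, so anything issued before
# 26 January 2022 UTC is treated as a candidate (deliberately conservative).
LE_FIX_BOUNDARY = utc(2022, 1, 26)
# Revocation time stated in the announcement: 16:00 UTC on 28 January 2022.
LE_REVOCATION_TIME = utc(2022, 1, 28, 16)


def _name_attr(name, key):
    """Pull one attribute (e.g. 'organizationName') out of the tuple-of-RDNs
    structure that ssl.SSLSocket.getpeercert() uses for issuer and subject."""
    for rdn in name:
        for attr_key, value in rdn:
            if attr_key == key:
                return value
    return None


def classify(cert, now=None):
    """Classify a getpeercert()-style dict relative to the revocation.

    Returns one of:
      'not-lets-encrypt'      issuer is some other CA
      'issued-after-fix'      Let's Encrypt, but issued after the fix boundary
      'replace-before-cutoff' candidate; renew before 16:00 UTC 28 Jan 2022
      'possibly-revoked'      candidate and the cutoff has already passed
    Every pre-fix Let's Encrypt certificate is flagged because the validation
    method is not recorded in the certificate; only ~1% are actually revoked.
    """
    now = now or datetime.now(timezone.utc)
    if _name_attr(cert.get("issuer", ()), "organizationName") != "Let's Encrypt":
        return "not-lets-encrypt"
    # notBefore is in the "Jan 20 00:00:00 2022 GMT" form getpeercert() uses.
    issued = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    if issued >= LE_FIX_BOUNDARY:
        return "issued-after-fix"
    if now >= LE_REVOCATION_TIME:
        return "possibly-revoked"
    return "replace-before-cutoff"


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch the leaf certificate a server presents. Like ICS, Python's default
    context validates the chain but performs no revocation check; adding
    ssl.VERIFY_CRL_CHECK_LEAF to ctx.verify_flags only works once a CRL has
    been loaded with ctx.load_verify_locations()."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in the shape getpeercert() returns (not a real cert).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "notBefore": "Jan 20 00:00:00 2022 GMT",
    "notAfter": "Apr 20 00:00:00 2022 GMT",
}


if __name__ == "__main__":
    import sys
    hosts = sys.argv[1:]
    if not hosts:
        print("sample:", classify(SAMPLE_CERT, now=utc(2022, 1, 26)))
    for host in hosts:
        try:
            print(host, classify(fetch_peer_cert(host)))
        except (OSError, ssl.SSLError) as exc:
            print(host, "error:", exc)
```

Run it as `python triage.py host1 host2 ...` against your own server names; with no arguments it classifies the constructed sample. Because `classify` takes `now` as a parameter, the same function can be used from a scheduled check that runs before and after the cutoff without changing the decision logic.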