Let’s Encrypt will revoke millions of wrong SSL certificates in 5 days
Let’s Encrypt wrongly issued millions of certificates. All affected certificates will be revoked within 5 days.
If you use the free SSL certificate provided by Let’s Encrypt, please check the email you left when you submitted your application.
If you receive a notification from Let’s Encrypt, your certificate is likely to be revoked in the next 5 days.
If the email address you entered at that time was not a real one, it is recommended, to be on the safe side, that you re-apply for a new certificate so that you are not caught out when the old certificate is revoked automatically.
The revocation will start at 16:00 UTC on January 28, 2022 (all times below are UTC+0), and will be completed within 5 days at the latest; at the fastest, recently issued misissued certificates may be revoked very soon.
Reason for revocation:
According to the announcement published by Let’s Encrypt, a third party notified ISRG (the operator of Let’s Encrypt) of two violations in the TLS-ALPN-01 validation implemented in Boulder, the CA software, so ISRG had to change how its TLS-ALPN-01 challenge validation works.
When deploying the fix at 00:48 on January 26, 2022, Let’s Encrypt engineers stated that all certificates issued before the fix whose validation used the TLS-ALPN-01 challenge are misissued. According to the Let’s Encrypt Certificate Policy, the certificate authority must revoke misissued certificates within 5 days, so Let’s Encrypt plans to start revoking them at 16:00 on January 28, 2022.
However, note that not all certificates are affected by this issue: Let’s Encrypt will only revoke the affected certificates, and an email notification has been sent to the affected users.
Let’s Encrypt expects less than 1% of active certificates to be affected, but since Let’s Encrypt has over 221 million active certificates, even 1% means millions of certificates, which corresponds to millions of websites and web services. Once a certificate is revoked, HTTPS connections to it will fail, which directly makes the website or service unreachable.
Possible remedies:
The simpler and more straightforward solution is to directly delete the old Let’s Encrypt certificate and then re-apply for the issuance of a new certificate.
Since the fix has already been deployed, newly issued certificates are not affected.
This solution is relatively simple and effective, because Let’s Encrypt does not provide a way to check whether a given certificate is affected: a user who did not register a real mailbox, or who did not receive the notification email, cannot tell whether their certificate is affected.
Users of the Pagoda panel can turn off SSL in the website’s SSL settings, delete the Let’s Encrypt certificate from the certificate folder, and then re-apply for issuance.
The procedure for LNMP users is similar: first comment out the SSL certificate directives in the website configuration file (.conf), then delete the certificate files (.cer and .key) from the certificate storage path, restart nginx so the change takes effect, and finally use an ACME client or certbot again to apply for a new certificate.
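Since the article notes there is no official way to tell whether a given certificate is affected, the following added example (not code from the article or from Let’s Encrypt; only the fix deployment time is taken from the text, everything else is an assumption) classifies a deployed certificate by its issuer and notBefore date against that time. A certificate does not record which ACME challenge validated it, so the result "possibly-affected" means "re-issue to be safe", not "confirmed misissued".

```python
import socket
import ssl
from datetime import datetime, timezone

# Time the fix was deployed, per the article: 00:48 UTC on 2022-01-26.
FIX_DEPLOYED = datetime(2022, 1, 26, 0, 48, tzinfo=timezone.utc)

def classify(issuer_org: str, not_before: datetime) -> str:
    """Return 'not-letsencrypt', 'issued-after-fix' or 'possibly-affected'.

    A certificate does not record which ACME challenge validated it, so
    'possibly-affected' only means "Let's Encrypt certificate issued before
    the fix": re-issue it to be safe; it is not proof of misissuance.
    """
    if "Let's Encrypt" not in issuer_org:
        return "not-letsencrypt"
    if not_before >= FIX_DEPLOYED:
        return "issued-after-fix"
    return "possibly-affected"

def classify_peercert(cert: dict) -> str:
    """Classify the dict returned by ssl.SSLSocket.getpeercert()."""
    # issuer is a tuple of RDNs, each a tuple of (attribute, value) pairs.
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    not_before = datetime.fromtimestamp(seconds, tz=timezone.utc)
    return classify(issuer.get("organizationName", ""), not_before)

def check_host(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Fetch the live certificate of host:port and classify it.

    The default context does not check revocation, so a certificate that has
    already been revoked may still be accepted here (browsers would reject it).
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return classify_peercert(tls.getpeercert())

# Constructed sample in getpeercert() format (assumed values, not a real cert).
SAMPLE_PEERCERT = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "notBefore": "Jan 20 10:00:00 2022 GMT",
}

if __name__ == "__main__":
    print("sample certificate:", classify_peercert(SAMPLE_PEERCERT))
```

Run `check_host("your.domain.example")` against a live server to classify the certificate it actually serves; the sample dict only exercises the offline path.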
Official announcement on this issue:
https://community.letsencrypt.org/t/2022-01-25-issue-with-tls-alpn-01-validation-method/170450