The non-profit certificate authority Let’s Encrypt announced that it will start revoking certain SSL/TLS certificates issued within the last 90 days. Let’s Encrypt stated that a third party reported two irregularities in the implementation of the “TLS Using ALPN” validation method in the Boulder codebase. The organization has changed how TLS-ALPN-01 challenge validation works.
Starts on 28 January
Let’s Encrypt stated that the certificates validated and issued before the fix are considered mis-issued. The organization will start revoking these certificates, estimated at less than 1% of active certificates, on 28 January. It is notifying subscribers by email where the ACME account has a valid email address.
According to the statement, the changes only affect clients that use TLS-ALPN-01. Let’s Encrypt added that more information about the incident will be provided in the next few days. The statement also announced:
« First, we now guarantee that our client which reaches out to conduct the “acme-tls/1” handshake will negotiate TLS version 1.2 or higher. If your ACME client or integration only supports a maximum TLS version of 1.1 when conducting the TLS-ALPN-01 challenge, it will break. We are not aware of any ACME clients with this limitation.
Second, we no longer support the legacy 1.3.6.1.5.5.7.1.30.1 OID which was used to identify the acmeIdentifier extension in earlier drafts of RFC 8737. We now only accept the standardized OID 1.3.6.1.5.5.7.1.31. If your client uses the wrong OID when constructing the certificate used for the TLS-ALPN-01 handshake, it will break. Please either update your client, or switch to using a different validation method. »
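The second change in the statement, shown as an added example rather than Let’s Encrypt or Boulder code: a client-side builder for the TLS-ALPN-01 challenge certificate and a check that mirrors the post-fix rule (standardized OID 1.3.6.1.5.5.7.1.31 only, legacy 1.3.6.1.5.5.7.1.30.1 rejected). The identifier and key authorization used in the check are constructed values; the TLS 1.2 requirement is a handshake setting and is not covered here.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)
// The two OIDs named in the statement: the standardized id-pe-acmeIdentifier and the draft-era one.
var OIDAcmeIdentifier = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31}
var OIDAcmeIdentifierLegacy = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 30, 1}
// MakeChallengeCert builds the self-signed TLS-ALPN-01 certificate (SAN = identifier, critical extension under oid holding SHA-256(keyAuthz) as an OCTET STRING) and returns its DER encoding.
func MakeChallengeCert(identifier, keyAuthz string, oid asn1.ObjectIdentifier) ([]byte, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(keyAuthz))
	extVal, _ := asn1.Marshal(digest[:]) // marshalling a []byte as OCTET STRING cannot fail
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		DNSNames:        []string{identifier},
		NotBefore:       time.Now(),
		NotAfter:        time.Now().Add(time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: oid, Critical: true, Value: extVal}},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
}
// CheckChallengeCert applies the post-fix rule: reject the legacy OID outright, and accept only a critical standardized extension whose value is SHA-256 of the key authorization.
func CheckChallengeCert(der []byte, keyAuthz string) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	digest := sha256.Sum256([]byte(keyAuthz))
	want, _ := asn1.Marshal(digest[:])
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(OIDAcmeIdentifierLegacy) {
			return errors.New("legacy OID 1.3.6.1.5.5.7.1.30.1 is no longer accepted")
		}
		if ext.Id.Equal(OIDAcmeIdentifier) && ext.Critical && string(ext.Value) == string(want) {
			return nil
		}
	}
	return errors.New("no critical acmeIdentifier extension matching the key authorization")
}
```

A client that still builds its certificate with the legacy OID fails the check with the first error, which is the breakage the statement describes.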