
Let's Encrypt: TLS-ALPN-01 Revocations (URGENT)

Description: 

Let's Encrypt planned a revocation of certain certificates on 28 January 2022 [1].

If you are using Let's Encrypt, your web services may no longer be accessible with most web browsers after 28 January 2022!

Affected users should have been informed by email by Let's Encrypt. We recommend following the steps below before 28 January 2022 on all Airlock Gateway systems where Let's Encrypt is in use.

[1] https://community.letsencrypt.org/t/170449

Workaround: 

Step 1) Set the following global Apache Expert Setting in the Configuration Center ("Expert Settings" - "Security Gate / Apache" - "Apache") on every Airlock Gateway using Let's Encrypt.

MDRenewWindow 88d

Step 2) Activate the configuration.

All Let's Encrypt certificates should now be renewed within a few minutes. 

Step 3) Remove the Expert Setting from step 1 and activate the configuration again once all certificates have been renewed, e.g. after 24 hours. See the following section to verify the renewal of the certificates. This step is important because otherwise your certificates will be renewed every 2 days (90d default validity - 88d expert setting = 2d).

Verify Renewal

The renewal can be verified in a browser by checking the issuing date (Not Before) of the domain certificate. See the example screenshot below:

Alternatively, the following shell command can be run on the Airlock Gateway to check the issuing date of all Let's Encrypt certificates on the system:

for i in /var/airlock/ext-apache/md/domains/*/pubcert.pem; do echo -n "$i: "; openssl x509 -in "$i" -noout -text | grep Before; done

Example output:

/var/airlock/ext-apache/md/domains/ciphertest.ergon.ch/pubcert.pem:             Not Before: Jan 22 15:16:54 2022 GMT

The issuing date (Not Before) of a renewed certificate is set to the actual renewal time minus 1 hour, so a certificate renewed shortly after activating the setting shows a Not Before value slightly earlier than the activation time.
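The one-liner above prints the Not Before date of every certificate but leaves the comparison to the reader. The script below is an added example (it is not part of the Airlock knowledge base article) that turns the check into a pass/fail verdict per certificate: it reads the Not Before value with openssl x509 -startdate, converts it into a sortable numeric key without relying on GNU date, and flags certificates whose Not Before is still older than a cutoff. The certificate directory is the one from the article; the CUTOFF value is an assumed example and should be set to roughly one hour before you activated MDRenewWindow 88d, because of the one-hour backdating mentioned above. The sample date strings in the tests are constructed.

```shell
#!/bin/sh
# Added example: verify that mod_md-managed Let's Encrypt certificates on an
# Airlock Gateway were reissued after a given cutoff. Not from the KB article.

# Assumed example cutoff: set this to about one hour before MDRenewWindow 88d
# was activated (Let's Encrypt backdates Not Before by one hour).
CUTOFF="2022-01-22 00:00:00"

# Directory layout from the article.
MD_DIR="/var/airlock/ext-apache/md/domains"

# month_num "Jan" -> 01 ; returns 1 for an unknown month name
month_num() {
  case "$1" in
    Jan) echo 01;; Feb) echo 02;; Mar) echo 03;; Apr) echo 04;;
    May) echo 05;; Jun) echo 06;; Jul) echo 07;; Aug) echo 08;;
    Sep) echo 09;; Oct) echo 10;; Nov) echo 11;; Dec) echo 12;;
    *) return 1;;
  esac
}

# openssl_date_key "Jan 22 15:16:54 2022 GMT" -> 20220122151654
# openssl prints dates as "Mon DD HH:MM:SS YYYY GMT" (day may be padded with
# an extra space); word splitting below absorbs the padding.
openssl_date_key() {
  set -- $1
  mon=$(month_num "$1") || return 1
  day=$(printf '%02d' "$2")
  hms=$(echo "$3" | tr -d ':')
  echo "$4$mon$day$hms"
}

# cutoff_key "2022-01-22 00:00:00" -> 20220122000000
cutoff_key() {
  echo "$1" | tr -d ' :-'
}

# classify_not_before "<openssl notBefore value>" "<cutoff>"
# prints "renewed" if Not Before >= cutoff, "needs-renewal" otherwise.
classify_not_before() {
  nb=$(openssl_date_key "$1") || { echo unparseable; return 1; }
  if [ "$nb" -ge "$(cutoff_key "$2")" ]; then
    echo renewed
  else
    echo needs-renewal
  fi
}

# check_cert_file <pubcert.pem>: prints "<file>: <Not Before> <verdict>".
# -startdate is a real openssl x509 option that prints "notBefore=<date>".
check_cert_file() {
  nb=$(openssl x509 -in "$1" -noout -startdate | sed 's/^notBefore=//')
  echo "$1: $nb $(classify_not_before "$nb" "$CUTOFF")"
}

# Scan all mod_md domains when run with --scan (kept opt-in so the functions
# can also be sourced and used individually).
if [ "${1:-}" = "--scan" ]; then
  for f in "$MD_DIR"/*/pubcert.pem; do
    [ -f "$f" ] && check_cert_file "$f"
  done
fi
```

Run it as sh check_md_certs.sh --scan on the gateway after step 2; every line should end in "renewed" before you remove the Expert Setting in step 3. Any line ending in "needs-renewal" identifies a domain whose certificate mod_md has not yet reissued.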
