Let's Encrypt planned a revocation on 28 January 2022 for certain certificates [1].
If you are using Let's Encrypt, your web services may no longer be accessible with most web browsers after 28 January 2022!
Affected users should be informed by email by Let's Encrypt. We recommend following the steps below before 28 January 2022 for all Airlock Gateway systems where Let's Encrypt is in use.
[1] https://community.letsencrypt.org/t/170449
Step 1) Set the following global Apache Expert Setting in the Configuration Center ("Expert Settings" - "Security Gate / Apache" - "Apache") on every Airlock Gateway using Let's Encrypt.
MDRenewWindow 88d
Step 2) Activate the configuration.
All Let's Encrypt certificates should now be renewed within a few minutes.
Step 3) After all certificates are renewed (e.g. after 24 hours), remove the Expert Setting from step 1 and activate the configuration again. See the following section to verify the renewal of the certificates. This step is important because otherwise your certificates will be renewed every 2 days (90d default validity - 88d expert setting = 2d).
The renewal can be verified using a browser by checking the issuing date of the domain certificate. See example screenshot below:
Alternatively, the following shell command can be used on Airlock Gateway to check the issuing date of all Let's Encrypt certificates on the system:
for i in /var/airlock/ext-apache/md/domains/*/pubcert.pem; do echo -n "$i: "; openssl x509 -in "$i" -noout -text | grep Before; done
Example output:
/var/airlock/ext-apache/md/domains/ciphertest.ergon.ch/pubcert.pem: Not Before: Jan 22 15:16:54 2022 GMT
The issuing date of the renewed certificate is set to the current renewal time minus 1 hour.
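On a gateway with many domains, the listing above can be filtered against a cutoff time so that only certificates that were not renewed are shown. The following is an added example, not part of the original article or of Airlock's tooling; the function names list_not_before and not_renewed, the YYYYMMDDHHMMSS cutoff format and the old.example.com sample line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Airlock tooling. Lists certificates whose "Not Before"
# date is older than a cutoff, i.e. certificates that were not renewed yet.

# list_not_before [DIR]: the article's loop; DIR defaults to the article's path.
list_not_before() {
    for i in "${1:-/var/airlock/ext-apache/md/domains}"/*/pubcert.pem; do
        [ -f "$i" ] || continue
        printf '%s: ' "$i"
        openssl x509 -in "$i" -noout -text | grep 'Not Before'
    done
}

# not_renewed CUTOFF: reads "<path>: Not Before: Mon DD HH:MM:SS YYYY GMT"
# lines on stdin and prints the paths issued before CUTOFF.
# CUTOFF is GMT as YYYYMMDDHHMMSS (format assumed for this example).
not_renewed() {
    awk -v cutoff="$1" '
    BEGIN {
        n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= n; i++) mon[m[i]] = i
    }
    /Not Before:/ {
        path = $0; sub(/:[ \t]*Not Before:.*/, "", path)
        rest = $0; sub(/.*Not Before:[ \t]*/, "", rest)
        split(rest, f, /[ \t]+/)      # f = Mon, DD, HH:MM:SS, YYYY, GMT
        if (!(f[1] in mon)) next      # skip lines that do not parse
        t = f[3]; gsub(/:/, "", t)
        stamp = sprintf("%04d%02d%02d%s", f[4], mon[f[1]], f[2], t)
        # Both values are fixed-width digit strings, so string order = time order.
        if ((stamp "") < (cutoff "")) print path
    }'
}

# Constructed sample input: line 1 is the article example output, line 2 is
# a made-up older certificate with the padding openssl prints.
SAMPLE='/var/airlock/ext-apache/md/domains/ciphertest.ergon.ch/pubcert.pem: Not Before: Jan 22 15:16:54 2022 GMT
/var/airlock/ext-apache/md/domains/old.example.com/pubcert.pem:             Not Before: Dec  3 09:00:00 2021 GMT'

printf '%s\n' "$SAMPLE" | not_renewed 20220122000000
# On the gateway: list_not_before | not_renewed 20220122000000
```

Choose a cutoff at least one hour before the configuration was activated in step 2, because the issuing date is set to the renewal time minus 1 hour. Empty output means every certificate was issued at or after the cutoff.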