Let’s Encrypt revokes recently issued ALPN certificates
Let’s Encrypt will begin revoking recently issued SSL and TLS certificates on Friday. The certificate authority is doing so after vulnerabilities were discovered in the web domain authentication method. That method has been changed, but recent certificates need to be reissued.
Let’s Encrypt writes that it will start revoking certain certificates on January 28 at 3 PM. The revocation takes place over a period of five days. It concerns all certificates created before January 25 at 23:48 using the TLS-ALPN-01 method. Let’s Encrypt does not say how many certificates are involved, but estimates that it is ‘less than one percent’ of all active certificates that the authority has issued. Administrators will be notified if their email address is known to Let’s Encrypt, but many website administrators rely on their hosting provider for their certificates.
According to Let’s Encrypt, there is “an irregularity” in the “TLS Using ALPN” validation method that it uses to verify domains. The method contained two errors, which Let’s Encrypt does not elaborate on much but says it has corrected. TLS-ALPN-01 is a validation method that is not used by default in Certbot. Administrators can use the method to validate ALPN certificates. The feature was temporarily disabled but is now working again, Let’s Encrypt says.