Let's Encrypt revokes all TLS-ALPN-01 validated certs

Good Morning,

I believe a lot of people got something like that today:

Hello,

Please immediately renew your TLS certificate(s) that were issued from
Let’s Encrypt using the TLS-ALPN-01 validation method and the following
ACME registration (account) ID(s):

xxxxx

We’ve determined that an error made it possible for TLS-ALPN-01
challenges, completed before today, to not comply with certificate
issuance requirements. We have remediated this problem and will revoke
all unexpired certificates that used this validation method at 16:00 UTC
on 28 January 2022. Please renew your certificates now to ensure an
uninterrupted experience for your site visitors.

We apologize for any inconvenience this may cause. If you need support
in the renewal process, please comment on our forum post. Our staff and
community members are available to help:

Questions about Renewing before TLS-ALPN-01 Revocations - Help - Let's Encrypt Community Support

Thank you,

The Let’s Encrypt Team

Is there a way to --force-renew our certs for the proxy admin page? I can see the certs for the tunnels, but not for the admin page itself in boringproxy_db.json.

Thanks for the heads up! This is the first I’ve heard of this. Unfortunately there’s not a way to do this from the UI. Might need to add it.

boringproxy uses certmagic under the hood. You can delete certs manually by removing them from ~/.local/share/certmagic. Should be safe to delete the entire directory (maybe back it up first).


Hi @anders

Thank you for your feedback. Yes, I believe the guys over at Let's Encrypt are having a bad day 🙂

Your suggestion worked like a charm:

systemctl stop boringproxy-server
mv /home/boringproxy/.local/share/certmagic{,.bak}
systemctl start boringproxy-server
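Added example, not part of the original thread or of boringproxy: after moving the certmagic directory aside and restarting, this checks that each hostname now serves a certificate issued after the reset, allowing for the roughly one hour by which Let's Encrypt backdates `notBefore`. The hostnames, dates and reset time in the sample data are constructed.

```python
import socket
import ssl
import sys
from datetime import datetime, timedelta, timezone

# Let's Encrypt backdates notBefore by about one hour, so a certificate issued
# right after the reset can carry a notBefore slightly earlier than the reset.
BACKDATE_SLACK = timedelta(hours=1, minutes=5)


def not_before(cert):
    """notBefore of a getpeercert()-style dict as an aware UTC datetime."""
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def reissued_since(cert, reset_time):
    """True if the certificate was issued after the storage reset."""
    return not_before(cert) >= reset_time - BACKDATE_SLACK


def stale_hosts(certs_by_host, reset_time):
    """Hostnames still serving a certificate that predates the reset."""
    return sorted(h for h, c in certs_by_host.items()
                  if not reissued_since(c, reset_time))


def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the certificate a live server presents (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample data: hostnames, dates and reset time are illustrative.
SAMPLE_RESET = datetime(2022, 1, 26, 12, 0, tzinfo=timezone.utc)
SAMPLE_CERTS = {
    "admin.example.com": {"notBefore": "Jan 26 11:03:10 2022 GMT"},   # reissued
    "tunnel.example.com": {"notBefore": "Dec 20 08:15:00 2021 GMT"},  # old cert
}

if __name__ == "__main__":
    # Usage: script.py <reset time, ISO 8601 UTC> host [host ...]
    reset = datetime.fromisoformat(sys.argv[1]).replace(tzinfo=timezone.utc)
    live = {h: fetch_cert(h) for h in sys.argv[2:]}
    for host in stale_hosts(live, reset):
        print(f"{host}: still serving a certificate issued {not_before(live[host])}")
```

Any hostname it prints is still presenting a certificate from before the reset, which means the old storage was not actually replaced for that name.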