natemcmaster / LettuceEncrypt

Free, automatic HTTPS certificate generation for ASP.NET Core web apps
https://nuget.org/packages/LettuceEncrypt
Apache License 2.0

[Question] How to renew certificates to fix Let's Encrypt revocations bug #238

Closed GabrielMajeri closed 2 years ago

GabrielMajeri commented 2 years ago

I've received the following e-mail this morning, from Let's Encrypt, related to an ASP.NET Core web app I'm securing using LettuceEncrypt. It's related to a problem they had with the TLS-ALPN-01 challenge method:

Please immediately renew your TLS certificate(s) that were issued from
Let's Encrypt using the TLS-ALPN-01 validation method and the following
ACME registration (account) ID(s):

 <censored>

We've determined that an error made it possible for TLS-ALPN-01
challenges, completed before today, to not comply with certificate
issuance requirements. We have remediated this problem and will revoke
all unexpired certificates that used this validation method at 16:00 UTC
on 28 January 2022. Please renew your certificates now to ensure an
uninterrupted experience for your site visitors.

We apologize for any inconvenience this may cause. If you need support
in the renewal process, please comment on our forum post. Our staff and
community members are available to help:

https://community.letsencrypt.org/t/170449

Thank you,

The Let's Encrypt Team

Do you have some recommendations on how this will affect LettuceEncrypt users? Is there anything I can do to help/force LettuceEncrypt to renew the certificate, as requested by Let's Encrypt? I've tried looking it up in the README, but it's not very clear how I can do this (without deleting all my existing certificates, which might not be the right solution?)

lawrence-laz commented 2 years ago

Just went through the process for the same reasons so thought I would share.

  1. I was persisting certs locally, so if you are doing it differently it might not work:
    services
      .AddLettuceEncrypt()
      .PersistDataToDirectory(Directory.CreateDirectory("/data/lets-encrypt"), "secret");
  2. Rename your certs folder:
    mv /data/lets-encrypt/certs /data/lets-encrypt/certs_old
  3. Restart application:
    systemctl restart my-app
  4. View logs, cert should be recreated
    [18:36:50 INF] Created certificate CN=my-app.com (OIHIUHEFIUOWEHFOIUH#$I@UH$OI@U#H$)
    Created certificate CN=my-app.com (EFWF@#$F$#GT#$T$#T#$T$#F)
    info: LettuceEncrypt.Internal.AcmeStates.ServerStartupState[0]
    [18:36:47 INF] Creating certificate for my-app.com
    Creating certificate for my-app.com
    info: LettuceEncrypt.Internal.AcmeStates.ServerStartupState[0]
  5. Check folder for a new cert
    ls /data/lets-encrypt/certs
  6. Check for connection in browser, make sure that cert's issue day is today
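
The steps above scripted end to end, with step 6 automated, as an added example that is not part of this issue or of LettuceEncrypt. It assumes the same `/data/lets-encrypt` directory passed to `PersistDataToDirectory` and the same `my-app` systemd unit as in the steps (both placeholders), and it checks the served certificate's `notBefore` against a cutoff you pass, such as the time you restarted.

```shell
#!/bin/sh
# Added example, not LettuceEncrypt code: scripts the forced renewal above and
# checks that the certificate now served was issued on or after a cutoff,
# so a certificate that is still due for revocation is noticed.
set -e

DATA_DIR="${DATA_DIR:-/data/lets-encrypt}"   # placeholder from PersistDataToDirectory
SERVICE="${SERVICE:-my-app}"                 # placeholder systemd unit name

# Steps 2 and 3: move the certs aside (dated backup, nothing deleted) and
# restart; LettuceEncrypt finds no certificate at startup and requests one.
force_renew() {
  mv "$DATA_DIR/certs" "$DATA_DIR/certs_old_$(date -u +%Y%m%dT%H%M%SZ)"
  systemctl restart "$SERVICE"
}

# Turn an openssl date ("Jan 28 16:00:00 2022 GMT") into a sortable
# YYYYMMDDhhmmss number in plain POSIX sh (no GNU 'date -d' required).
sortable_date() {
  set -- $1
  case "$1" in
    Jan) m=01;; Feb) m=02;; Mar) m=03;; Apr) m=04;; May) m=05;; Jun) m=06;;
    Jul) m=07;; Aug) m=08;; Sep) m=09;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
    *) return 1;;
  esac
  printf '%s%s%02d%s\n' "$4" "$m" "$2" "$(echo "$3" | tr -d :)"
}

# notBefore of the certificate actually served on $1:443 (SNI set to $1).
served_not_before() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -startdate | sed 's/^notBefore=//'
}

# Succeeds when notBefore ($1) is not earlier than the cutoff ($2), both in
# openssl's date format; pass the time you restarted as the cutoff.
issued_on_or_after() {
  [ "$(sortable_date "$1")" -ge "$(sortable_date "$2")" ]
}

# Step 6, automated: fail if the served certificate predates the cutoff.
verify_renewal() {
  nb="$(served_not_before "$1")"
  if issued_on_or_after "$nb" "$2"; then
    echo "OK: $1 serves a certificate issued $nb"
  else
    echo "STILL OLD: $1 serves a certificate issued $nb (cutoff: $2)" >&2
    return 1
  fi
}
```

Typical use is `force_renew` followed by `verify_renewal my-app.com "$(date -u '+%b %d %H:%M:%S %Y GMT')"` captured just before the restart; a non-zero exit means the old certificate is still being served.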

GabrielMajeri commented 2 years ago

Thank you, @lawrence-laz! This solution works perfectly.

I'll ask @natemcmaster to close this issue if they don't have a suggestion for a different way of force-renewing the certificate, and maybe to pin this issue to help other interested people find it.

natemcmaster commented 2 years ago

Deleting the certs folder and restarting the server is the mechanism I would recommend, too. Thanks for sharing the details, @lawrence-laz

GabrielMajeri commented 2 years ago

Great! I'm closing this, then.