科技回声
Issue with TLS-ALPN-01 Validation Method

164 points, by kpetermeni, over 3 years ago

8 comments

therealunreal, over 3 years ago
No action necessary for Caddy: https://twitter.com/caddyserver/status/1486226944597233664
mastax, over 3 years ago
Wonder how many ACME deployments check for revocation, rather than just being on an infrequent cron job? What proportion of affected certificates will be automatically renewed with no effort?

Looking at a few docs, probably not many. In any case there isn't (?) an in-band way to tell the clients that the cert is going to be revoked before it is revoked, so there would be some disruption.
hannob, over 3 years ago
Can anyone make sense of what they're trying to tell there?

They found some issue ("irregularities") and made 2 changes, but the changes are merely restricting the TLS version to 1.2 and deprecating an old OID identifier. While TLS < 1.2 certainly is not ideal, I don't see how this would impact the ACME validation, and the old OID should be irrelevant as well.

(I have been somewhat concerned about the security properties of the acme/alpn validation for unrelated other reasons, but haven't been able to pin that down to a specific threat - notably the RFC implies that the security is improved due to strict ALPN validation, which in practice usually does not happen.)

Update: RFC 8737 (the ALPN validation method) says "ACME servers that implement "acme-tls/1" MUST only negotiate TLS 1.2". So maybe this is "just" a policy issue?
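Added example, not from the thread or from any ACME implementation: a standard-library Go sketch of the acme-tls/1 validation certificate that RFC 8737 section 3 describes, paired with the checks an ACME server applies to it. Only the RFC's id-pe-acmeIdentifier OID is matched, so a certificate carrying any other OID for that extension fails the check; the function names and the sample identifier and key authorization are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)

// id-pe-acmeIdentifier (RFC 8737 section 6.1): the only acmeIdentifier OID accepted below.
var oidACMEIdentifier = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31}
// NewValidationCert builds the self-signed acme-tls/1 certificate of RFC 8737 section 3: one dNSName SAN plus a critical acmeIdentifier extension holding SHA-256(keyAuthz).
func NewValidationCert(domain, keyAuthz string) ([]byte, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // throwaway key for the challenge only
	digest := sha256.Sum256([]byte(keyAuthz))
	ext, _ := asn1.Marshal(digest[:]) // DER OCTET STRING carrying the digest
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: []string{domain},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: oidACMEIdentifier, Critical: true, Value: ext}},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}

// CheckValidationCert applies the checks an ACME server makes on that certificate: exactly one SAN equal to the identifier, and a critical acmeIdentifier extension matching keyAuthz.
func CheckValidationCert(der []byte, domain, keyAuthz string) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	if len(cert.DNSNames) != 1 || cert.DNSNames[0] != domain {
		return errors.New("subjectAltName must contain exactly the validated dNSName")
	}
	got, want := []byte(nil), sha256.Sum256([]byte(keyAuthz))
	for _, e := range cert.Extensions {
		if !e.Id.Equal(oidACMEIdentifier) {
			continue // SAN and other extensions are fine; a legacy acmeIdentifier OID never matches
		}
		if _, err := asn1.Unmarshal(e.Value, &got); err != nil || !e.Critical || string(got) != string(want[:]) {
			return errors.New("acmeIdentifier must be a critical OCTET STRING equal to SHA-256(keyAuthz)")
		}
		return nil
	}
	return errors.New("acmeIdentifier extension (RFC 8737 OID) absent")
}
```

The TLS side of the same RFC (only TLS 1.2 negotiated, ALPN exactly "acme-tls/1", SNI equal to the identifier) is checked on the connection, not on the certificate, and is not shown here.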
LukeLambert, over 3 years ago
This is the second security issue with a TLS-based challenge [1]. This was a good reminder to switch to the HTTP challenge for the one remaining server I had that was affected.

[1] https://letsencrypt.org/docs/challenge-types/#tls-sni-01
Aissen, over 3 years ago
Small feedback for the letsencrypt folk: I got the email saying that I have two ACME account ids affected. It would have been nice to know which domains are (even if it's just the first ~10 or so per account).
xg15, over 3 years ago
What I don't quite get with all the certificate automation: Doesn't this all effectively just shift the "source of truth" to DNS?

Back when certificates were issued manually, a CA was also verifying that the requesting party was actually who they were claimed to be IRL - hence EV certificates and all that.

What LE and friends verify on the other hand is simply that the entity that requests a certificate also controls the DNS entry at that point in time - or at least controls some of the servers that are listed in the A/AAAA records.

For one of the infamous Authoritarian Governments, it should be no problem at all to obtain an LE certificate for any domain under their ccTLD. Just use the DNS challenge, then instruct the country's registrar to change the DNS record for the domain of interest.

Isn't that a massive centralisation compared to the old system?
juriansluiman, over 3 years ago
As my Traefik setup is affected, I cleared the `acme.json` and let Traefik get new certificates for all services.

Seems LE is pretty busy right now, got timeouts flying around everywhere.
hafkensite, over 3 years ago
My traefik setup is affected, should not be too difficult to refresh. It's automated anyway.