Let's Encrypt revocations affecting TLS-ALPN-01 certificates

On 26 January 2022, Let’s Encrypt notified subscribers that most certificates issued in the last 90 days and validated with the TLS-ALPN-01 challenge would be revoked on 28 January 2022 and should be renewed immediately. This revocation only affects certificates issued and validated with the TLS-ALPN-01 challenge.

This is the official communication from Let’s Encrypt:

We’ve determined that an error made it possible for TLS-ALPN-01 challenges, completed before today, to not comply with certificate issuance requirements. We have remediated this problem and will revoke all unexpired certificates that used this validation method at 16:00 UTC on 28 January 2022. Please renew your certificates now to ensure an uninterrupted experience for your site visitors.

We apologize for any inconvenience this may cause. If you need support in the renewal process, please comment on our forum post. Our staff and community members are available to help:

https://community.letsencrypt.org/t/170449

In our case and the case of our customers, the impact is limited to the certificates used by the Teleport servers and the ones managed by Caddy servers. Certificates in Kubernetes clusters are not affected as cert-manager doesn’t use the TLS-ALPN-01 validation method to request certificates from Let’s Encrypt.

We’ve already renewed the certificates on all Teleport servers and triggered our Caddy servers to generate new whitelabel and customer certificates. All Let’s Encrypt certificates are now good to go, and no action is required on your side.