はてなブックマーク

We have made two changes to the way that our TLS-ALPN-01 challenge validation works. These changes will only affect clients that specifically use TLS-ALPN-01; for example, it is not a default choice in Certbot. First, we now guarantee that our client which reaches out to conduct the “acme-tls/1” handshake will negotiate TLS version 1.2 or higher. If your ACME client or integration only supports a

For compatibility with older Android devices, we'll be relying on a signature from an expired root, which is supported by Android. However, as Ryan Sleevi points out in “Path Building vs Path Verifying,” older versions of OpenSSL will reject a certificate chain that includes a signature by an expired root, even if OpenSSL could validate the chain by ignoring that certificate. Let’s Encrypt is not

[Edit September 2020: I’ve updated the change date in this post to refer to the current plan, to make it easier to find] We’re going to delay the transition to ISRG’s root a little further, to January 11 2021. The patterns of Android adoption have not significantly improved since last year. According to numbers from Android Studio, only 66% of Android users are on version 7.1 or above, which inclu

On 2020-02-29 UTC, Let’s Encrypt found a bug in our CAA code. Our CA software, Boulder, checks for CAA records at the same time it validates a subscriber’s control of a domain name. Most subscribers issue a certificate immediately after domain control validation, but we consider a validation good for 30 days. That means in some cases we need to check CAA records a second time, just before issuance

[Update 2020-03-05: The most up-to-date summary is at 2020.02.29 CAA Rechecking Bug] Due to the 2020.02.29 CAA Rechecking Bug, we unfortunately need to revoke many Let’s Encrypt TLS/SSL certificates. We’re e-mailing affected subscribers for whom we have contact information. This post and thread will collect answers to frequently asked questions about this revocation, and how to avoid problems by r

On Wednesday February 19th, 2020 we’ll turn on stricter validation requirements in production. We’ll make multiple validation requests from different network perspectives. Most issuance should continue as normal; we believe that a small number of domain names may need fixing. The most common issue will be hosts that use extremely strict firewall rules to allow validation from only specified IP add

Summary As of November 15th, 2018 our DNS resolvers (both staging and production) advertise an EDNS reassembly buffer size of 512 bytes. This change should not require any adjustment by subscribers. Background Previously we shared our initial thoughts on a potential mitigation to help defend against DNS fragmentation attacks. By reducing the maximum size of responses we’re willing to accept over U

We’re pleased to announce that ACMEv2 and wildcard certificate support is live! With today’s new features we’re continuing to break down barriers for HTTPS adoption across the Web by making it even easier for every website to get and manage certificates. ACMEv2 is an updated version of our ACME protocol which has gone through the IETF standards process, taking into account feedback from industry e

[Update 2018-01-18: The most up-to-date summary is at IMPORTANT: What you need to know about TLS-SNI validation issues] Please see this post for background information. The last 48 hours have been a busy time for Let’s Encrypt staff. We’ve been working hard to come up with a plan for ACME TLS-SNI validation that sufficiently protects the integrity of Web PKI while minimizing problems for people an

[Update 2018-01-18: The most up-to-date summary is at IMPORTANT: What you need to know about TLS-SNI validation issues] At approximately 5 p.m. Pacific time on January 9, 2018, we received a report from Frans Rosén of Detectify outlining a method of exploiting some shared hosting infrastructures to obtain certificates for domains he did not control, by making use of the ACME TLS-SNI-01 challenge t

Update: Please see the full final report here. On June 11 2016 (UTC), we started sending an email to all active subscribers who provided an email address, informing them of an update to our subscriber agreement. This was done via an automated system which contained a bug that mistakenly prepended between 0 and 7,618 other email addresses to the body of the email. The result was that recipients cou

As previously announced in Ending OCSP Support in 2025, Let’s Encrypt has now disabled support for requesting certificates with the OCSP Must-Staple extension. Accounts that requested a Must-Staple certificate after Octo…