Action required: update your Upspin servers


Andrew Gerrand

Jan 15, 2018, 8:13:08 PM
to Upspin

If you have not deployed an Upspin server then you can stop reading now.


The recent discovery of a security vulnerability in the Let's Encrypt tls-sni-01 challenge protocol has led the Let's Encrypt Certificate Authority to cease validating requests using tls-sni.


Upspin servers previously used tls-sni-01 to obtain TLS certificates, and they have now been updated to use the recommended http-01 challenge instead. For the http-01 challenge to work, servers must listen on ports 80 and 443 (instead of just 443, as before).


Upspin servers that use the built-in Let's Encrypt support (including upspinservers deployed using upspin-ui) must be updated, or they may not be able to obtain or renew TLS certificates (making the servers unusable).


If you deployed upspinserver to Google Cloud Platform using upspin-ui, run this script, which adjusts the firewall and startup scripts to permit access on port 80.


If you deployed upspinserver by another method, please build from the latest sources, update your server, and configure any firewalls or proxies to pass ports 80 and 443. (You can do this on GCP through the Cloud Console. Find the Compute instance, click edit "VM instance details", and under the "Firewalls" heading check the box for "Allow HTTP traffic.")


For Upspin-specific details about the update, see issue 568.


Sorry for the trouble.

Andrew

on behalf of the Upspin team
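
A preflight check for the port requirement described in the message above, as an added example that is not part of the original post and is not Upspin code. The names `probeHTTP01` and `preflight` and the probe token are assumptions made for illustration; the `/.well-known/acme-challenge/` path is where ACME http-01 validation requests arrive. Run it from a machine outside the server's network so that firewalls and proxies are in the path.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"os"
	"time"
)

// probeHTTP01 makes the request an ACME http-01 validator makes: a plain-HTTP
// GET under /.well-known/acme-challenge/ (here with a made-up token). Any HTTP
// response, even a 404 or an unfollowed redirect, shows the port answers.
func probeHTTP01(addr string, timeout time.Duration) error {
	client := &http.Client{
		Timeout:       timeout,
		Transport:     &http.Transport{DisableKeepAlives: true},
		CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse },
	}
	resp, err := client.Get("http://" + addr + "/.well-known/acme-challenge/preflight-probe")
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// preflight checks both listeners and returns one message per problem found.
func preflight(host, httpPort, tlsPort string, timeout time.Duration) []string {
	var problems []string
	if err := probeHTTP01(net.JoinHostPort(host, httpPort), timeout); err != nil {
		problems = append(problems, fmt.Sprintf("port %s (http-01): %v", httpPort, err))
	}
	// TCP connect only: the server may not hold a certificate yet.
	if conn, err := net.DialTimeout("tcp", net.JoinHostPort(host, tlsPort), timeout); err != nil {
		problems = append(problems, fmt.Sprintf("port %s (TLS): %v", tlsPort, err))
	} else {
		conn.Close()
	}
	return problems
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: preflight <hostname>")
		os.Exit(2)
	}
	for _, p := range preflight(os.Args[1], "80", "443", 5*time.Second) {
		fmt.Println("FAIL:", p)
	}
}
```

No output means both ports answered; each `FAIL:` line names the port that a firewall, proxy or missing listener is blocking.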


