Let's Encrypt issue affects Upspin servers


Andrew Gerrand

Jan 10, 2018, 5:31:23 PM
to Upspin
If you don't operate an Upspin server you can stop reading now.

In response to a security issue, the Let's Encrypt certificate authority has ceased responding to tls-sni challenge requests. This is the mechanism that most Upspin servers use to obtain TLS certificates.

Until Let's Encrypt changes their policy, or we roll out a change to use a different mechanism, Upspin servers will be unable to obtain TLS certificates. That means that newly deployed Upspin servers will not work, and that existing Upspin servers will not be able to renew their TLS certificates.

To check the expiry of an existing cert, visit https://your-server-address in a web browser and click the lock icon beside the URL. It should look something like this:



The Upspin key server (key.upspin.io) and web site are unaffected by this (their certs don't expire for a month or more). 

Stay tuned for more information.

Andrew

(See this article for more details on the vulnerability.)
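
For operators who would rather check expiry from a terminal than a browser, the check described in the message above can be scripted. This is an added Go example, not part of the original post or of Upspin's code; the function names and the 30-day `renewWindow` threshold are assumptions chosen for illustration.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"os"
	"time"
)

// renewWindow is an assumed threshold; set it to match your ACME client.
const renewWindow = 30 * 24 * time.Hour

// notAfter dials addr (host:port) with normal certificate verification and
// returns the expiry time of the leaf certificate the server presents.
func notAfter(addr string) (time.Time, error) {
	d := &net.Dialer{Timeout: 10 * time.Second}
	conn, err := tls.DialWithDialer(d, "tcp", addr, &tls.Config{})
	if err != nil {
		return time.Time{}, err // an already expired cert is reported here
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0].NotAfter, nil
}

// status classifies an expiry time relative to now.
func status(expiry, now time.Time) string {
	left := expiry.Sub(now)
	switch {
	case left <= 0:
		return "EXPIRED"
	case left <= renewWindow:
		return fmt.Sprintf("RENEWAL DUE: %d days left", int(left.Hours()/24))
	default:
		return fmt.Sprintf("OK: %d days left", int(left.Hours()/24))
	}
}

// Usage: go run certexpiry.go your-server-address:443
func main() {
	for _, addr := range os.Args[1:] {
		exp, err := notAfter(addr)
		if err != nil {
			fmt.Printf("%s: error: %v\n", addr, err)
			continue
		}
		fmt.Printf("%s: expires %s, %s\n", addr, exp.Format(time.RFC3339), status(exp, time.Now()))
	}
}
```

A server reported as `RENEWAL DUE` is one whose renewal will fail for as long as the challenge it relies on stays disabled.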



David Presotto

Jan 10, 2018, 6:16:18 PM
to Andrew Gerrand, Upspin
From https://community.letsencrypt.org/t/2018-01-09-issue-with-tls-sni-01-and-shared-hosting-infrastructure/49996

Update #1: We have decided to re-enable the TLS-SNI-01 challenge for certain major providers who are known not to have issues while we investigate re-enabling TLS-SNI-01 in general. We’re doing this as a safe way to restore service faster for a large number of sites.

Of course they don't say which providers those are...

