Most certificates managed by autocert require manual renewal

1552 views
Skip to first unread message

Roland Shoemaker

unread,
Jan 26, 2022, 7:09:27 PMJan 26
to golan...@googlegroups.com
Hello gophers,

The Let’s Encrypt certificate authority is revoking all certificates issued with the TLS-ALPN-01 verification method before 00:48 UTC on 26 January 2022 due to a compliance issue. (Read more in the Let’s Encrypt announcement.) As TLS-ALPN-01 is the preferred and default verification method used by golang.org/x/crypto/acme/autocert, most certificates managed by autocert will be revoked beginning at 16:00 UTC on 28 January 2022. This will cause connection errors on some platforms.

We recommend updating the golang.org/x/crypto module to version v0.0.0-20220126234351-aa10faf2a1f8 (or later), which will automatically renew potentially affected certificates issued before Let’s Encrypt deployed their fix.

Alternatively, delete ALL files in the autocert cache EXCEPT "acme_account+key" or "acme_account.key", and restart the application. If using autocert.NewListener on Linux, the cache is located at $XDG_CACHE_HOME/golang-autocert or $HOME/.cache/golang-autocert.

In order to get notified of similar issues in the future, we recommend setting the Manager.Email field.

Cheers,
Go Security team
Reply all
Reply to author
Forward
0 new messages