[Question] How to renew certificates to fix Let's Encrypt revocations bug #238

Closed
GabrielMajeri opened this issue Jan 26, 2022 · 4 comments

@GabrielMajeri

GabrielMajeri commented Jan 26, 2022

I've received the following e-mail this morning, from Let's Encrypt, related to an ASP.NET Core web app I'm securing using LettuceEncrypt. It's related to a problem they had with the TLS-ALPN-01 challenge method:

Please immediately renew your TLS certificate(s) that were issued from
Let's Encrypt using the TLS-ALPN-01 validation method and the following
ACME registration (account) ID(s):

 <censored>

We've determined that an error made it possible for TLS-ALPN-01
challenges, completed before today, to not comply with certificate
issuance requirements. We have remediated this problem and will revoke
all unexpired certificates that used this validation method at 16:00 UTC
on 28 January 2022. Please renew your certificates now to ensure an
uninterrupted experience for your site visitors.

We apologize for any inconvenience this may cause. If you need support
in the renewal process, please comment on our forum post. Our staff and
community members are available to help:

https://community.letsencrypt.org/t/170449

Thank you,

The Let's Encrypt Team

Do you have some recommendations on how this will affect LettuceEncrypt users? Is there anything I can do to help/force LettuceEncrypt to renew the certificate, as requested by Let's Encrypt? I've tried looking it up in the README, but it's not very clear how I can do this (without deleting all my existing certificates, which might not be the right solution?)

@lawrence-laz

lawrence-laz commented Jan 26, 2022

Just went through the process for the same reasons so thought I would share.

  1. I was persisting certs locally, so if you are doing it differently it might not work:
    services
      .AddLettuceEncrypt()
      .PersistDataToDirectory(Directory.CreateDirectory("/data/lets-encrypt"), "secret");
  2. Rename your certs folder:
    mv /data/lets-encrypt/certs /data/lets-encrypt/certs_old
  3. Restart application:
    systemctl restart my-app
  4. View logs, cert should be recreated
    [18:36:50 INF] Created certificate CN=my-app.com (OIHIUHEFIUOWEHFOIUH#$I@UH$OI@U#H$)
    Created certificate CN=my-app.com (EFWF@#$F$#GT#$T$#T#$T$#F)
    info: LettuceEncrypt.Internal.AcmeStates.ServerStartupState[0]
    [18:36:47 INF] Creating certificate for my-app.com
    Creating certificate for my-app.com
    info: LettuceEncrypt.Internal.AcmeStates.ServerStartupState[0]
  5. Check folder for a new cert
    ls /data/lets-encrypt/certs
  6. Check for connection in browser, make sure that cert's issue day is today
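A scripted version of step 6, added here as an example that is not part of the issue or of LettuceEncrypt: it fetches the served certificate and reports whether its NotBefore is on or after the remediation date in the notice quoted above, so an operator can confirm the restart really produced a new certificate rather than re-serving the old one. The remediation date is taken from the e-mail's date (26 Jan 2022, midnight UTC is an assumption); the sample certificates are constructed.

```python
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional

def utc(y, m, d, hh=0, mm=0, ss=0) -> datetime:
    return datetime(y, m, d, hh, mm, ss, tzinfo=timezone.utc)

# From the Let's Encrypt notice: challenges "completed before today" (e-mail dated 26 Jan 2022),
# revocation at 16:00 UTC on 28 Jan 2022. Midnight UTC on the 26th is an assumed cut-off.
REMEDIATION_DATE = utc(2022, 1, 26)
REVOCATION_DEADLINE = utc(2022, 1, 28, 16, 0)

def fetch_peer_cert(host: str, port: int = 443) -> dict:
    """Connect with normal chain validation; return the leaf cert in ssl.getpeercert() form."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def assess_cert(cert: dict, now: Optional[datetime] = None) -> dict:
    """Report whether a getpeercert()-shaped cert post-dates the remediation and is still valid."""
    now = now or datetime.now(timezone.utc)
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    return {
        "issuer_org": issuer.get("organizationName"),
        "not_before": not_before,
        # Issued on/after the remediation date: not caught by the TLS-ALPN-01 revocation.
        "renewed": not_before >= REMEDIATION_DATE,
        "currently_valid": not_before <= now < not_after,
        # Still serving a pre-remediation cert: it stops working at the deadline.
        "will_be_revoked": not_before < REMEDIATION_DATE and now < REVOCATION_DEADLINE,
    }

# Constructed samples (not real certificates): the pre-incident cert, and the cert the restart
# in step 4 would create, using the timestamp from the log line quoted above.
OLD_CERT = {
    "subject": ((("commonName", "my-app.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),)),
    "notBefore": "Jan 10 09:00:00 2022 GMT",
    "notAfter": "Apr 10 09:00:00 2022 GMT",
}
NEW_CERT = dict(OLD_CERT, notBefore="Jan 26 18:36:50 2022 GMT", notAfter="Apr 26 18:36:50 2022 GMT")

if __name__ == "__main__":
    import sys
    cert = fetch_peer_cert(sys.argv[1]) if len(sys.argv) > 1 else NEW_CERT
    print(assess_cert(cert))
```

Run it as `python check_cert.py my-app.com` against the live host; with no argument it evaluates the constructed sample.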

@GabrielMajeri
Author

Thank you, @lawrence-laz! This solution works perfectly.

I'll ask @natemcmaster to close this issue if they don't have a suggestion for a different way of force-renewing the certificate, and maybe pinning this issue to help other interested people find it.

@natemcmaster
Owner

Deleting the certs folder and restarting the server is the mechanism I would recommend, too. Thanks for sharing the details, @lawrence-laz

@GabrielMajeri
Author

Great! I'm closing this, then.

@natemcmaster natemcmaster pinned this issue Jan 30, 2022