Let's Encrypt Revokes 2M Certificates Due to TLS-ALPN-01 Implementation Issues

Let's Encrypt, a community-controlled non-profit certificate authority that provides certificates free of charge to everyone, has announced the early revocation of about two million TLS certificates, roughly 1% of all certificates of this certificate authority. The revocation was initiated after a failure to comply with specification requirements was found in the code Let's Encrypt uses to implement the TLS-ALPN-01 extension (RFC 7301, Application-Layer Protocol Negotiation). The discrepancy was caused by the absence of some checks performed during connection negotiation based on the ALPN TLS extension used in HTTP/2. A detailed report on the incident will be published after revocation of the problematic certificates is complete.

The problem was fixed on January 26 at 03:48 (MSK), but it was decided to revoke all certificates that had been issued using the TLS-ALPN-01 validation method. Revocation will begin on January 28 at 19:00 (MSK). Until then, users of the TLS-ALPN-01 validation method are advised to renew their certificates; otherwise the certificates will be invalidated early.

Notifications about the need to renew certificates are being sent by email. Users who obtain certificates with Certbot and the dehydrated tool are not affected by the issue when using default settings. The TLS-ALPN-01 method is supported in the Caddy, Traefik, apache mod_md and autocert packages. You can check whether your certificates are affected by searching for their identifiers, serial numbers or domains in the list of problematic certificates.

Since the changes affect behaviour during validation with the TLS-ALPN-01 method, it may be necessary to update the ACME client or change its settings (Caddy, bitnami/bn-cert, autocert, apache mod_md, Traefik) to keep it working. The changes include requiring TLS versions no lower than 1.2 (clients will no longer be able to use TLS 1.1) and ending support for OID 1.3.6.1.5.5.7.1.30.1, which identifies the obsolete acmeIdentifier extension that was supported only in early drafts of the RFC 8737 specification (when generating the certificate, only OID 1.3.6.1.5.5.7.1.31 is now allowed, and clients using OID 1.3.6.1.5.5.7.1.30.1 will not be able to obtain a certificate).

source: budenet.ru
