Updates to althttpd.c for LetsEncrypt compatibility

Previous Topic Next Topic
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

Updates to althttpd.c for LetsEncrypt compatibility

Richard Hipp-3

If you are using althttpd.c on your website, you will need to get the
latest code and recompile before the next time you need to get a cert
from LetsEncrypt.

There are no (known) vulnerabilities or problems with althttpd.c.
This is merely an update for LetsEncrypt compatibility due to recent
changes in the LetsEncrypt certbot.


The althttpd.c webserver has nothing to do with SQLite, except for the
fact that it was created to host the https://sqlite.org/ website, and
the source code to althttpd.c is hosted on the SQLite documentation
repository.  See the althttpd documentation and source code here:


Reason for the change:

Today, I was notified by LetsEncrypt that they will be revoking some
certs because of a bug in their website validation system.  The cert
for sqlite.org was among those being revoked.  Owners of those certs
were advised to get a new cert before tomorrow.

But in the meantime, LetsEncrypt has modified their certbot so that it
no longer worked with the legacy althttpd.  Althttpd takes certain
security precautions that are incompatible with the new LetsEncrypt
certbot.  So, in order to get a new cert, althttpd had to be modified
to make an exception to the security precautions for LetsEncrypt.

So, if you are one of the handful of people who are using althttpd.c
for your own website, you should probably download the new althttpd.c
source file and recompile.  You will almost certainly need to do this
before you get your next cert from LetsEncrypt.  And you might need to
do that before tomorrow.
D. Richard Hipp
[hidden email]
sqlite-users mailing list
[hidden email]