diff --git a/udm-le.env b/udm-le.env
index f2c3122..c46dcf3 100644
--- a/udm-le.env
+++ b/udm-le.env
@@ -23,12 +23,10 @@ NO_BUNDLE="no"
 # Enable updating Radius support
 ENABLE_RADIUS="no"
 
-# Allows CNAMEs to be resolved. When true, allows resolving _acme-challenge.* in case it
-# has a CNAME pointing to a different domain. With this, make sure the DNS provider config
-# is for the provider the CNAME points to.
-#
-# Leave this disabled if you don't know what this means as most configurations don't need it.
-LEGO_EXPERIMENTAL_CNAME_SUPPORT=false
+# Disable support for CNAME resolution. When false, allows resolving _acme-challenge.* if you
+# have a CNAME pointing to a different domain. This is generally not something people need, so leave
+# this alone unless you've explicitly set up a CNAME and understand the implications.
+LEGO_DISABLE_CNAME_SUPPORT=true
 
 # The DNS resolver used to verify records. Change this to a public DNS resolver if you have
 # modified your UDM's upstream DNS servers to point to an internal resolver that is the
@@ -129,8 +127,8 @@ DNS_RESOLVERS=""
 UDM_LE_PATH="/data/udm-le"
 
 # LetsEncrypt Configuration
-LEGO_VERSION="4.16.1"
-LEGO_SHA1="9e97a07db0660c69100327a67e839186153ce5df"
+LEGO_VERSION="4.17.4"
+LEGO_SHA1="637144bb79f42f7a4884bd98be7decb1679e4322"
 LEGO_DOWNLOAD_URL="https://github.com/go-acme/lego/releases/download/v${LEGO_VERSION}/lego_v${LEGO_VERSION}_linux_arm64.tar.gz"
 LEGO_BINARY="${UDM_LE_PATH}/lego"
 LEGO_PATH="${UDM_LE_PATH}/.lego"