*.api.letsencrypt.org certificate may be revoked soon


#1

After these finding:

It appear that the certificate currently used for api.letsencrypt.org subdomains (e.g. acme-v01.api.letsencrypt.org and acme-v02.api.letsencrypt.org) is apparently not BR-compliant and thus will probably be revoked:

https://groups.google.com/d/msg/mozilla.dev.security.policy/wqySoetqUFM/A6UH3FpuBAAJ

@schoen @josh Do you plan to renew that certificate, just in case?

https://bugzilla.mozilla.org/show_bug.cgi?id=1446121

Common name: *.api.letsencrypt.org
SANs: *.api.letsencrypt.org, api.letsencrypt.org
Organization: INTERNET SECURITY RESEARCH GROUP
Location: Mountain View, California, US
Valid from June 26, 2015 to June 25, 2018
Serial Number: 7f0000010000014e30d50b6442c92e78
Signature Algorithm: sha256WithRSAEncryption
Issuer: TrustID Server CA A52
https://www.sslshopper.com/ssl-checker.html#hostname=acme-v02.api.letsencrypt.org

Update 17/03:
A new certificate is used, the old one has been revoked.


#2

We’re aware and plans are already underway to make the required changes today.

Thanks for flagging.


#3

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.