Attacked by ransomware

Our RHEL server running certbot was attacked by ransomware. All of our servers, including the server configuration, are encrypted; the backups are encrypted as well. We are in the process of reconstructing the Let's Encrypt configuration from scratch. Is there any way we can rebuild the Let's Encrypt configuration to renew our SSL certificates?

Our domains are: psychologyinaction.org, scienceandfood.org, dishlab.org, xiao-lab.org, californiaregionalcollborative.org

My web server is (include version):
Apache 2.5
The operating system my web server runs on is (include version):
RHEL 8.9

My hosting provider, if applicable, is:
On premises

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.22

Thanks
Desperate sysadmin

Unless you have something special arranged for your ACME account with Let's Encrypt (such as a rate limit increase or being on the E1 intermediate allowlist, which most people don't have) then you should be able to just set up a server fresh, with new certificates and a new ACME account, just like you did the first time.

Ideally you would revoke your existing certificate for keyCompromise (and close your existing ACME account), but if you don't have access to the account key anymore then that might be challenging. It probably isn't the end of the world if you don't, depending on what kind of efforts you're expecting the attacker to take with trying to impersonate your server to its users, and if the attacker actually has access to the key or is just preventing you from having access.

4 Likes

Hi Peter,

Thank you for your prompt answer. Unfortunately I don't have the account key anymore; like I said, everything was compromised! Is there any way I can retrieve my account key through Let's Encrypt or gain access to my existing account? Even if I start with a fresh installation and request brand new SSL certificates for the domains mentioned before, will I be able to download them? Or are they locked to the compromised account?

Desperate sysadmin

1 Like

I'm saying to forget your existing account and just make a new one. An ACME account doesn't have a lot "attached" to it. Just install certbot (or whatever client you want to use) on your fresh installation and forget your old server existed, and your new server should be fine.

After that, if you want to worry about trying to revoke your compromised certificate, which can help mitigate some attacks on your users, you can worry about that.

3 Likes

No, the ACME protocol uses public/private keypairs for the ACME accounts. And just like the private keys from the certificate, those account private keys are not stored at Let's Encrypt, only locally.

That said, I agree with Peter: just register a new account.

2 Likes

I understand that, but what happens when I request new SSL certificates for the domains aforementioned after the new installation? Will I be denied the request because those certs belong to another account?

There won’t be a problem because another account was used in the past, you can just request a new cert.

5 Likes

ok thank you everybody for the help.

I'm changing my status from desperate to hopeful sysadmin.

3 Likes

After issuing the new Certificates, you should revoke the old certificates.

Information on how to do this is here: Revoking Certificates - Let's Encrypt

You should be able to get a copy of the old certificates (issued against the compromised key) from crt.sh or another Certificate Transparency log. Once you authenticate the domains against the new account key to generate the new certificates, Let's Encrypt will allow that account to revoke the old certificates.

5 Likes
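The clean-up step in the answer above (look the old certificates up in Certificate Transparency, download them, and revoke them from the rebuilt account) is easy to get wrong when a domain has several overlapping certificates: crt.sh lists the precertificate and the final certificate as separate rows with the same serial, expired certificates need no revocation, and the certificate you just issued must not be revoked by mistake. The script below, an added example written for this thread and not code from the original posters, certbot or Let's Encrypt, takes crt.sh-style search results and the serial(s) of the freshly issued certificate(s) and returns exactly the set of still-valid old certificates to fetch and revoke. Assumptions: the input is the JSON that `https://crt.sh/?q=<domain>&output=json` returns (fields `id`, `serial_number`, `not_after`, `name_value`, timestamps in UTC without a zone suffix), `https://crt.sh/?d=<id>` returns that row's PEM, and the `certbot revoke --cert-path` form is run on the rebuilt server whose new account has validated all names on the old certificate. The sample rows, serials and the `/root/old-certs` directory are constructed for the example. Which `--reason` value a revocation that is not signed by the certificate's own key may carry is CA policy, so the command is emitted without one; check the "Revoking Certificates" page linked above before adding it.

```python
"""Select the old Let's Encrypt certificates that still need revoking after a
server rebuild, from crt.sh-style Certificate Transparency search results.

Example code written for this thread; not from the posters, certbot or Let's
Encrypt.  Input format assumed: crt.sh JSON output (`?q=<domain>&output=json`).
All sample data below is constructed.
"""
from datetime import datetime, timezone

# Constructed sample of what crt.sh returns for one domain: two rows for the
# same old certificate (precert + leaf), one expired certificate, the certificate
# issued after the rebuild, and an old certificate that is still valid.
# Serials are shortened for readability; real ones are 18-byte hex strings.
SAMPLE_ENTRIES = [
    {"id": 1001, "serial_number": "04aa01c0ffee", "name_value": "psychologyinaction.org",
     "not_before": "2024-02-01T10:00:00", "not_after": "2024-08-01T10:00:00"},
    {"id": 1002, "serial_number": "04aa01c0ffee", "name_value": "psychologyinaction.org",
     "not_before": "2024-02-01T10:00:00", "not_after": "2024-08-01T10:00:00"},
    {"id": 1003, "serial_number": "04bb02c0ffee", "name_value": "psychologyinaction.org",
     "not_before": "2023-11-01T10:00:00", "not_after": "2024-02-01T10:00:00"},
    {"id": 1004, "serial_number": "04cc03c0ffee", "name_value": "psychologyinaction.org",
     "not_before": "2024-05-22T10:00:00", "not_after": "2024-08-20T10:00:00"},
    {"id": 1005, "serial_number": "04dd04c0ffee", "name_value": "psychologyinaction.org\nwww.psychologyinaction.org",
     "not_before": "2024-04-16T10:00:00", "not_after": "2024-07-15T10:00:00"},
]

# Serial of the certificate issued from the new account, as certbot prints it
# (colon separated); normalisation below makes the two formats comparable.
NEW_SERIALS = ["04:CC:03:C0:FF:EE"]

# Fixed "now" so the example is reproducible; use datetime.now(timezone.utc) live.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def normalize_serial(serial: str) -> str:
    """Lower-case hex without separators, so crt.sh and certbot forms compare equal."""
    return serial.lower().replace(":", "").replace(" ", "")


def parse_crtsh_time(value: str) -> datetime:
    """crt.sh timestamps look like '2024-08-01T10:00:00' with no zone; they are UTC."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def select_certs_to_revoke(entries, new_serials, now):
    """Return {serial: crt.sh row id} for every unexpired certificate whose
    serial is not one of the newly issued ones.

    Deduplicates by serial because crt.sh reports the precertificate and the
    final certificate as separate rows; the first row id seen is kept, and
    downloading either yields a certificate the CA will accept for revocation.
    """
    keep = {normalize_serial(s) for s in new_serials}
    chosen = {}
    for entry in entries:
        serial = normalize_serial(entry["serial_number"])
        if serial in keep:
            continue  # the certificate we just issued from the new account
        if parse_crtsh_time(entry["not_after"]) <= now:
            continue  # already expired: cannot be misused, nothing to revoke
        chosen.setdefault(serial, entry["id"])
    return chosen


def revocation_commands(chosen, download_dir="/root/old-certs"):
    """Return (download_url, certbot_command) per certificate, sorted by serial.

    The download URL is crt.sh's PEM endpoint for a row id; the command is the
    `certbot revoke --cert-path` form, run on the rebuilt server whose account
    has validated all names on the certificate.  No --reason is added here
    because the accepted reasons for an authorization-based revocation are CA
    policy (see the Let's Encrypt "Revoking Certificates" page).
    """
    plan = []
    for serial, row_id in sorted(chosen.items()):
        pem_path = f"{download_dir}/{serial}.pem"
        plan.append((f"https://crt.sh/?d={row_id}",
                     f"certbot revoke --cert-path {pem_path}"))
    return plan


if __name__ == "__main__":
    to_revoke = select_certs_to_revoke(SAMPLE_ENTRIES, NEW_SERIALS, NOW)
    for url, cmd in revocation_commands(to_revoke):
        print(f"curl -sSo <pem> '{url}'  &&  {cmd}")
```

Run it per domain with live crt.sh output instead of `SAMPLE_ENTRIES` and the serial from `openssl x509 -in /etc/letsencrypt/live/<domain>/cert.pem -noout -serial` in `NEW_SERIALS`; with the constructed rows it selects the two still-valid old certificates (rows 1001 and 1005) and skips the duplicate precert row, the expired certificate and the new one.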

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.