Batch of R10 and R11 certificates revoked (superseded) at same time day 2024-10-01

We have noticed that some certificates got revoked yesterday (2024-10-01) between 21:49:00 and 21:52:00 UTC. All the certificates have the reason 4 for the revocation (superseded), so I'm wondering what could have triggered this. Here are some examples of certificates that got revoked:

[
{"domain":"api.liveops-collectibles-admin.us-east-1.general.stag.wildlife.io","notAfter":"2024-12-01 13:04:09 +0000 UTC","port":"443","reason":"4","revokedAt":"2024-10-01 21:49:58 +0000 UTC","status":"revoked","subject":"R11"},
{"domain":"font-usage-api-prod.ufcg-fonts.us-east-1.general.prod.wildlife.io","notAfter":"2024-11-24 14:02:39 +0000 UTC","port":"443","reason":"4","revokedAt":"2024-10-01 21:51:19 +0000 UTC","status":"revoked","subject":"R10"},
{"domain":"load-test-api-api-stag.load-test-api.us-east-1.general.stag.wildlife.io","notAfter":"2024-11-07 18:05:19 +0000 UTC","port":"443","reason":"4","revokedAt":"2024-10-01 21:49:42 +0000 UTC","status":"revoked","subject":"R11"},
{"domain":"api.maestro-next.warmachines.eu-central-1.general.prod.wildlife.io","notAfter":"2024-12-10 14:06:49 +0000 UTC","port":"443","reason":"4","revokedAt":"2024-10-01 21:50:25 +0000 UTC","status":"revoked","subject":"R10"}
]
2 Likes

Hi @RonnanSouza, and welcome to the LE community forum :slight_smile:

Have a read at:

I checked the first name you listed ("api.liveops-collectibles-admin.us-east-1.general.stag.wildlife.io") and it seems to fit.

See:


Subject "empty":

5 Likes

Well this sucks that it was done this way with no prior warning.
For the most part it's Letsencrypt's own fault that there are so many certs out there with this problem, generally because the validation of CNs is still wrong after all these years, and they're being set to blank when they are over 64 chars (which should be the limit for a base DNS name, not for a FQDN), but ACME also requires the CN to be a DNS name.
So any cert which has a FQDN > 64 chars currently has this issue in Letsencrypt. That should be fixed on the ACME API's side first, and the majority of this problem would've solved itself without actively revoking certificates and causing outages everywhere.

The only issue on Let's Encrypt side was with the documentation, which said that they would include a CN, even though they changed last year to allow for certificates where no domain name in it would fit in a CN. So they needed to revoke the certificates since they weren't compliant with their published policies. But then they updated the policy to allow them. So if a certificate with only longer hostnames is renewed, then you'd get the same lack of CN as before.

The way the problem would solve itself is through ACME clients checking ARI (or at least OCSP), and renewing it automatically as needed.

Though usually they send an email to the contact provided on the ACME account too, if provided. I don't know if they did in this case.

4 Likes

I beg your pardon?

Let's Encrypt (LE) is a publicly trusted CA and needs to abide by the CA/Browser Forum Baseline Requirements (BR). Let's Encrypt only issues DV (domain validated) certificates and by the BR, LE is only allowed to put a DNS name from the SAN in the CN. (See section 7.1.2.7.2 "Domain Validated" of the current BR).

So there is nothing to "fix".

Also, due to the problem with the CP/CPS LE was in violation of the BR. If CAs do not respond properly to any BR violation, the browsers can revoke their root certificates! Thus nothing would have "solved itself"! Not revoking these certs would present a HUGE problem for LE with regard to BR adherence.

Please read more into the web PKI before making bold statements. Thank you :slight_smile:

Also note that LE supports the (currently draft) ACME Renewal Information (ARI) protocol, which if implemented would have automatically renewed any certificate about to get revoked. You might want to read into that and possibly implement it in your ACME setup.

4 Likes

And adding to the comments of Peter and Osiris you can review the announcement about the change for very long domain names from Nov 2023 here:

3 Likes

Indeed. Before that change it was not even possible to get such certificates. :slight_smile:

3 Likes

Not exactly.
For certs that contain only one name that would be true.
But LE allows for up to 100 FQDNs in the SAN field.
If any of them were < 65 chars, I suspect that it would have used the first one found.

So...
I can see where there are certs that contain SAN entries with > 64 chars and were not revoked.

3 Likes

Correct. It only applies for certs without any SAN <65 chars. As I mentioned in Public comments on "No Meaningful Subject Distinguished Name" - #8 by Osiris that would be just 0.03 to 0.04 % of all issued certs.

2 Likes
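Added example (not code from the thread or from Let's Encrypt): a small Python check that applies the rule discussed in the two posts above to a certificate's SAN list, reporting which name could serve as the Subject CN and whether the certificate would fall into the "no SAN under 65 chars" class that was revoked. The 64-character limit is the X.509 ub-common-name bound; the "first fitting SAN is used" rule is taken from the post above as an assumption, not from the CA's code.

```python
import json
from typing import Dict, List, Optional

# RFC 5280 upper bound for the commonName attribute (ub-common-name).
CN_MAX_LEN = 64


def pick_cn(sans: List[str]) -> Optional[str]:
    """Return the SAN a DV issuer could copy into the Subject CN, or None.

    The BR only allow a CN that is one of the SAN dNSNames, and X.509 caps
    commonName at 64 characters. Assumption (as suggested in the thread):
    the first SAN that fits is used; if none fits, the Subject stays empty.
    """
    for name in sans:
        if len(name) <= CN_MAX_LEN:
            return name
    return None


def classify(sans: List[str]) -> Dict[str, object]:
    """Summarise a certificate's SAN list the way a renewal checker would."""
    cn = pick_cn(sans)
    return {
        "cn": cn,
        # Empty Subject is exactly the class affected by the 2024-10-01 batch.
        "empty_subject": cn is None,
        "longest_san": max(len(n) for n in sans),
        "san_count": len(sans),
    }


# Constructed samples: the first domain quoted in the thread (65 chars), once
# on its own and once alongside a short sibling name.
LONG_NAME = "api.liveops-collectibles-admin.us-east-1.general.stag.wildlife.io"
SAMPLES = {
    "only-long-names": [LONG_NAME],
    "with-a-short-name": [LONG_NAME, "wildlife.io"],
}

if __name__ == "__main__":
    for label, sans in SAMPLES.items():
        print(label, json.dumps(classify(sans)))
```

A certificate reported with "empty_subject": true is the kind that needed ARI/OCSP-driven renewal rather than a fix on the CA side.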

I stand corrected, I wasn't aware that there was a specific limit of 64 chars on the CN portion of the DN, and I indeed missed some of the announcements there.

Thank you all for the insights and info provided :slight_smile:

5 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.