Certificate Validation Domain Change

In October of 2021, we began using a Let's Encrypt certificate for our ServiceNow instance. Everything was working with no issues until yesterday 9/11 morning. After much troubleshooting, we found the certificate validation process began utilizing the lencr.org domain for online certificate validation. This caused an issue as our network was not allowing traffic to lencr.org, only letsencrypt.org. Did something change this weekend on Let's Encrypt side to force the new domain for certificate validation?

Just trying to find out why we were working with no issues until yesterday morning and they only change we needed on our side was to allow the new web domain for certificate validation.

1 Like

Welcome @JustinLewis

No changes to note this past weekend. Have you changed your ACME client or perhaps SSL monitoring systems recently? Note many ACME clients will only try to renew a cert within 30 days of expiration. So, changes since your last cert was issued might just become visible now. Still, no changes on LE side that would explain this.

Maybe this page answers your question? Let us know if it does not

6 Likes

Thank you for the information. We did review the site you suggested however it appeared this action was taken late in 2021. Our Let's Encrypt SSL certificates appeared to have been renewed on 8/19, so still not understanding why the sudden change.

Thank you for the feedback.

2 Likes

Where are you seeing lencr.org?

The only outgoing traffic should be to https://acme-v02.api.letsencrypt.org/directory. Inbound validation of challenges can happen from any number of undisclosed IPs.

The only things that lencr.org are commonly used for are hosting the certificate verification information (CRL, OCSP, Root links, etc). See the link @MikeMcQ posted for more details on that.

4 Likes

Our browser was performing a certificate revocation check on our Let's Encrypt certificate.

Using certutil, we found the certificate revocation checking was going to r3.i.lencr.org and r3.o.lencr.org, to validate base certificate and then going to either apps.identrust.com and crl.identrust.com or x1.i.lencr.org and x1.c.lencr.org to validate the intermediate R3 certificate.

1 Like

Those have been pointing to lencr for quite some time now. Perhaps your browser never did a CRL/OCSP check before?

6 Likes