Questions about Renewing before TLS-ALPN-01 Revocations

[fqdn]: The certificate retrieved from your web server has serial 2e9227dc5c45441c, which is different than the serial in our affected data set. Your certificate has most likely been renewed. Everything appears good.

HUZZAH!

2 Likes
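The checker output quoted above compares the serial of the certificate a server actually presents against an affected-serial data set. As an added example (not the thread's tool and not Let's Encrypt's code), the following pure-Python snippet does the same comparison offline against a DER-encoded certificate; the certificate bytes and the affected set are constructed here, and the builder emits only the start of tbsCertificate, just enough to reach serialNumber.

```python
def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def certificate_serial_hex(der: bytes) -> str:
    """Return serialNumber of a DER X.509 certificate as lowercase hex without
    leading zeros, the form the thread's checker prints (e.g. 2e9227dc5c45441c)."""
    tag, cert, _ = _read_tlv(der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    tag, tbs, _ = _read_tlv(cert, 0)
    assert tag == 0x30, "tbsCertificate must be a SEQUENCE"
    tag, first, nxt = _read_tlv(tbs, 0)
    if tag == 0xA0:                         # optional [0] EXPLICIT version comes first
        tag, first, nxt = _read_tlv(tbs, nxt)
    assert tag == 0x02, "serialNumber must be an INTEGER"
    # DER prepends 0x00 when the high bit is set; signed decoding removes it.
    return format(int.from_bytes(first, "big", signed=True), "x")


def normalise_serial(text: str) -> str:
    """Accept 'serial=2E:92:27:...' or '2E9227...' styles (openssl output) and
    reduce them to the same lowercase, unpadded hex form."""
    digits = text.split("=")[-1].replace(":", "").strip().lower()
    return digits.lstrip("0") or "0"


def is_affected(der: bytes, affected_serials) -> bool:
    """True if the served certificate's serial is in the affected data set."""
    return certificate_serial_hex(der) in {normalise_serial(s) for s in affected_serials}


def _tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_constructed_cert(serial: int) -> bytes:
    """Constructed test input, not a real certificate: SEQUENCE { SEQUENCE {
    [0] INTEGER 2, INTEGER serial } } with the rest of tbsCertificate omitted."""
    serial_bytes = serial.to_bytes((serial.bit_length() + 8) // 8, "big")  # keeps sign bit clear
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, serial_bytes))
    return _tlv(0x30, tbs)
```

Feeding it a real certificate is a matter of reading the DER file (or base64-decoding the PEM body) into `der`; the affected set in the thread is Let's Encrypt's, so the list here is only a placeholder.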

@lestaff

The Let's Encrypt staff might want to update this page on Challenge Types and maybe add a warning.

The TLS-ALPN-01 challenge type is re-enabled and working properly, so it's not clear what information and utility a warning on that page would convey.

2 Likes

Maybe just heighten awareness there was a recently corrected issue.
It was just a thought. Not trying to add to the Let's Encrypt staff as you all are plenty busy and doing a great job. Thanks!

1 Like

The revocations are complete and our OCSP response cache reflects the revoked status.

4 Likes

I am using traefik and got the email to renew. When I cleared my acme.json file and checked the logs I got this message:

Error creating new order :: too many failed authorizations recently: see Rate Limits - Let's Encrypt

I have gone back to my original certs, but some browsers are failing.

Can we have a temporary increase in the rate limiting?

I tried using Firefox to check the revoked certificate website, and I got an error about the revoked certificate.

But when I tried using Chrome (even in incognito mode) for the same website, no error at all. So, does Chrome ignore revoked certificates? I am using:

Distributor ID: Ubuntu
Description: Ubuntu 20.04.3 LTS
Release: 20.04
Codename: focal

Chrome: Version 97.0.4692.99 (Official Build) unknown (64-bit)

If OCSP is not stapled, OCSP requests from the browser can be a privacy issue. As far as I know, Chrome indeed does not actively request OCSP statuses, probably for this reason. Firefox might be actively requesting OCSP statuses, so that might explain the difference. This can be disabled, I believe. And perhaps enabled in Chrome, not sure about that though.

Note: if an OCSP status is stapled, all browsers should reject the connection to the host serving the revoked certificate. (Although perhaps the older, valid OCSP status could be cached for a few days.)

Also note that Let's Encrypt does not use certificate revocation lists (CRL) for their subscriber certificates, only OCSP.

4 Likes

Hello,

I just renewed my certificate. On my server I can see that the certificate is up to date (see screenshot below).

However, when I try to connect to the site, it is always unavailable and it is always the old certificate.

Any idea where the problem comes from?

[screenshot: 2022-01-29 at 15.30.58]

Firefox and Chrome have different stances on checking certificate status and displaying warnings to users. Firefox queries OCSP for a given domain and uses that information to display errors and warnings; Chrome does not.

If this is your site, then you need to renew and replace the certificate so Firefox users won’t see an error.

4 Likes

You probably need to reload or restart your web-server. Some clients handle this automatically after renewal, but not all of them. After reloading, your web-server should present the renewed certificate that’s on-disk when clients connect to the site.

3 Likes

Hi @jillian could you maybe temporarily help to raise our account limit for new orders? Otherwise we would have to ask every few minutes as the limit is only 300. We are in the process of re-issuing > 18k certificates which are all revoked. Unfortunately we did not get the email and now all our customers (we provide website hosting) are contacting us.
Account ID: 45062927

1 Like

I restarted the server but that didn't fix anything.

Sorry to hear that. I am not sure why your web-server is not serving the new certificates that you see on disk. You should also check your web-server’s configuration to make sure the paths are configured correctly for the certificate. If you have trouble reviewing the configuration or don’t see that as the problem, please open a new Help thread with the details filled out so our community can help you.

3 Likes

For your issue, I think it's probably a good idea to open a new thread in the #help section all on its own, so we can help you the best.

3 Likes

It has already been increased:

Are you still hitting the limit? Perhaps it's a good idea to throttle your ACME client?

3 Likes

If you are seeing “too many failed authorizations recently” then you might have a buggy client that is attempting and failing to renew on regular intervals and hitting the limit. The rate limit is

There is a Failed Validation limit of 5 failures per account, per hostname, per hour.

We don’t provide overrides for that limit, but it rolls over every hour (sliding window).

You should search the forums or open a new #help thread with your details to get support on the errors you are seeing.

3 Likes
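The Failed Validation limit quoted above (5 failures per account, per hostname, per hour, as a sliding window) is the reason a client that retries on a fixed interval stays stuck. As an added example, not from the thread or from any ACME client, here is a small client-side model of that window that tells a client how long to back off instead of retrying blindly; the account id and hostname values in the test are constructed.

```python
from collections import deque

FAILED_VALIDATION_LIMIT = 5      # failures per account, per hostname (from the thread)
WINDOW_SECONDS = 3600            # sliding one-hour window


class FailedValidationTracker:
    """Tracks the failed authorizations this client has caused, keyed by
    (account_id, hostname), so it can wait for the window to roll over
    rather than burn further attempts. It never contacts the CA and only
    knows about failures it has recorded itself."""

    def __init__(self, limit=FAILED_VALIDATION_LIMIT, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self._failures = {}      # (account_id, hostname) -> deque of timestamps

    def _window(self, key, now):
        """Drop failures that have aged out of the sliding window."""
        q = self._failures.setdefault(key, deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def record_failure(self, account_id, hostname, now):
        """Call when an authorization for hostname comes back invalid."""
        self._window((account_id, hostname), now).append(now)

    def seconds_until_allowed(self, account_id, hostname, now):
        """0 if another attempt fits in the window, otherwise the seconds
        until the oldest counted failure leaves the window."""
        q = self._window((account_id, hostname), now)
        if len(q) < self.limit:
            return 0
        return self.window - (now - q[0])
```

A client would check `seconds_until_allowed` before each new order for a hostname and sleep for that long; a fixed "retry every few minutes" loop is exactly what keeps hitting the limit.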

Thanks @Osiris. I DM'd to discuss more details about rate limit adjustments. When more Let’s Encrypt staff are online, we’ll be able to provide them an override to renew certificates faster.

4 Likes

I have been trying to renew my certificates since the start of this revocation. The LE test server permits me to renew without issue, but the production servers do not. From the response, it looks like a request may be pending for the next month. Is there anything I can do to /unstick/ this request?


[Sat 29 Jan 2022 09:03:51 AM PST] _candidates='X.XX.XX,{"identifier":{"type":"dns","value":"X.XX.XX"},"status":"pending","expires":"2022-02-28T17:03:50Z","challenges":[{"type":"http-01","url":"https://acme.zerossl.com/v2/DV90/chall/MZ2_90HxPJoMOG8hIJ59Hg","status":"pending","token":"ac5FPUnVxhf-kKHCrK4pLIcL4MdtdkclcqgzRhhjaCc"},{"type":"dns-01","url":"https://acme.zerossl.com/v2/DV90/chall/q_C9FbLOKvnwh0t1q7sAZg","status":"pending","token":"OUr3-zw-Zg0EfdOHKDoN4yY4nSWDxdlk18UTKjhfi68"}]}'
[Sat 29 Jan 2022 09:03:51 AM PST] response='{"identifier":{"type":"dns","value":"X.XX.XX"},"status":"pending","expires":"2022-02-28T17:03:50Z","challenges":[{"type":"http-01","url":"https://acme.zerossl.com/v2/DV90/chall/MZ2_90HxPJoMOG8hIJ59Hg","status":"pending","token":"ac5FPUnVxhf-kKHCrK4pLIcL4MdtdkclcqgzRhhjaCc"},{"type":"dns-01","url":"https://acme.zerossl.com/v2/DV90/chall/q_C9FbLOKvnwh0t1q7sAZg","status":"pending","token":"OUr3-zw-Zg0EfdOHKDoN4yY4nSWDxdlk18UTKjhfi68"}]}'
[Sat 29 Jan 2022 09:03:51 AM PST] entry
[Sat 29 Jan 2022 09:03:51 AM PST] Not a wildcard domain, lets check whether the validation is already valid.
[Sat 29 Jan 2022 09:03:51 AM PST] Error, can not get domain token entry X.XX.XX for tls-alpn-01
[Sat 29 Jan 2022 09:03:51 AM PST] The supported validation types are: http-01 dns-01 , but you specified: tls-alpn-01