Revoking certain certificates on March 4

Could you tell me please how to renew the certificate within ISPCOnfig? I tried to remove SSL and Letscencrípt and add it again, but the tool says the certification still need to be renewed!

Ok this is complete crap. Fine, there was a bug. I have less than 12 hours to fix this and right now I am 2500 miles from home on vacation, and all I have with me is a cell phone and a bad 3rd world internet connection. It was a complete fluke that the notification email even got to me before this weekend, as I am in Waikiki on a ship that pulls out in a few hours.

I deliberately manually updated certs to avoid this problem while I was gone, and because you guys are giving us literally no time to fix it before you revoke them you are not only screwing up my vacation I don’t even know if I can maintain a connection long enough to get this done. Nor do I know for certain that the one other person with access is available to talk to before you revoke.

4 Likes

In addition to this rate limit override, we just deployed another global rate limit override from 300/3h to 10000/3h for newOrdersPerAccount.

4 Likes

A post was split to a new topic: Baseline Requirements revocation requirement

I would be great if you could mention this in your blog. When I got the mail it looked like some phishing attempt, especially because the Let’s Encrypt homepage doesn’t mention this at all.

4 Likes

2 posts were split to a new topic: Public certificate hostnames

Is LE going to publish their after-incident summary publicly?

I’m excited to hear if there will be any lessons learned for your processes :slight_smile:

2 Likes

2 posts were split to a new topic: Filtering notices for unaffected certificates

We will definitely be conducting an internal post-mortem and will likely share some of it publicly. We have provided an initial Incident Report with more details including some remediation items. here

5 Likes

I had a DNS issue (my secondaries weren’t getting NOTIFY) so I’m getting too many failed authorization requests.

How long till that goes away?

(I fixed the notify issue, and validated that it works with your staging server).

Then they should have sent out the notice 5 days ago, not waited and then give us 12 hours to fix. 4 days ago I was still at home, not on vacation in the middle of the ocean

1 Like

Unfortunately, we have no way to know whether prior certs are still in use after they’ve been renewed. Renewal does not invalidate the old certificate, and some subscribers may use different certificates simultaneously on different endpoints for the same hostname (e.g. CDNs).

3 Likes

I just created a bash script to review if your domains are affected:

(domains_to_review.txt)

b2b.mydomain.com
b2c.mydomain.com

(run_check.sh)

input="./domains_to_review.txt"
while IFS= read -r line
do
DOMAIN=$line
echo “Domain to check -> $DOMAIN”
OUTPUT=curl -XPOST -d "fqdn=$DOMAIN" https://checkhost.unboundtest.com/checkhost | grep "because it is affected by" | wc -l
#curl -XPOST -d “fqdn=$DOMAIN” https://checkhost.unboundtest.com/checkhost | grep “because it is affected by” | wc -l
if [[ $OUTPUT -eq 1 ]]; then
echo “$DOMAIN should be replaced”
echo “$line” >> domains_to_renew
else
echo $OUTPUT
echo “$DOMAIN not affected”
fi
done < “$input”

Hope it can help someone.

4 Likes

Thanks @kimbo89 – I’ll give this a try !

2 Likes

Ok, apparently I’ve waited long enough and the new cert got issued.

4 Likes

We are working on increasing that rate limit now. Thank you for your patience.

5 Likes

3 posts were split to a new topic: Problem “unknown” checking certificates

maybe someone will find it obvious, but please DON’T RENEW all your certificates with “certbot renew --force-renewal” but only the affected ones, with “certbot certonly --force-renewal -d mydomain.com”!

7 Likes

We have also increased the Invalid Authorizations Per Account rate limit from 5 to 10.

9 Likes

Please search the community forum to see if this question has been asked before. If it has not, open a new thread and and answer the template questions so we can help you quickly.

4 Likes