Revoking certain certificates on March 4

In addition to this rate limit override, we just deployed another global rate limit override from 300/3h to 10000/3h for newOrdersPerAccount.

4 Likes

A post was split to a new topic: Baseline Requirements revocation requirement

I would be great if you could mention this in your blog. When I got the mail it looked like some phishing attempt, especially because the Let’s Encrypt homepage doesn’t mention this at all.

4 Likes

2 posts were split to a new topic: Public certificate hostnames

Is LE going to publish their after-incident summary publicly?

I’m excited to hear if there will be any lessons learned for your processes :slight_smile:

2 Likes

2 posts were split to a new topic: Filtering notices for unaffected certificates

We will definitely be conducting an internal post-mortem and will likely share some of it publicly. We have provided an initial Incident Report with more details including some remediation items. here

5 Likes

I had a DNS issue (my secondaries weren’t getting NOTIFY) so I’m getting too many failed authorization requests.

How long till that goes away?

(I fixed the notify issue, and validated that it works with your staging server).

Then they should have sent out the notice 5 days ago, not waited and then give us 12 hours to fix. 4 days ago I was still at home, not on vacation in the middle of the ocean

1 Like

Unfortunately, we have no way to know whether prior certs are still in use after they’ve been renewed. Renewal does not invalidate the old certificate, and some subscribers may use different certificates simultaneously on different endpoints for the same hostname (e.g. CDNs).

3 Likes

I just created a bash script to review if your domains are affected:

(domains_to_review.txt)

b2b.mydomain.com
b2c.mydomain.com

(run_check.sh)

input="./domains_to_review.txt"
while IFS= read -r line
do
DOMAIN=$line
echo “Domain to check -> $DOMAIN”
OUTPUT=curl -XPOST -d "fqdn=$DOMAIN" https://checkhost.unboundtest.com/checkhost | grep "because it is affected by" | wc -l
#curl -XPOST -d “fqdn=$DOMAIN” https://checkhost.unboundtest.com/checkhost | grep “because it is affected by” | wc -l
if [[ $OUTPUT -eq 1 ]]; then
echo “$DOMAIN should be replaced”
echo “$line” >> domains_to_renew
else
echo $OUTPUT
echo “$DOMAIN not affected”
fi
done < “$input”

Hope it can help someone.

4 Likes

Thanks @kimbo89 – I’ll give this a try !

2 Likes

Ok, apparently I’ve waited long enough and the new cert got issued.

4 Likes

We are working on increasing that rate limit now. Thank you for your patience.

5 Likes

3 posts were split to a new topic: Problem “unknown” checking certificates

maybe someone will find it obvious, but please DON’T RENEW all your certificates with “certbot renew --force-renewal” but only the affected ones, with “certbot certonly --force-renewal -d mydomain.com”!

7 Likes

We have also increased the Invalid Authorizations Per Account rate limit from 5 to 10.

9 Likes

Please search the community forum to see if this question has been asked before. If it has not, open a new thread and and answer the template questions so we can help you quickly.

4 Likes

Service https://unboundtest.com/caaproblem.html is overcrowded.

On 10 attempts, the service replied only 1 time only (Error 502, unknown: dial tcp: i/o timeout …)

5 Likes

Thanks for the notice. We’re deploying an upgraded version momentarily. Edit: https://checkhost.unboundtest.com/

8 Likes