We will definitely be conducting an internal post-mortem and will likely share some of it publicly. We have provided an initial Incident Report with more details including some remediation items here.
I had a DNS issue (my secondaries weren’t getting NOTIFY) so I’m getting too many failed authorization requests.
How long till that goes away?
(I fixed the notify issue, and validated that it works with your staging server).
Then they should have sent out the notice 5 days ago, not waited and then given us 12 hours to fix. 4 days ago I was still at home, not on vacation in the middle of the ocean.
Unfortunately, we have no way to know whether prior certs are still in use after they’ve been renewed. Renewal does not invalidate the old certificate, and some subscribers may use different certificates simultaneously on different endpoints for the same hostname (e.g. CDNs).
I just created a bash script to review if your domains are affected:
#!/bin/bash
# File with one domain per line, passed as the first argument.
input="$1"
while IFS= read -r line
do
  DOMAIN="$line"
  echo "Domain to check -> $DOMAIN"
  # Count the response lines that report the certificate as affected.
  OUTPUT=$(curl -s -XPOST -d "fqdn=$DOMAIN" https://checkhost.unboundtest.com/checkhost | grep "because it is affected by" | wc -l)
  if [[ $OUTPUT -ge 1 ]]; then
    echo "$DOMAIN should be replaced"
    # Collect affected domains for later renewal.
    echo "$line" >> domains_to_renew
  else
    echo "$DOMAIN not affected"
  fi
done < "$input"
Hope it can help someone.
Thanks @kimbo89 – I’ll give this a try!
Ok, apparently I’ve waited long enough and the new cert got issued.
We are working on increasing that rate limit now. Thank you for your patience.
Maybe someone will find it obvious, but please DON’T RENEW all your certificates with “certbot renew --force-renewal” but only the affected ones, with “certbot certonly --force-renewal -d mydomain.com”!
We have also increased the Invalid Authorizations Per Account rate limit from 5 to 10.
Please search the community forum to see if this question has been asked before. If it has not, open a new thread and answer the template questions so we can help you quickly.
Service https://unboundtest.com/caaproblem.html is overcrowded.
Out of 10 attempts, the service replied only 1 time (Error 502, unknown: dial tcp: i/o timeout …)
Thanks for the notice. We’re deploying an upgraded version momentarily. Edit: https://checkhost.unboundtest.com/
I never received notice via email for this problem. I validated we had 45 affected certificates in the dump via account id. We have received prior emails affecting this account in the past; you may have a serious problem on your hands there.