[Update 2020-03-05: The most up-to-date summary is at 2020.02.29 CAA Rechecking Bug ] Due to the 2020.02.29 CAA Rechecking Bug , we unfortunately need to revoke many Let’s Encrypt TLS/SSL certificates. We’re e-mailing affected subscribers for whom we have contact information. This post and thread wi…

maybe someone will find it obvious, but please DON’T RENEW all your certificates with “certbot renew --force-renewal” but only the affected ones, with “certbot certonly --force-renewal -d mydomain.com ”!

Please search the community forum to see if this question has been asked before. If it has not, open a new thread and and answer the template questions so we can help you quickly.

Service https://unboundtest.com/caaproblem.html is overcrowded. On 10 attempts, the service replied only 1 time only (Error 502, unknown: dial tcp: i/o timeout …)

Thanks for the notice. We’re deploying an upgraded version momentarily. Edit: https://checkhost.unboundtest.com/

I never received notice via email for this problem. I validated we had 45 affected certificates in the dump via account id. We have received prior emails affecting this account in the past, you may have a serious problem on your hands there.

Your script does not retrieve the correct serialnumber when the server uses SNI. You need to indicate the servername: openssl s_client -connect example.com:443 -showcerts -servername example.com </dev/null 2>/dev/null | openssl x509 -text -noout | grep -A 1 Serial\ Number | tr -d :

Thanks @kjo , that’s a good point.

Good point @kjo . I believe recent versions of openssl actually do use the connect string to set the SNI field, but I agree that older versions do not, and we should have the more robust command.

When I first heard about this problem, at about 1600 UTC, I had not received an email. But i thought to check, so I ran a script and discovered one current certificate was affected. Several hours later, when I was about to double check my script after reading kjo’s comment, I noticed that I had rec…

[image] tmcl: Please someone from Let’s Encrypt staff, if you can edit the original article, make it clear that non-receipt of an email is not equivalent to being unaffected. That's a great point. I'll get this change worked up now. FWIW, the notification mailer has completed it's run.

Revoking certain certificates on March 4

Help

Topic		Replies	Views
Questions about Renewing before TLS-ALPN-01 Revocations Help	233	52598	March 10, 2022
Sometimes it's required to break the rules - and to change these Praise	19	4023	April 6, 2020
Receiving emails saying certificate are soon to expire, but they are not Help	12	572	August 16, 2022
Too many certificates already issued for exact set of domains Server	21	6053	August 14, 2017
Confused :: expiry warning for non-expiring certificate Help	24	4062	August 17, 2016

Revoking certain certificates on March 4

Related topics