maybe someone will find it obvious, but please DON’T RENEW all your certificates with “certbot renew --force-renewal” but only the affected ones, with “certbot certonly --force-renewal -d mydomain.com”!
We have also increased the Invalid Authorizations Per Account rate limit from 5 to 10.
Please search the community forum to see if this question has been asked before. If it has not, open a new thread and and answer the template questions so we can help you quickly.
Service https://unboundtest.com/caaproblem.html is overcrowded.
On 10 attempts, the service replied only 1 time only (Error 502, unknown: dial tcp: i/o timeout …)
Thanks for the notice. We’re deploying an upgraded version momentarily. Edit: https://checkhost.unboundtest.com/
A post was split to a new topic: You may need to use a different Authenticator Plugin
A post was split to a new topic: Error running certbot renew --force-renewal
I never received notice via email for this problem. I validated we had 45 affected certificates in the dump via account id. We have received prior emails affecting this account in the past, you may have a serious problem on your hands there.
A post was split to a new topic: Error processing CAA for domain
Your script does not retrieve the correct serialnumber when the server uses SNI. You need to indicate the servername:
Thanks @kjo, that’s a good point.
Good point @kjo. I believe recent versions of openssl actually do use the connect string to set the SNI field, but I agree that older versions do not, and we should have the more robust command.
A post was split to a new topic: Hit rate limit renewing certificates
A post was merged into an existing topic: Hit rate limit renewing certificates
When I first heard about this problem, at about 1600 UTC, I had not received an email. But i thought to check, so I ran a script and discovered one current certificate was affected.
Several hours later, when I was about to double check my script after reading kjo’s comment, I noticed that I had received an email at about 2000 UTC.
I suppose the emails are still being sent out, but there are rumors going around that if you don’t get an email, you aren’t affected. Please someone from Let’s Encrypt staff, if you can edit the original article, make it clear that non-receipt of an email is not equivalent to being unaffected. Even if you’ve verified that Let’s Encrypt has your contact details and the address doesn’t get sent to spam, the email might just still be on its way.
That’s a great point. I’ll get this change worked up now. FWIW, the notification mailer has completed it’s run.
I’m not really sure if https://checkhost.unboundtest.com/ is working correctly, for one of my affected domains it’s showing
The certificate currently available on [name] is OK ... but the file downloaded from https://letsencrypt.org/caaproblem/ is still showing
missing CAA checking results for [name] at [datetime] and the certificate was last renewed almost a month ago (until now).
Edit: looks like the certificate was actually renewed a day after or so so it’s all good I guess
@vedranl Would you mind letting me know what the domains/certs in question are so I can check?
Looks like I can’t send private messages, any way to send this in private?