Revoking certain certificates on March 4

Aranjedeath · March 3, 2020, 4:19pm

Is LE going to publish their after-incident summary publicly?

I’m excited to hear if there will be any lessons learned for your processes

jsha · March 3, 2020, 6:23pm

2 posts were split to a new topic: Filtering notices for unaffected certificates

jillian · March 3, 2020, 4:27pm

We will definitely be conducting an internal post-mortem and will likely share some of it publicly. We have provided an initial Incident Report with more details including some remediation items. here

lrosenman · March 3, 2020, 4:31pm

I had a DNS issue (my secondaries weren’t getting NOTIFY) so I’m getting too many failed authorization requests.

How long till that goes away?

(I fixed the notify issue, and validated that it works with your staging server).

GrnEyedDvl · March 3, 2020, 4:38pm

Then they should have sent out the notice 5 days ago, not waited and then give us 12 hours to fix. 4 days ago I was still at home, not on vacation in the middle of the ocean

JamesLE · March 3, 2020, 4:38pm

Unfortunately, we have no way to know whether prior certs are still in use after they’ve been renewed. Renewal does not invalidate the old certificate, and some subscribers may use different certificates simultaneously on different endpoints for the same hostname (e.g. CDNs).

kimbo89 · March 3, 2020, 4:39pm

I just created a bash script to review if your domains are affected:

(domains_to_review.txt)

b2b.mydomain.com
b2c.mydomain.com

(run_check.sh)

input="./domains_to_review.txt"
while IFS= read -r line
do
DOMAIN=$line
echo "Domain to check -> $DOMAIN"
OUTPUT=curl -XPOST -d "fqdn=$DOMAIN" https://checkhost.unboundtest.com/checkhost | grep "because it is affected by" | wc -l
#curl -XPOST -d "fqdn=$DOMAIN" https://checkhost.unboundtest.com/checkhost | grep "because it is affected by" | wc -l
if [[ $OUTPUT -eq 1 ]]; then
echo "$DOMAIN should be replaced"
echo "$line" >> domains_to_renew
else
echo $OUTPUT
echo "$DOMAIN not affected"
fi
done < "$input"

Hope it can help someone.

markengelhardt · March 3, 2020, 4:50pm

Thanks @kimbo89 – I’ll give this a try !

lrosenman · March 3, 2020, 4:50pm

Ok, apparently I’ve waited long enough and the new cert got issued.

jillian · March 3, 2020, 4:52pm

We are working on increasing that rate limit now. Thank you for your patience.

jsha · March 3, 2020, 5:17pm

3 posts were split to a new topic: Problem “unknown” checking certificates

aless · March 3, 2020, 5:04pm

maybe someone will find it obvious, but please DON’T RENEW all your certificates with “certbot renew --force-renewal” but only the affected ones, with “certbot certonly --force-renewal -d mydomain.com”!

jillian · March 3, 2020, 5:13pm

We have also increased the Invalid Authorizations Per Account rate limit from 5 to 10.

jillian · March 3, 2020, 5:31pm

Please search the community forum to see if this question has been asked before. If it has not, open a new thread and and answer the template questions so we can help you quickly.

tristanbes · March 3, 2020, 5:37pm

Service https://unboundtest.com/caaproblem.html is overcrowded.

On 10 attempts, the service replied only 1 time only (Error 502, unknown: dial tcp: i/o timeout …)

jsha · March 3, 2020, 5:39pm

Thanks for the notice. We’re deploying an upgraded version momentarily. Edit: https://checkhost.unboundtest.com/

ezekiel · March 3, 2020, 6:18pm

A post was split to a new topic: You may need to use a different Authenticator Plugin

Phil · March 3, 2020, 6:18pm

https://letsencrypt.org/caaproblem now has a link to a more efficient scanner and also points at the beefier https://checkhost.unboundtest.com server.

jsha · March 3, 2020, 6:31pm

A post was split to a new topic: Error running certbot renew --force-renewal

Omeryl · March 3, 2020, 6:39pm

I never received notice via email for this problem. I validated we had 45 affected certificates in the dump via account id. We have received prior emails affecting this account in the past, you may have a serious problem on your hands there.