Revoking certain certificates on March 4

We believe the Web.com (Network Solutions) issue is mostly resolved, and affected subscribers should be seeing more success getting new certificates:

5 Likes

We're in the same boat as @kf6nux. We have thousands of customer domains on WorldNic/Netsol and spread across our certs, so those certs will keep failing.

2 Likes

We saw the worldnic issue get a lot better about an hour ago and @JamesLE posted that it's either fixed or mostly fixed here: DNS failures (SERVFAIL, timeout) for domains using Network Solutions/Web.com/worldnic.com nameservers

7 Likes

In order to complete revocations before the deadline of 2020-03-05 03:00 UTC, we are planning to start revoking affected certificates at 2020-03-04 20:00 UTC (3:00pm US EST). Please continue to renew and replace affected certificates in the meantime. If there are any changes to this start time, updates will be provided in this thread. Thank you all very much for your patience, understanding, and help as we work through this issue.

9 Likes

I have updated the top level FAQ to reflect this information

5 Likes

As of 06:45 UTC 04/03/2020 no email notification.
Saw an article in "The Register" and took 30 seconds to renew a certificate.

More good luck than good management!!
Should have checked before renewing, I suppose. Checked after and it seems OK now

1 Like

A post was split to a new topic: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Read timed out

A post was split to a new topic: Certificate renew with Kubernetes cert-manager

A post was split to a new topic: How to reissue cert for QNAP NAS

Bit of an odd one, the email I received shows the domain and serial number of the affected domains but searching the caa-rechecking-incident-affected-serials.txt.gz the serial number isn't there. So do I still need to re-issue the certificate?

1 Like

@RobC-CTL Can you post the specifics?

Are you sure it isn't just a syntax issue or something – some software displays serial numbers with colons and some doesn't, and a simple grep won't match them.

2 Likes

Hi @mnordhoff

The email that I received:

Your affected certificate(s), listed by serial number and domain names:

038347490d86e1777e3b7a2382a31e3f90f9: coriniumtech.com www.coriniumtech.com

However, searching the gz file for either the domain or serial doesn't return any results. I've also checked the domain at https://checkhost.unboundtest.com and it reports as OK. The certificate is due to renew on the 7th March.

Cheers
Rob

1 Like

$ zgrep -n coriniumtech.com caa-rechecking-incident-affected-serials.txt.gz
2069026:serial 038347490d86e1777e3b7a2382a31e3f90f9 53724289 bc0cd81bd98d29327120078607e585e3afa83da5d08584cd89edcc498f1de4f6 names: [coriniumtech.com www.coriniumtech.com] missing CAA checking results for www.coriniumtech.com at 2019-12-08 14:18:52.977438985 +0000 UTC

3 Likes

Hi @RobC-CTL

That value is in the file:

serial 038347490d86e1777e3b7a2382a31e3f90f9 53724289 bc0cd81bd98d29327120078607e585e3afa83da5d08584cd89edcc498f1de4f6 names: [coriniumtech.com www.coriniumtech.com] missing CAA checking results for www.coriniumtech.com at 2019-12-08 14:18:52.977438985 +0000 UTC

But the certificate is old, so you have already renewed it. That is why

https://checkhost.unboundtest.com/

doesn't show a result.

5 Likes
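The two lookup pitfalls in the exchange above (a serial copied from a certificate viewer in colon-separated or uppercase form will not match a plain grep, and the affected list keys each line by serial followed by the covered names) can be handled in one small tool. The following is an added example, not code from the thread or from Let's Encrypt's own checker script: it normalises a serial before comparing it, parses lines in the format shown in the zgrep output above, and answers both "is this serial listed?" and "which listed serials cover this hostname?". The sample file content is constructed from the single line quoted in the thread; the helper names (`normalize_serial`, `load_affected`, `lookup`, `lookup_by_name`) are this example's own.

```python
"""Check serials and hostnames against a CAA-rechecking affected-serials file.

Added example for the discussion above; not the project's own tooling.
Assumes the file uses the line format quoted in the thread:
  serial <hex> <id> <sha256> names: [<name> <name> ...] <reason>
"""
import gzip
import os
import re
import tempfile

# Constructed sample in the format of caa-rechecking-incident-affected-serials.txt.gz
# (the one line is the entry quoted in the thread).
SAMPLE_LINES = (
    "serial 038347490d86e1777e3b7a2382a31e3f90f9 53724289 "
    "bc0cd81bd98d29327120078607e585e3afa83da5d08584cd89edcc498f1de4f6 "
    "names: [coriniumtech.com www.coriniumtech.com] "
    "missing CAA checking results for www.coriniumtech.com "
    "at 2019-12-08 14:18:52.977438985 +0000 UTC\n"
)

LINE_RE = re.compile(
    r"^serial (?P<serial>[0-9a-fA-F]+) \S+ \S+ names: \[(?P<names>[^\]]*)\] (?P<reason>.*)$"
)


def normalize_serial(serial):
    """Canonical serial: lowercase hex, no colons/spaces/0x prefix, no leading zeros.

    Covers the forms a user is likely to paste: the plain hex in the notification
    email, the 03:83:47:... form from browser viewers, and 0x... from some tools.
    """
    s = serial.strip().lower()
    if s.startswith("0x"):
        s = s[2:]
    s = re.sub(r"[\s:]", "", s)
    if not s or any(c not in "0123456789abcdef" for c in s):
        raise ValueError("not a hex serial: %r" % serial)
    return s.lstrip("0") or "0"


def parse_affected(lines):
    """Yield (normalized_serial, [names], reason) for each entry line; skip others."""
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue
        yield normalize_serial(m.group("serial")), m.group("names").split(), m.group("reason")


def load_affected(path):
    """Read the gzipped list into a dict keyed by normalized serial."""
    with gzip.open(path, "rt", encoding="utf-8") as fh:
        return {serial: (names, reason) for serial, names, reason in parse_affected(fh)}


def lookup(affected, serial):
    """Return (names, reason) if the serial is listed in any accepted spelling, else None."""
    return affected.get(normalize_serial(serial))


def lookup_by_name(affected, hostname):
    """All listed entries whose name set covers hostname (case-insensitive, trailing dot ignored)."""
    h = hostname.strip().lower().rstrip(".")
    return {s: v for s, v in affected.items() if h in [n.lower() for n in v[0]]}


def write_sample_file(path=None):
    """Write the constructed sample as a .gz file (temp location if no path given)."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "affected-sample.txt.gz")
    with gzip.open(path, "wt", encoding="utf-8") as fh:
        fh.write(SAMPLE_LINES)
    return path


if __name__ == "__main__":
    affected = load_affected(write_sample_file())
    for form in (
        "038347490d86e1777e3b7a2382a31e3f90f9",                       # as in the email
        "03:83:47:49:0D:86:E1:77:7E:3B:7A:23:82:A3:1E:3F:90:F9",      # browser-style
        "0x038347490D86E1777E3B7A2382A31E3F90F9",                     # 0x-prefixed
    ):
        print(form, "->", "AFFECTED" if lookup(affected, form) else "not listed")
    print("entries covering www.coriniumtech.com:", list(lookup_by_name(affected, "www.coriniumtech.com")))
```

Run it against the real file by replacing `write_sample_file()` with the path to the downloaded `caa-rechecking-incident-affected-serials.txt.gz`. A hit only tells you the serial was in scope for revocation; as the reply above notes, if that serial has already been replaced by a renewal it no longer matters which serial the old certificate had.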

#HugOps@LE :heart:
Thanks for the additional time to get replacement certs.
Thanks @JamesLE et al (including Network Solutions) for getting resolution to that problem which was blocking/slowing getting replacement certs for hostnames with worldnic NS.
We were able to get all ~1000 of our affected certs reissued prior to revocation. :grinning:

7 Likes

Our CDN (Akamai) is still overloaded :cold_face:
The renewal didn't progress for 14 hours!

I opened a ticket with their support team, but I'm really worried it may not renew before revocation.

4 Likes

Your options seem to be to trust your vendor to get it resolved or have a contingency plan where you get your own cert (from LE or any other CA) and know how to deploy it (to Akamai or another CDN).

2 Likes

I'm still working through issues renewing my cert, which I have a separate thread on already.

In case I'm unable to renew my cert before it gets revoked, I'd like to know what type of effect using a revoked cert will have on my email server and the users' experience. Will send/receive communications continue but with warnings, or will it just stop working altogether?

This is the first time that I'm unsuccessful in renewing the certs, and I would like to be able to warn the users until it gets fixed.

1 Like

@belikewata

Checking validity is done by OCSP, and as these responses are valid for 4/5 days, they may remain in the cache of your clients, or if OCSP stapling is enabled, your server.

So it's quite unpredictable at which point users will see an error: somewhere between 0 and 4 days later.

At least in the case of Thunderbird, you'll get a message like the one in the screenshot here: https://support.mozilla.org/en-US/questions/1041573

By the way the status page now says that revocation will start at 20:00 UTC.

3 Likes

I'm getting this error when running the script. Not sure what it means exactly as I'm not proficient in bash:

./run_check.sh: line 15: syntax error near unexpected token `done'
./run_check.sh: line 15: `done < "$input"'

1 Like