Let's Encrypt announced yesterday (on March 3rd 2020) that it will have to revoke certain certificates due to a CAA rechecking bug. According to LE, 2.6% of all issued certificates are affected. In bigger numbers: over 3 million certificates (3'048'289 to be precise) are affected and need to be re-issued.
The revocations will start in a couple of hours from now, and the deadline is tomorrow, March 5th at 3am UTC.
Let's Encrypt mentioned that the affected subscribers were informed. However, it is possible to register an ACME account without an email address, using the --register-unsafely-without-email parameter of certbot, and such accounts receive no notification at all. This is most likely widely used in automated setups.
To actively identify whether or not a certificate is affected, submit a POST request with the hostname to checkhost.unboundtest.com using curl (the service fetches the certificate currently served on that host and looks up its serial number):
# curl -XPOST -d "fqdn=www.infiniroot.com" https://checkhost.unboundtest.com/checkhost
The certificate currently available on www.infiniroot.com is OK. It is not one of the certificates affected by the Let's Encrypt CAA rechecking problem. Its serial number is 03d59a6c6f46679a4403003093c111f54b27
A common way to use Let's Encrypt certificates is to have them issued and installed on central reverse proxies. This makes it easy to obtain an overview of all certificates (using certbot certificates), so a loop can iterate through each certificate's first domain and check whether the certificate served there is affected by the revocation (the check contacts the host over the network, so it only works for hosts reachable from where the check runs):
# for i in $(certbot certificates |grep Domains|awk '{ print $2}'); do curl -XPOST -d "fqdn=$i" https://checkhost.unboundtest.com/checkhost; done
Thanks to my colleague Pascal for this handy one liner!
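The check above depends on a third-party web service and on the host being reachable. An alternative is to compare the serial numbers of the locally installed certificates against the list of affected serials that Let's Encrypt published for this incident. The following shell script is an added example and not part of the original post: it assumes that list has been downloaded to a local text file (one hex serial per line, same form as the serial shown in the checkhost output above; the path /root/caa-affected-serials.txt is an assumption) and that certbot's default live directory layout /etc/letsencrypt/live/<name>/cert.pem is in use. The serial entries used for illustration are constructed, not real affected serials.

```shell
#!/bin/sh
# Offline check of locally installed Let's Encrypt certificates against a
# list of affected serial numbers (example code, not from the original post).
#
# Assumptions:
#  - AFFECTED_LIST: local copy of the published list of affected serials,
#    one hex serial per line (path is an assumption)
#  - LIVE_DIR: certbot's live directory, one <name>/cert.pem per certificate

AFFECTED_LIST="${AFFECTED_LIST:-/root/caa-affected-serials.txt}"
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"

# Normalise a serial for comparison: drop openssl's "serial=" prefix,
# drop any colon separators and lowercase the hex digits.
normalize_serial() {
    printf '%s' "$1" | sed -e 's/^serial=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# Print the serial of a PEM certificate file, as openssl reports it
# (e.g. "serial=03D59A6C6F46679A4403003093C111F54B27").
cert_serial() {
    openssl x509 -in "$1" -noout -serial
}

# Return 0 if the given serial (any accepted form) is listed in the
# affected-serials file $2, 1 otherwise. Exact, case-insensitive match.
is_affected() {
    serial=$(normalize_serial "$1")
    list="$2"
    if grep -qixF -- "$serial" "$list"; then
        return 0
    else
        return 1
    fi
}

# Walk the certbot live directory and report every certificate whose
# serial is on the affected list. Returns 0 if nothing is affected,
# 1 if at least one certificate must be renewed.
check_live_dir() {
    dir="$1"
    list="$2"
    rc=0
    for cert in "$dir"/*/cert.pem; do
        [ -f "$cert" ] || continue
        name=$(basename "$(dirname "$cert")")
        serial=$(cert_serial "$cert")
        if is_affected "$serial" "$list"; then
            echo "AFFECTED: $name ($(normalize_serial "$serial")) - renew now"
            rc=1
        else
            echo "ok:       $name ($(normalize_serial "$serial"))"
        fi
    done
    return $rc
}

# Run the walk only when executed directly, not when sourced for testing.
if [ "${0##*/}" = "check-caa-serials.sh" ]; then
    check_live_dir "$LIVE_DIR" "$AFFECTED_LIST"
fi
```

Save the script as check-caa-serials.sh and run it on each reverse proxy after downloading the serial list; any certificate reported as AFFECTED can then be renewed with certbot renew --force-renewal --cert-name <name>. If the published list uses a different notation (for example colon-separated bytes), normalize_serial already strips colons and case, so only a differing leading-zero convention would need an extra rule.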