Let's Encrypt announced mass revoking of certain certificates on March 4 2020 - here is a quick check if you are affected

Written by - 0 comments

Published on - Listed in Internet Linux TLS SSL


Let's Encrypt announced yesterday (on March 3rd 2020) that it will have to revoke certain certificates due to a CAA rechecking bug. According to LE, 2.6% of all issued certificates are affected. In bigger numbers: over 3 million certificates (3'048'289 to be precise) are affected and need to be re-issued.

The revocations will start in a couple of hours from now, and the deadline is tomorrow, March 5th at 3am UTC.

Which certificates are affected?

Let's Encrypt mentioned that the affected subscribers have been informed. However, it is possible to create LE certificates without registering an e-mail address, using the --register-unsafely-without-email parameter on the certbot command. This is most likely widely used in automated setups, so no notification mail will have arrived for those certificates.

To actively identify whether or not a certificate is affected, one can submit a curl POST request to checkhost.unboundtest.com, which reports the serial number of the certificate currently served on that host and whether it is on the affected list:

# curl -XPOST -d "fqdn=www.infiniroot.com" https://checkhost.unboundtest.com/checkhost
The certificate currently available on www.infiniroot.com is OK. It is not one of the certificates affected by the Let's Encrypt CAA rechecking problem. Its serial number is 03d59a6c6f46679a4403003093c111f54b27

Handy one liner for (central) reverse proxies

A common way to use Let's Encrypt certificates is to have them issued and installed on central reverse proxies. This makes it easy to obtain an overview of all certificates (using certbot certificates) and hence to loop through each domain and check whether its certificate is affected by the revocation:

# for i in $(certbot certificates |grep Domains|awk '{ print $2}'); do curl -XPOST -d "fqdn=$i" https://checkhost.unboundtest.com/checkhost; done

Thanks to my colleague Pascal for this handy one liner!
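The one-liner above only takes the first domain of each "Domains:" line, so a SAN certificate with several names is checked via one hostname only. The following script is an added example (not code from the original post or from Pascal's one-liner): it extracts every domain from certbot certificates output, can query checkhost for each of them, and also offers an offline check that compares each local certificate's serial number against a locally stored list of affected serials. The sample certbot output, the serial values and the affected-serials file are constructed for the demo; openssl, certbot and network access are only needed by the two check_* functions when run on a real proxy.

```shell
#!/bin/sh
# Added example, not code from the original post. Constructed/assumed: the
# sample certbot output, the serial values and the affected-serials list.
set -eu

# Print every domain from the "Domains:" lines of `certbot certificates`
# (the original one-liner only printed the first domain per certificate).
all_domains() {
    awk '$1 == "Domains:" { for (i = 2; i <= NF; i++) print $i }'
}

# Print "name path" for each certificate's fullchain file.
cert_paths() {
    awk '$1 == "Certificate" && $2 == "Name:" { name = $3 }
         $1 == "Certificate" && $2 == "Path:" { print name, $3 }'
}

# Canonical serial form: lowercase hex, no "serial=" prefix, no colons or
# whitespace, no leading zeros. openssl prints "serial=03D59A...", checkhost
# prints "03d59a..."; both compare equal after this.
normalize_serial() {
    printf '%s' "$1" | sed 's/^serial=//' | tr -d ':[:space:]' \
        | tr 'A-F' 'a-f' | sed 's/^0*//'
}

# Serial of a PEM certificate (needs openssl; used on real hosts only).
cert_serial() {
    openssl x509 -in "$1" -noout -serial
}

# Exit 0 if serial $1 appears in file $2 (one serial per line), else 1.
serial_affected() {
    _wanted=$(normalize_serial "$1")
    while IFS= read -r _line; do
        [ "$(normalize_serial "$_line")" = "$_wanted" ] && return 0
    done < "$2"
    return 1
}

# Online check: the page's curl request, applied to every domain.
check_remote() {
    certbot certificates | all_domains | while IFS= read -r fqdn; do
        curl -s -XPOST -d "fqdn=$fqdn" https://checkhost.unboundtest.com/checkhost
        echo
    done
}

# Offline check: compare each local certificate's serial with the list in $1.
check_local() {
    certbot certificates | cert_paths | while read -r name path; do
        if serial_affected "$(cert_serial "$path")" "$1"; then
            echo "AFFECTED: $name ($path)"
        else
            echo "ok: $name"
        fi
    done
}

# ---- offline demo with constructed data (not real certificates) ----
SAMPLE='Found the following certs:
  Certificate Name: www.example.com
    Domains: www.example.com example.com
    Expiry Date: 2020-05-01 00:00:00+00:00 (VALID: 58 days)
    Certificate Path: /etc/letsencrypt/live/www.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.example.com/privkey.pem
  Certificate Name: mail.example.com
    Domains: mail.example.com
    Expiry Date: 2020-04-20 00:00:00+00:00 (VALID: 47 days)
    Certificate Path: /etc/letsencrypt/live/mail.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/mail.example.com/privkey.pem'

AFFECTED_LIST=$(mktemp)
trap 'rm -f "$AFFECTED_LIST"' EXIT
# Constructed serials, deliberately in the mixed formats tools print.
printf '%s\n' '04AB:CD:EF:00:01' 'deadbeef0002' > "$AFFECTED_LIST"

printf '%s\n' "$SAMPLE" | all_domains     # three domains, one per line
printf '%s\n' "$SAMPLE" | cert_paths      # two "name path" pairs
serial_affected 'serial=04abcdef0001' "$AFFECTED_LIST" && echo "04abcdef0001 is affected"
serial_affected 'serial=0123456789ab' "$AFFECTED_LIST" || echo "0123456789ab is not affected"
```

On a real proxy, run check_remote for the page's online check against all domains, or check_local /path/to/affected-serials.txt (path is a placeholder) to avoid hitting the checkhost service once per domain.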
