Let's Encrypt revoking certificates

Just a quick head up for people using Let’s Encrypt

Due to the 2020.02.29 CAA Rechecking Bug , we unfortunately need to revoke many Let’s Encrypt TLS/SSL certificates. We’re e-mailing affected subscribers for whom we have contact information.

This post and thread will collect answers to frequently asked questions about this revocation, and how to avoid problems by renewing affected certificates early. If you’re affected, please: thoroughly read this thread, and search the community forum, for an answer to your question. If you don’t find one, please make a new post to the “Help” category, filling in the questions in the template that appears as you compose your post.

Q: How many certificates are affected?
A: 2.6% . That is 3,048,289 currently-valid certificates are affected, out of ~116 million
overall active Let’s Encrypt certificates. Of the affected certificates, about 1
million are duplicates of other affected certificates, in the sense of covering
the same set of domain names.

Because of the way this bug operated, the most commonly affected certificates
were those that are reissued very frequently, which is why so many affected
certificates are duplicates.

Q: When will the revocations start?
A: In order to complete revocations before the deadline of 2020-03-05 03:00 UTC, we are planning to start revoking affected certificates at 2020-03-04 20:00 UTC (3:00pm US EST). Please continue to renew and replace affected certificates in the meantime. If there are any changes to this start time, updates will be provided in this thread. Thank you all very much for your patience, understanding, and help as we work through this issue.

Q: How do I know if I’m using an affected certificate?
A: Here is an online tool that will show you: https://checkhost.unboundtest.com/

Or, on a Linux/BSD-like system, this command will show you example.com 's current certificate serial number:

openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null 2>/dev/null | openssl x509 -text -noout | grep -A 1 Serial\ Number | tr -d :

You can see the list of all affected serial numbers at: https://letsencrypt.org/caaproblem/

Q: I received the email telling me I should renew my certificate, however, the online testing tool isn’t indicating my cert needs replacing.
A: Even if you received an email, it’s possible that the affected certificates have been replaced by newer certs not affected by the bug. (Either due to being issued in the last few days since it was fixed, or simply by not meeting the specific timing criteria necessary for the bug to trigger.) In that case, it’s not necessary to renew them again. You can use the checking tool at https://checkhost.unboundtest.com/ to verify if the certificate you’re currently using needs renewal, or verify that the serial number of the cert you’re currently using is present in the list of affected certs at https://letsencrypt.org/caaproblem/ .

Q: I get this error when trying to renew: "urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for exact set of domains"
A: This usually means your client has been renewing every day, which means you likely have a newer, unaffected certificate already. Check your hostname with https://checkhost.unboundtest.com/ .

We’ve also increased the duplicate certificate limit so fewer people will get this error.

If you’d like to suggest more questions or corrections for this post, please make a new post to the “Site Feedback” category.

Thank you all very much for your patience, understanding, and help as we work through this issue.

Just to mention, today I added functionality to check if an existing cert has been revoked to the upcoming version of sympl-ssl, so if this happens in the future with Let’s Encrypt, Sympl will automatically get a new certificate.

You can check if you’re affected via https://checkhost.unboundtest.com/, and use sympl-ssl --verbose --force example.com to get a new certificate, but it’s also worth adding a valid email address to /srv/example.com/config/ssl/letsencrypt/letsencrypt/email for any new domains so that Let’s Encrypt can contact you if this happens in the future, or you have an existing cert.

Well done, an excellent update.

I read somewhere that they’d decided to cancel this revocation anyway…