LetsEncrypt Revoked certain certificates on March 4 - Are you Impacted or facing any SSL issues? - Check this !!
Dinesh Rathee (DEV Community)

Hi Everyone,

Issue / What is this article about?

Let's Encrypt started revoking around 3 million certificates on March 4, 2020 because of a bug it found in the CAA rechecking logic of its CA software: when an order contained several domain names, the recheck validated one of the names repeatedly instead of each name once, so certificates could be issued without a fresh CAA check for every name they covered. Certificates issued under that bug had to be revoked:
[+] https://www.zdnet.com/article/lets-encrypt-to-revoke-3-million-certificates-on-march-4-due-to-bug/

If you are impacted, here is a guide.

First pull the serial number of the certificate your server is actually presenting (replace "example.com" with your own domain; -servername matters when one host serves several certificates):

openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null 2>/dev/null | openssl x509 -text -noout | grep -A 1 Serial\ Number | tr -d :

The pipeline prints the serial as a hex string with the colons stripped, which is the form in which Let's Encrypt published the affected serial numbers in the community thread linked at the end of this article.

  • If your current certificate is on the affected list, issue a new one. With certbot, "certbot renew --force-renewal" reissues every certificate certbot manages regardless of how long it has left; otherwise reach out to Let's Encrypt through the community thread.
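As an added example (not code from the original post), the check above wrapped in a small POSIX sh script: it normalises whatever form of the serial openssl prints (uppercase, colon-separated, or with the serial= prefix of openssl x509 -serial) to lowercase hex and looks it up in a local file of affected serials, so a batch of hosts or PEM files can be checked without eyeballing. The affected-list format (one lowercase hex serial per line) is an assumption of this example, and the serials in the demo are made up; openssl is needed only for the two live helpers, the demo itself runs offline.

```shell
#!/bin/sh
# Added example, not code from the original post. Wraps the serial-number
# check so the result can be compared against a list of affected serials.
# Assumptions: openssl is on PATH for the two live helpers, and the affected
# list is a text file with one serial per line, lowercase hex, no colons.

# normalise_serial: read "serial=03DE7A..." (openssl -serial output) or
# "03:de:7a:..." (openssl -text output) on stdin, print lowercase hex only.
normalise_serial() {
    sed -e 's/^serial=//' -e 's/://g' -e 's/[[:space:]]//g' | tr 'A-F' 'a-f'
}

# serial_from_host HOST [PORT]: serial of the leaf certificate HOST presents.
# -servername selects the right certificate on a host with several vhosts.
# Needs network access; not exercised by the offline demo below.
serial_from_host() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -serial | normalise_serial
}

# serial_from_pem FILE: same, for a certificate already on disk
# (e.g. /opt/bitnami/letsencrypt/certificates/example.com.crt).
serial_from_pem() {
    openssl x509 -in "$1" -noout -serial | normalise_serial
}

# is_affected SERIAL LISTFILE: exit 0 if SERIAL (in any of the formats above)
# appears as a whole line in LISTFILE, 1 otherwise.
is_affected() {
    grep -qx "$(printf '%s' "$1" | normalise_serial)" "$2"
}

# sample_affected_list: write a constructed list (made-up serials, not the
# real ones Let's Encrypt published) to a temp file and print its path.
sample_affected_list() {
    f=$(mktemp) || return 1
    printf '%s\n' \
        03de7a1b2c3d4e5f60718293a4b5c6d7e8f9 \
        04aa11bb22cc33dd44ee55ff66aa77bb88cc > "$f"
    echo "$f"
}

# Offline demo with the constructed list, feeding the formats the live
# pipelines would return.
list=$(sample_affected_list)
for s in 'serial=03DE7A1B2C3D4E5F60718293A4B5C6D7E8F9' \
         '03:0f:14:97:f0:00:00:00:00:00:00:00:00:00:00:00:00:00'; do
    if is_affected "$s" "$list"; then
        echo "$s -> AFFECTED, reissue this certificate"
    else
        echo "$s -> not on the list"
    fi
done
rm -f "$list"
```

Against a real list saved as affected.txt, a live host is checked with is_affected "$(serial_from_host example.com)" affected.txt after sourcing the script; the exit status makes it easy to loop over an inventory and print only the hosts that need reissuing.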

Below are renewal steps for the Lego client, which Bitnami images use to obtain Let's Encrypt certificates:

[+] https://docs.bitnami.com/aws/how-to/generate-install-lets-encrypt-ssl/#step-1-install-the-lego-client

The example is a Lightsail instance running a Bitnami image with a Let's Encrypt certificate.

Checking the serial number:

#  openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null 2>/dev/null | openssl x509 -text -noout | grep -A 1 Serial\ Number | tr -d :
        Serial Number
            03de7xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Renewing

The lego command below uses the TLS-ALPN-01 challenge (--tls), which needs port 443 free, so Apache has to be stopped first. ctlscript.sh stop with no argument also stops MySQL and php-fpm; "sudo /opt/bitnami/ctlscript.sh stop apache" is enough and keeps the database up.

#  sudo /opt/bitnami/ctlscript.sh stop
Syntax OK
/opt/bitnami/apache2/scripts/ctl.sh : httpd stopped
/opt/bitnami/php/scripts/ctl.sh : php-fpm stopped
/opt/bitnami/mysql/scripts/ctl.sh : mysql stopped
#  /opt/bitnami/letsencrypt/lego --tls --email="example@gmail.com" --domains="example.com" --domains="www.example.com" --path="/opt/bitnami/letsencrypt" run
2020/03/04 13:23:01 [INFO] [example.com, www.example.com] acme: Obtaining bundled SAN certificate
2020/03/04 13:23:02 [INFO] [example.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/2995801226
2020/03/04 13:23:02 [INFO] [www.example.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/2995801228
2020/03/04 13:23:02 [INFO] [example.com] acme: authorization already valid; skipping challenge
2020/03/04 13:23:02 [INFO] [www.example.com] acme: authorization already valid; skipping challenge
2020/03/04 13:23:02 [INFO] [example.com, www.example.com] acme: Validations succeeded; requesting certificates
2020/03/04 13:23:03 [INFO] [example.com] Server responded with a certificate.
#  ls -lrt  /opt/bitnami/letsencrypt/certificates/
total 16
-rw------- 1 root root  288 Mar  4 13:23 example.com.key
-rw------- 1 root root  237 Mar  4 13:23 example.com.json
-rw------- 1 root root 1648 Mar  4 13:23 example.com.issuer.crt
-rw------- 1 root root 3356 Mar  4 13:23 example.com.crt

lego writes the private key, the leaf certificate bundled with the intermediate (example.com.crt), the issuer certificate on its own and a JSON metadata file. It does not write a CSR, so there is nothing to link server.csr to; the old Bitnami CSR is simply moved aside. Move the old files out of the way and point Apache's server.key and server.crt at the new pair:

#  sudo mv /opt/bitnami/apache2/conf/server.crt /opt/bitnami/apache2/conf/server.crt.old_04-03-2020
#  sudo mv /opt/bitnami/apache2/conf/server.key /opt/bitnami/apache2/conf/server.key.old_04-03-2020
#  sudo mv /opt/bitnami/apache2/conf/server.csr /opt/bitnami/apache2/conf/server.csr.old_04-03-2020

#  sudo ln -sf /opt/bitnami/letsencrypt/certificates/example.com.key /opt/bitnami/apache2/conf/server.key
#  sudo ln -sf /opt/bitnami/letsencrypt/certificates/example.com.crt /opt/bitnami/apache2/conf/server.crt
#  sudo chown root:root /opt/bitnami/apache2/conf/server*
#  sudo chmod 600 /opt/bitnami/apache2/conf/server*

chown and chmod follow the symlinks, so the permissions land on the files lego wrote (they are already 0600 root:root in the listing above, which keeps the private key unreadable to the web server's worker processes). Then bring the stack back up:

#  sudo /opt/bitnami/ctlscript.sh start
/opt/bitnami/mysql/scripts/ctl.sh : mysql  started at port 3306
/opt/bitnami/php/scripts/ctl.sh : php-fpm started
Syntax OK
/opt/bitnami/apache2/scripts/ctl.sh : httpd started at port 80

Pulling the new serial number (it should differ from the one recorded before the renewal):

#  openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null 2>/dev/null | openssl x509 -text -noout | grep -A 1 Serial\ Number | tr -d :
        Serial Number
            030f1497fxxxxxxxxxxxxxxxxxxxxxxxx
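The mv + ln -sf steps above work, but they give no way back if the new pair is wrong, and a link to a file lego never wrote quietly dangles. Below is an added example, not code from the post or from Bitnami, of the same swap done as one function with a backup directory, a pre-flight check and a rollback. The conf directory, the check command and the dummy files used in the demo are assumptions; cert_matches_key needs openssl, the demo itself runs on constructed files.

```shell
#!/bin/sh
# Added example, not code from the original post. Performs the mv + ln -sf
# steps as one operation with a backup, a pre-flight check and rollback.
# Assumptions: CONFDIR (/opt/bitnami/apache2/conf on the page) holds
# server.key and server.crt; the caller runs it as root before restarting
# Apache; openssl is on PATH for cert_matches_key.

# cert_matches_key CRT KEY: succeed if the certificate's public key is the one
# derived from the private key (RSA or EC). Catches a stale or mismatched link.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$crt_pub" = "$key_pub" ]
}

# install_cert NEWKEY NEWCRT CONFDIR CHECK
#   1. move the current server.key/server.crt (regular files or links, even
#      dangling ones) into a fresh backup directory inside CONFDIR
#   2. link server.key/server.crt to NEWKEY/NEWCRT and tighten their mode
#   3. run CHECK with the two new link paths; on failure put the backups back
#      and return 1 so the caller does not restart Apache on a bad pair.
install_cert() {
    newkey=$1; newcrt=$2; confdir=$3; check=$4
    backup=$(mktemp -d "$confdir/backup-$(date +%Y%m%d-%H%M%S)-XXXXXX") || return 1
    for f in server.key server.crt; do
        if [ -e "$confdir/$f" ] || [ -L "$confdir/$f" ]; then
            mv "$confdir/$f" "$backup/$f"
        fi
    done
    ln -sf "$newkey" "$confdir/server.key"
    ln -sf "$newcrt" "$confdir/server.crt"
    chmod 600 "$newkey" "$newcrt"
    if "$check" "$confdir/server.crt" "$confdir/server.key"; then
        echo "installed: server.key -> $newkey, server.crt -> $newcrt (backup in $backup)"
        return 0
    fi
    echo "pre-flight check failed, restoring previous key and certificate" >&2
    rm -f "$confdir/server.key" "$confdir/server.crt"
    for f in server.key server.crt; do
        if [ -e "$backup/$f" ] || [ -L "$backup/$f" ]; then
            mv "$backup/$f" "$confdir/$f"
        fi
    done
    rmdir "$backup"
    return 1
}

# Check helpers for the offline demo; a real run would pass cert_matches_key
# or a wrapper around "/opt/bitnami/apache2/bin/httpd -t" instead.
check_ok()   { return 0; }
check_fail() { return 1; }

# Offline demo on constructed dummy files (no openssl, no Apache needed).
d=$(mktemp -d)
printf 'old key\n'  > "$d/server.key"
printf 'old cert\n' > "$d/server.crt"
printf 'new key\n'  > "$d/example.com.key"
printf 'new cert\n' > "$d/example.com.crt"
install_cert "$d/example.com.key" "$d/example.com.crt" "$d" check_ok
printf 'bad key\n'  > "$d/bad.key"
printf 'bad cert\n' > "$d/bad.crt"
install_cert "$d/bad.key" "$d/bad.crt" "$d" check_fail \
    || echo "rolled back; server.crt still reads: $(cat "$d/server.crt")"
rm -rf "$d"
```

On the Bitnami box the call would be install_cert /opt/bitnami/letsencrypt/certificates/example.com.key /opt/bitnami/letsencrypt/certificates/example.com.crt /opt/bitnami/apache2/conf cert_matches_key, run between the ctlscript.sh stop and start. Because the function treats a dangling link like any other existing entry, a leftover server.csr link from an earlier manual swap is harmless to it; only the exit status decides whether Apache is restarted.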

Renewing the Let's Encrypt certificate with a cron job:

# cat /opt/bitnami/letsencrypt/scripts/renew-certificate.sh
#!/bin/bash
sudo /opt/bitnami/ctlscript.sh stop apache
sudo /opt/bitnami/letsencrypt/lego --tls --email="example@gmail.com" --domains="example.com" --domains="www.example.com" --path="/opt/bitnami/letsencrypt" renew --days 90
sudo /opt/bitnami/ctlscript.sh start apache

# sudo chmod +x /opt/bitnami/letsencrypt/scripts/renew-certificate.sh

# crontab -l | grep -v "#"
0 0 1 * * /opt/bitnami/letsencrypt/scripts/renew-certificate.sh >> /opt/bitnami/letsencrypt/renew.log 2>&1

Two things to know about this job. "renew --days 90" tells lego to renew when the certificate has 90 days or less left; Let's Encrypt certificates are issued for 90 days, so this renews on every run, i.e. once a month with the crontab above (well within the rate limits, but --days 30 renews only when the certificate is actually close to expiry). The crontab entry originally sent stderr to /dev/null, which hides a failed renewal until the certificate has already expired; the entry above appends both streams to a log file instead. Apache is down for the few seconds the TLS-ALPN-01 challenge takes, so schedule the job at a quiet hour.

Want more updates on this?

-- Follow the Let's Encrypt community thread, which carries the list of affected serial numbers and the status of the revocation:

[+] Revoking certain certificates on March 4 : https://community.letsencrypt.org/t/revoking-certain-certificates-on-march-4/114864/147

Regards,
Dinesh Rathee
[+] https://dev.to/dineshrathee12
[+] https://github.com/dineshrathee12
[+] https://www.linkedin.com/in/%E2%80%8Bdineshrathee12

Comments

Chris C:

I'm not sure if this would be related, but coincidentally our entire VPN Cisco infrastructure went to hell today.

I would assume these are responsible =/

Dinesh Rathee:

++ community.letsencrypt.org/t/revoki...

Add it to the thread.. they might look into it ;)