Hi Everyone,
Issue / what this article is about:
Let's Encrypt revoked around 3 million certs last night because of a bug they found:
[+] https://www.zdnet.com/article/lets-encrypt-to-revoke-3-million-certificates-on-march-4-due-to-bug/
If you are impacted by this, here's a guide:
- You can confirm impact by testing your domains on https://checkhost.unboundtest.com/
- You can also check whether your certificate serial is listed at https://letsencrypt.org/caaproblem/
To pull your cert serial number, run:
`openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null 2>/dev/null | openssl x509 -text -noout | grep -A 1 Serial\ Number | tr -d :`
Replace "example.com" with your own domain.
- If your current cert is affected, you will need to issue a new certificate. You can try `certbot renew --force-renewal` or reach out to Let's Encrypt.
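The serial check above, as an added example that is not part of the original post: a small bash script that normalises the different serial spellings openssl emits, parses the serial out of `openssl x509 -text` output (both the one-line form used for short serials and the two-line colon-separated form Let's Encrypt serials get), and looks it up in a local copy of the affected-serial list. The list format (one hex serial per line, `#` comments allowed) is an assumption, and the serials used for testing are constructed placeholders, not entries from the real list.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: look up served certificate serials in a
# local copy of the affected-serial list. Assumed list format: one hex serial per
# line, "#" comments allowed. Nothing here is the real caaproblem list.

# Normalise any serial spelling openssl produces ("serial=03DE7A...", "03:de:7a:...",
# "0x1234", with or without surrounding whitespace) to lowercase hex with no separators
# and no leading zeros, so the same serial compares equal whatever its source.
normalize_serial() {
    printf '%s' "$1" | tr -d ':[:space:]' | tr 'A-F' 'a-f' \
        | sed -e 's/^serial=//' -e 's/^0x//' -e 's/^0*//'
}

# Extract the serial from `openssl x509 -text` output on stdin. openssl prints short
# serials on one line ("Serial Number: 4660 (0x1234)") and long ones, like Let's
# Encrypt's, as colon-separated hex on the following line; both shapes are handled.
serial_from_x509_text() {
    awk '
        /Serial Number:/ {
            if (match($0, /\(0x[0-9a-fA-F]+\)/)) { print substr($0, RSTART + 3, RLENGTH - 4); exit }
            getline; gsub(/[[:space:]]/, ""); print; exit
        }'
}

# 0 if the serial appears in the list file, 1 otherwise.
is_affected() {
    local wanted=$1 listfile=$2 line
    wanted=$(normalize_serial "$wanted")
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac
        [ "$(normalize_serial "$line")" = "$wanted" ] && return 0
    done < "$listfile"
    return 1
}

# Live check of one host (needs network access, so the offline test does not call it).
check_host() {
    local host=$1 listfile=$2 serial
    serial=$(openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -text -noout | serial_from_x509_text)
    if is_affected "$serial" "$listfile"; then
        printf '%s: serial %s IS on the affected list; renew now\n' "$host" "$serial"
    else
        printf '%s: serial %s not on the list\n' "$host" "$serial"
    fi
}

# Usage: check-serials.sh affected-serials.txt example.com www.example.com
if [ $# -ge 2 ]; then
    list=$1; shift
    for host in "$@"; do check_host "$host" "$list"; done
fi
```

Comparing after stripping leading zeros matters because `openssl x509 -serial` keeps the leading `03` byte while the one-line `(0x...)` form drops it; without the normalisation a listed serial can be missed.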
Below are also some renewal steps if you're using the Lego client, which simplifies Let's Encrypt certificate generation.
The example is a Lightsail instance running a Bitnami image and using Let's Encrypt SSL certificates.
Checking the serial number:
# openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null 2>/dev/null | openssl x509 -text -noout | grep -A 1 Serial\ Number | tr -d :
Serial Number
03de7xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Renewing:
# sudo /opt/bitnami/ctlscript.sh stop
Syntax OK
/opt/bitnami/apache2/scripts/ctl.sh : httpd stopped
/opt/bitnami/php/scripts/ctl.sh : php-fpm stopped
/opt/bitnami/mysql/scripts/ctl.sh : mysql stopped
# /opt/bitnami/letsencrypt/lego --tls --email="example@gmail.com" --domains="example.com" --domains="www.example.com" --path="/opt/bitnami/letsencrypt" run
2020/03/04 13:23:01 [INFO] [example.com, www.example.com] acme: Obtaining bundled SAN certificate
2020/03/04 13:23:02 [INFO] [example.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/2995801226
2020/03/04 13:23:02 [INFO] [www.example.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/2995801228
2020/03/04 13:23:02 [INFO] [example.com] acme: authorization already valid; skipping challenge
2020/03/04 13:23:02 [INFO] [www.example.com] acme: authorization already valid; skipping challenge
2020/03/04 13:23:02 [INFO] [example.com, www.example.com] acme: Validations succeeded; requesting certificates
2020/03/04 13:23:03 [INFO] [example.com] Server responded with a certificate.
# ls -lrt /opt/bitnami/letsencrypt/certificates/
total 16
-rw------- 1 root root 288 Mar 4 13:23 example.com.key
-rw------- 1 root root 237 Mar 4 13:23 example.com.json
-rw------- 1 root root 1648 Mar 4 13:23 example.com.issuer.crt
-rw------- 1 root root 3356 Mar 4 13:23 example.com.crt
# sudo mv /opt/bitnami/apache2/conf/server.crt /opt/bitnami/apache2/conf/server.crt.old_04-03-2020
# sudo mv /opt/bitnami/apache2/conf/server.key /opt/bitnami/apache2/conf/server.key.old_04-03-2020
# sudo mv /opt/bitnami/apache2/conf/server.csr /opt/bitnami/apache2/conf/server.csr.old_04-03-2020
# sudo ln -sf /opt/bitnami/letsencrypt/certificates/example.com.key /opt/bitnami/apache2/conf/server.key
# sudo ln -sf /opt/bitnami/letsencrypt/certificates/example.com.crt /opt/bitnami/apache2/conf/server.crt
# sudo ln -sf /opt/bitnami/letsencrypt/certificates/example.com.csr /opt/bitnami/apache2/conf/server.csr
# sudo chown root:root /opt/bitnami/apache2/conf/server*
# sudo chmod 600 /opt/bitnami/apache2/conf/server*
# sudo /opt/bitnami/ctlscript.sh start
/opt/bitnami/mysql/scripts/ctl.sh : mysql started at port 3306
/opt/bitnami/php/scripts/ctl.sh : php-fpm started
Syntax OK
/opt/bitnami/apache2/scripts/ctl.sh : httpd started at port 80
Pulling the new serial number:
# openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null 2>/dev/null | openssl x509 -text -noout | grep -A 1 Serial\ Number | tr -d :
Serial Number
030f1497fxxxxxxxxxxxxxxxxxxxxxxxx
Renewing the Let's Encrypt certificate with a cron job:
# cat /opt/bitnami/letsencrypt/scripts/renew-certificate.sh
#!/bin/bash
sudo /opt/bitnami/ctlscript.sh stop apache
sudo /opt/bitnami/letsencrypt/lego --tls --email="example@gmail.com" --domains="example.com" --domains="www.example.com" --path="/opt/bitnami/letsencrypt" renew --days 90
sudo /opt/bitnami/ctlscript.sh start apache
# sudo chmod +x /opt/bitnami/letsencrypt/scripts/renew-certificate.sh
# crontab -l | grep -v "#"
0 0 1 * * /opt/bitnami/letsencrypt/scripts/renew-certificate.sh 2> /dev/null
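A hardened version of the cron renewal script above, added here as an example and not taken from the post, from Bitnami or from lego. It keeps the post's lego command and paths but restarts Apache from an EXIT trap even when renewal fails (the original starts it unconditionally but never reports failure), refuses to continue when the key and certificate no longer match (Apache will not start with a mismatched pair), checks that the renewed certificate is good for more than 30 days, records the serial before and after, and appends to a log file instead of the original `2> /dev/null`. The log path and the 30-day threshold are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: hardened renewal script for the
# Bitnami/lego setup described above. Paths and the lego command are the post's;
# LOG and the 30-day post-renewal validity check are assumptions.
set -euo pipefail

LEGO=/opt/bitnami/letsencrypt/lego
CERT_DIR=/opt/bitnami/letsencrypt/certificates
CTL=/opt/bitnami/ctlscript.sh
DOMAIN=example.com
LOG=/var/log/letsencrypt-renew.log          # assumed location
MIN_VALID_SECONDS=$((30 * 24 * 3600))       # assumed threshold: new cert must last > 30 days

# 0 if the private key and the certificate carry the same public key (RSA or ECDSA).
# Apache refuses to start on a mismatch, so this is checked before it is restarted.
key_matches_cert() {
    local key=$1 crt=$2
    [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" = "$(openssl x509 -in "$crt" -noout -pubkey)" ]
}

# Serial of a PEM certificate as lowercase hex without the "serial=" prefix.
cert_serial_from_file() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//' | tr 'A-F' 'a-f'
}

# 0 if the certificate expires within the given number of seconds.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

log() { printf '%s %s\n' "$(date '+%F %T')" "$*"; }

renew() {
    local key=$CERT_DIR/$DOMAIN.key crt=$CERT_DIR/$DOMAIN.crt before after
    before=$(cert_serial_from_file "$crt")
    # lego --tls listens on 443, so Apache must be stopped; the EXIT trap brings it
    # back whether or not lego or one of the checks below fails.
    sudo "$CTL" stop apache
    trap 'sudo "$CTL" start apache' EXIT
    sudo "$LEGO" --tls --email="example@gmail.com" --domains="$DOMAIN" \
        --domains="www.$DOMAIN" --path="/opt/bitnami/letsencrypt" renew --days 90
    after=$(cert_serial_from_file "$crt")
    if ! key_matches_cert "$key" "$crt"; then
        log "ERROR: $key does not match $crt; Apache will not start cleanly"
        return 1
    fi
    if cert_expires_within "$crt" "$MIN_VALID_SECONDS"; then
        log "ERROR: renewed certificate still expires within 30 days"
        return 1
    fi
    log "renewed $DOMAIN: serial $before -> $after"
}

# Run from cron as:  0 0 1 * * /opt/bitnami/letsencrypt/scripts/renew-certificate.sh --run
if [ "${1:-}" = "--run" ]; then
    renew >>"$LOG" 2>&1
fi
```

The public-key comparison is used rather than the RSA-only modulus trick so the same check keeps working if lego is later switched to an ECDSA key. Because the post symlinks `server.crt` and `server.key` straight into lego's certificate directory, a renewal replaces the files in place; the serial logged before and after is the quickest way to confirm the swap actually happened.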
Want more updates on this? Follow the Let's Encrypt community thread linked below:
[+] Revoking certain certificates on March 4: https://community.letsencrypt.org/t/revoking-certain-certificates-on-march-4/114864/147
Regards,
Dinesh Rathee
[+] https://dev.to/dineshrathee12
[+] https://github.com/dineshrathee12
[+] https://www.linkedin.com/in/%E2%80%8Bdineshrathee12
Top comments (2)
I'm not sure if this would be related but coincidentally our entire VPN Cisco infrastructure went to hell today.
I would assume these are responsible =/
++ community.letsencrypt.org/t/revoki...
Add it to the thread.. They might look into it ;)