Hi Everyone,
Issue / What this article is about ?
Let’s Encrypt have revoked around 3 million certs last night due to a bug that they found:
[+] https://www.zdnet.com/article/lets-encrypt-to-revoke-3-million-certificates-on-march-4-due-to-bug/
If you are impacted by this , Here's a guide:
- You can confirm impact by testing their domains on https://checkhost.unboundtest.com/
- You can also check if their certificate serial matches https://letsencrypt.org/caaproblem/
To pull your cert serial number with
“openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null 2>/dev/null | openssl x509 -text -noout | grep -A 1 Serial\ Number | tr -d :”
Please replace the "example.com" with your "domain" accordingly.
- If their current certs are bad, they will need to issue new certificates You can try using “certbot renew --force-renewal” or reach out to Letsencrypt
Also, providing some renewal steps, If you're using the Lego client which simplifies the process of Let’s Encrypt certificate generation.
Below is an example of a LightSail Instance with a Bitnami images and using Let’s Encrypt SSL certificates
Checking Serial Number :
# openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null 2>/dev/null | openssl x509 -text -noout | grep -A 1 Serial\ Number | tr -d :
Serial Number
03de7xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Renewing
# sudo /opt/bitnami/ctlscript.sh stop
Syntax OK
/opt/bitnami/apache2/scripts/ctl.sh : httpd stopped
/opt/bitnami/php/scripts/ctl.sh : php-fpm stopped
/opt/bitnami/mysql/scripts/ctl.sh : mysql stopped
# /opt/bitnami/letsencrypt/lego --tls --email="example@gmail.com" --domains="example.com" --domains="www.example.com" --path="/opt/bitnami/letsencrypt" run
2020/03/04 13:23:01 [INFO] [example.com, www.example.com] acme: Obtaining bundled SAN certificate
2020/03/04 13:23:02 [INFO] [example.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/2995801226
2020/03/04 13:23:02 [INFO] [www.example.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/2995801228
2020/03/04 13:23:02 [INFO] [example.com] acme: authorization already valid; skipping challenge
2020/03/04 13:23:02 [INFO] [www.example.com] acme: authorization already valid; skipping challenge
2020/03/04 13:23:02 [INFO] [example.com, www.example.com] acme: Validations succeeded; requesting certificates
2020/03/04 13:23:03 [INFO] [example.com] Server responded with a certificate.
# ls -lrt /opt/bitnami/letsencrypt/certificates/
total 16
-rw------- 1 root root 288 Mar 4 13:23 example.com.key
-rw------- 1 root root 237 Mar 4 13:23 example.com.json
-rw------- 1 root root 1648 Mar 4 13:23 example.com.issuer.crt
-rw------- 1 root root 3356 Mar 4 13:23 example.com.crt
# sudo mv /opt/bitnami/apache2/conf/server.crt /opt/bitnami/apache2/conf/server.crt.old_04-03-2020
# sudo mv /opt/bitnami/apache2/conf/server.key /opt/bitnami/apache2/conf/server.key.old_04-03-2020
# sudo mv /opt/bitnami/apache2/conf/server.csr /opt/bitnami/apache2/conf/server.csr.old_04-03-2020
# sudo ln -sf /opt/bitnami/letsencrypt/certificates/example.com.key /opt/bitnami/apache2/conf/server.key
# sudo ln -sf /opt/bitnami/letsencrypt/certificates/example.com.crt /opt/bitnami/apache2/conf/server.crt
# sudo ln -sf /opt/bitnami/letsencrypt/certificates/example.com.csr /opt/bitnami/apache2/conf/server.csr
# sudo chown root:root /opt/bitnami/apache2/conf/server*
# sudo chmod 600 /opt/bitnami/apache2/conf/server*
# sudo /opt/bitnami/ctlscript.sh start
/opt/bitnami/mysql/scripts/ctl.sh : mysql started at port 3306
/opt/bitnami/php/scripts/ctl.sh : php-fpm started
Syntax OK
/opt/bitnami/apache2/scripts/ctl.sh : httpd started at port 80
Pulling - New serial number :
# openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null 2>/dev/null | openssl x509 -text -noout | grep -A 1 Serial\ Number | tr -d :
Serial Number
030f1497fxxxxxxxxxxxxxxxxxxxxxxxx
Renew The Let’s Encrypt Certificate using Cron Job :
# cat /opt/bitnami/letsencrypt/scripts/renew-certificate.sh
#!/bin/bash
sudo /opt/bitnami/ctlscript.sh stop apache
sudo /opt/bitnami/letsencrypt/lego --tls --email="example@gmail.com" --domains="example.com" --domains="www.example.com" --path="/opt/bitnami/letsencrypt" renew --days 90
sudo /opt/bitnami/ctlscript.sh start apache
sudo chmod +x /opt/bitnami/letsencrypt/scripts/renew-certificate.sh
# crontab -l |grep -v "#"
0 0 1 * * /opt/bitnami/letsencrypt/scripts/renew-certificate.sh 2> /dev/null
Want to get more updates on this ??
-- Please reach out to letsencrypt community thread link below:
[+] Revoking certain certificates on March 4 : https://community.letsencrypt.org/t/revoking-certain-certificates-on-march-4/114864/147
Regards,
Dinesh Rathee
[+] https://dev.to/dineshrathee12
[+] https://github.com/dineshrathee12
[+] https://www.linkedin.com/in/%E2%80%8Bdineshrathee12
Oldest comments (2)
I'm not sure if this would be related but coincidentally our entire VPN Cisco infrastructure went to hell today.
I would assume these are responsible =/
++ community.letsencrypt.org/t/revoki...
Add it to thread .. They might look into ;)