Let's Encrypt revoking certain certificates on March 4

This is worth reading if you use Let’s Encrypt: 3 million certs are going to be revoked tomorrow:

I just did some zgreps on the 316M TGZ that contains the list of affected certs, and Webarchitects have a significant number that will be revoked tomorrow. I’m going to try to update them all tonight, but I expect I’ll miss a few; this could well hit others too.

Thanks.

We spotted this and got one email from them about one of our domains. I have removed a couple of details:

Starting Feb. 19, 2020, Let's Encrypt began making multiple domain validation 
requests from diverse network vantage points. More info here: 
https://community.letsencrypt.org/t/acme-v1-v2-validating-challenges-from-multiple-network-vantage-points/112253

We are excited to be able to turn on this feature with little to no 
interference with your integration. We expect this feature to affect less than 
1% of all domain validations from the Let's Encrypt certificate authority. 
That's better security, by default, for you and your customers.

Your ACME account ID ******** may have some errors and failed validations 
due to the multiple vantage point validation feature. We suggest you monitor 
your implementation when the feature is turned on and make any fixes necessary.

In case you're having trouble locating your affected system(s): your ACME 
account recently requested a certificate on 2020-02-07 for: 
foobarr.org

The best way to test compatibility for this feature is to perform test 
issuances in our staging environment where the new requirement is already 
enabled: https://letsencrypt.org/docs/staging-environment/

Exception:

If you need extra time to work on getting your integration ready for multiple 
vantage point validation, we will have an exception list available through June 
1, 2020: https://forms.gle/9QN7dxALJVAoRjMKA

This exception list is temporary. After June 1, 2020, you will be using the 
multiple vantage point feature and may experience increased domain validation 
failure rates unless you take action to ensure compatibility.

Getting Help:

Our expert community, including Let's Encrypt staff and many client developers, 
monitor our community forum and are available to help if you get stuck. 
https://community.letsencrypt.org/

The best way to keep up-to-date on this new feature (and all API-related Let's 
Encrypt announcements) is to subscribe to our API announcements by clicking the 
bell in the top right corner of this page: 
https://community.letsencrypt.org/c/api-announcements/

Best,

The Let's Encrypt Team

Hope that helps!

:+1:
We’ve done ours. Good that LE have revoked the buggy certs, bit of a nuisance though!

1 Like

Have they actually revoked the certs yet?

Here is a match on one of our development servers:

```
zgrep 04b1370d0e4b2363f63392bd51a71be720db caa-rechecking-incident-affected-serials.txt.gz
serial 04b1370d0e4b2363f63392bd51a71be720db 70346509 cfe74f9b76a91f8108be642fa064f3d36d5ab9e48eb291af38e7a44f23628177 names: [cloud.wsh.webarchitects.org.uk nextcloud.wsh.webarchitects.org.uk www.nextcloud.wsh.webarchitects.org.uk] missing CAA checking results for cloud.wsh.webarchitects.org.uk at 2020-02-25 14:37:54.161482074 +0000 UTC
```

This cert hasn’t been replaced (in order that I could test the revocation…) and it is still marked as not revoked:

SSL_Labs

So perhaps they haven’t started doing it yet; they said they would from 00:00 UTC today…
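The same check as the zgrep above, written out as an added example (this is not code from the thread or from Let’s Encrypt’s own tooling). It parses the one-cert-per-line format the list uses, as shown in the match quoted above, normalises a serial pasted from openssl or browser output (uppercase, colon-separated, `serial=` prefix) into the list’s lowercase form so the two compare correctly, and also lets you search by hostname, which is handy when you have many certs and no serials to hand. The sample list is constructed from the one real line quoted above plus a made-up second entry; the dataclass and function names are my own.

```python
import gzip
import io
import re
import sys
from dataclasses import dataclass, field


@dataclass
class AffectedCert:
    serial: str                 # lowercase hex, no colons, as printed in the list
    reg_id: str                 # account/registration id column
    fingerprint: str            # sha256 fingerprint column
    names: list = field(default_factory=list)   # hostnames from the "names: [...]" field
    reason: str = ""            # trailing text, e.g. "missing CAA checking results for ... at ..."


# Line format of caa-rechecking-incident-affected-serials.txt.gz, as in the post above.
LINE_RE = re.compile(
    r"^serial (?P<serial>[0-9a-fA-F]+) (?P<reg>\S+) (?P<fp>[0-9a-fA-F]+) "
    r"names: \[(?P<names>[^\]]*)\] ?(?P<reason>.*)$"
)

# Constructed sample list: first line is the real match quoted in the thread,
# second line is a made-up entry (hypothetical account id, fingerprint and names).
SAMPLE_LIST = "\n".join([
    "serial 04b1370d0e4b2363f63392bd51a71be720db 70346509 "
    "cfe74f9b76a91f8108be642fa064f3d36d5ab9e48eb291af38e7a44f23628177 "
    "names: [cloud.wsh.webarchitects.org.uk nextcloud.wsh.webarchitects.org.uk "
    "www.nextcloud.wsh.webarchitects.org.uk] missing CAA checking results for "
    "cloud.wsh.webarchitects.org.uk at 2020-02-25 14:37:54.161482074 +0000 UTC",
    "serial 03a0b1c2d3e4f50617283940516273849501 70346510 " + "00" * 31 + "01 "
    "names: [example.org www.example.org] missing CAA checking results for "
    "example.org at 2020-02-25 15:00:00.000000000 +0000 UTC",
]).encode("utf-8") + b"\n"


def normalize_serial(text):
    """Turn 'serial=04:B1:...' / '0x04b1...' / '04b1...' into comparable lowercase hex.
    Leading zeros are stripped so '04:b1...' (openssl) and '4b1...' (some UIs) match."""
    s = text.strip()
    if s.lower().startswith("serial="):
        s = s[len("serial="):]
    s = s.strip()
    if s.lower().startswith("0x"):
        s = s[2:]
    s = re.sub(r"[:\s]", "", s).lower()
    if not s or any(c not in "0123456789abcdef" for c in s):
        raise ValueError("not a hex serial: %r" % text)
    return s.lstrip("0") or "0"


def parse_line(line):
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return AffectedCert(
        serial=m.group("serial").lower(),
        reg_id=m.group("reg"),
        fingerprint=m.group("fp").lower(),
        names=m.group("names").split(),
        reason=m.group("reason").strip(),
    )


def load_affected_list(source):
    """Parse the gzip-compressed list from a path (str) or in-memory bytes.
    Lines that do not match the expected format are skipped."""
    raw = io.BytesIO(source) if isinstance(source, bytes) else source
    entries = []
    with gzip.open(raw, "rt", encoding="utf-8") as fh:
        for line in fh:
            entry = parse_line(line)
            if entry is not None:
                entries.append(entry)
    return entries


def find_by_serial(entries, serial):
    want = normalize_serial(serial)
    for e in entries:
        if normalize_serial(e.serial) == want:
            return e
    return None


def find_by_name(entries, hostname):
    host = hostname.strip().lower().rstrip(".")
    return [e for e in entries if host in (n.lower() for n in e.names)]


def build_sample_gz():
    """Compress the constructed sample so the example runs without the real 316M file."""
    return gzip.compress(SAMPLE_LIST)


if __name__ == "__main__":
    # python check_affected.py caa-rechecking-incident-affected-serials.txt.gz serial=04B1370D...
    path, serial = sys.argv[1], sys.argv[2]
    hit = find_by_serial(load_affected_list(path), serial)
    print("AFFECTED: %s" % " ".join(hit.names) if hit else "not in list")
```

To feed it a live server’s serial, `openssl s_client -connect host:443 -servername host </dev/null 2>/dev/null | openssl x509 -noout -serial` prints the `serial=...` form the normaliser accepts. Being in the list only says the cert was affected; to see whether it has actually been revoked yet, `openssl x509 -noout -ocsp_uri -in cert.pem` gives the responder URL and `openssl ocsp -issuer chain.pem -cert cert.pem -url <that URL>` queries it directly rather than waiting for a third-party scanner to re-test.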

Ah, revocation has been delayed; we have until 8pm tonight:

It appears that certs that should have been revoked haven’t been, for example test nextcloud.wsh.webarchitects.org.uk using the online testing tool, which reports:

The certificate currently available on nextcloud.wsh.webarchitects.org.uk needs renewal because it is affected by the Let’s Encrypt CAA rechecking problem. Its serial number is 04b1370d0e4b2363f63392bd51a71be720db. See your ACME client documentation for instructions on how to renew a certificate.

However, at SSLLabs it is reported as not revoked; you can check it is testing the same cert using the serial number above.

Furthermore, I’m not getting any errors with the cert in Firefox. I’m not sure what is going on here — as far as I can see the cert hasn’t been revoked.

I believe they may be doing the revoking in batches.
I’ll try and find out from some people in the SSL world and report back if I hear anything.

1 Like

So, in the end, they decided to only revoke 1,706,505 replaced certs and a small number which had “CAA records that forbid issuance by Let’s Encrypt”:

So that explains why the ones I didn’t replace in order to test the effect of the revocation haven’t been revoked…

1 Like