Over Three Million Certificates From Let’s Encrypt Need To Be Revoked Due To Software Bug
Well this isn’t good. The free SSL certificate provider Let’s Encrypt is going to revoke 2.6% of the SSL certs issued by them that are currently active, due to a bug in boulder, the Certificate Authority Authorization (CAA) software Let’s Encrypt uses. Here are the key points from the FAQ that I linked to. Starting with the number of certificates affected:
2.6%. That is 3,048,289 currently-valid certificates are affected, out of ~116 million overall active Let’s Encrypt certificates. Of the affected certificates, about 1 million are duplicates of other affected certificates, in the sense of covering the same set of domain names.
And here’s when the revocation will take place:
In order to complete revocations before the deadline of 2020-03-05 03:00 UTC, we are planning to start revoking affected certificates at 2020-03-04 20:00 UTC (3:00pm US EST). Please continue to renew and replace affected certificates in the meantime. If there are any changes to this start time, updates will be provided in this thread.
And finally, here’s how to tell if you’re affected:
Here is an online tool that will show you: https://checkhost.unboundtest.com/
Or, on a Linux/BSD-like system, this command will show you example.com‘s current certificate serial number:
openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null 2>/dev/null | openssl x509 -text -noout | grep -A 1 Serial\ Number | tr -d :
You can see the list of all affected serial numbers at: https://letsencrypt.org/caaproblem/
To be clear, this is not trivial: if you don’t take action, whatever uses an affected certificate will either stop working or not work properly. Thus if you use certificates from this provider, you need to check whether they are affected, and if they are, you need to take action. If that’s you, I would read the FAQ and go forward from there.
This entry was posted on March 4, 2020 at 2:09 pm and is filed under Commentary with tags Let's Encrypt. You can follow any responses to this entry through the RSS 2.0 feed.