[kwlug-disc] Let's Encrypt revoking all certificates tomorrow
John Sellens
jsellens at syonex.com
Tue Mar 3 14:49:41 EST 2020
It's only for a relatively small number of certificates, IIRC under a million.
If you're affected, you will have likely received mail with details.
The fix is just to force a renewal with

    certbot renew --force-renewal --cert-name=www.example.com

Check if you are affected and need to force renew:

    curl -XPOST -d 'fqdn=www.example.com' https://unboundtest.com/caaproblem/checkhost

or interactively at

    https://checkhost.unboundtest.com/

Easy to mitigate, but do it now. Deadline is March 4 I think.
Mikalai mentioned about multi-domain certs - in my infrastructure
I find it easier to avoid letsencrypt limits by using multi-domain
certs e.g. for 40 or 50 dev and staging sites.
Hope that's useful - cheers
John
On Tue, 2020/03/03 01:39:11PM -0500, Mikalai Birukou via kwlug-disc <kwlug-disc at kwlug.org> wrote:
| My context. I used to have multi-domain certs for TLS-ing web servers. No
| longer. Relying now on SNI checks.
|
| On 2020-03-03 1:11 p.m., CrankyOldBugger wrote:
| > https://www.cyberciti.biz/security/letsencrypt-is-revoking-certificates-on-march-4/
| > Apparently they found a bug so they're revoking all affected certificates.