
Issue Let's Encrypt - CAA Rechecking Bug - Revoking certificates on March 4

futureweb

Regular Pleskian
Hey there,

some of you may already know about the "CAA Rechecking Bug" which affects lots of Let's Encrypt Certs (all Certs for Domains with a CAA DNS Record are affected) ... all those Certs will be revoked tomorrow, 4 March ...
All of the affected Certs need to be re-issued ... otherwise the Website will throw an SSL Error starting tomorrow ...

Infos:

Also a Question ... is there a possibility to tell Plesk to Re-Issue ALL LE Certs? Panel Side and also Customer Certs ... ?

thx, bye from snowy Austria
Andreas Schnederle-Wagner
 
911 !!!!!

Plesk, please provide a solution to this ASAP. How do we trigger a mass update for all certs?

thanks
 
Please note: You won't have to renew all of your certificates. Only those that are affected. Renewing ALL of your certificates on the server will probably make you run into the rate limits of Let's Encrypt.

Let's Encrypt has provided a list of all 3 million certificates that are affected.

So you should attack this issue with some structured method:
1) Find all affected certificates
2) Renew the affected certificates

I suggest you read the thread here first, there are several suggestions on how to do it:
Revoking certain certificates on March 4

FYI: I checked all our servers with the following (very basic) script:
Code:
#!/bin/bash
# Fetch the list of affected serials published by Let's Encrypt
mkdir -p /root/letsencrypt-fix
cd /root/letsencrypt-fix
wget https://d4twhgtvn0ff5.cloudfront.net/caa-rechecking-incident-affected-serials.txt.gz
gzip -d caa-rechecking-incident-affected-serials.txt.gz
# Plesk keeps the admin DB password here; exported as MYSQL_PWD the mysql client
# picks it up from the environment, so it does not show up in the process list
export MYSQL_PWD=$(cat /etc/psa/.psa.shadow)
CERTDIR=/usr/local/psa/var/certificates
# Certificate files of all Let's Encrypt certificates known to Plesk
CERTS=$(/usr/bin/mysql -u admin psa -sNe "SELECT cert_file FROM certificates WHERE name LIKE 'Lets Encrypt %'")
for certfile in $CERTS ; do
  # Serial as plain lowercase hex without colons, the format used in the published list
  SERIAL=$(/usr/bin/openssl x509 -noout -serial -in "$CERTDIR/$certfile" 2>/dev/null | cut -d= -f2 | tr 'A-F' 'a-f')
  # Skip unreadable files: an empty grep pattern would match every line of the list
  [ -n "$SERIAL" ] && grep -i "$SERIAL" caa-rechecking-incident-affected-serials.txt
done

This gave me a list of all matching serials. In the end I only had 13 affected customers so I did not write a script to renew those certificates, I simply did it by hand.

You could script it using plesk bin extension --exec letsencrypt cli.php, as explained here: plesk/letsencrypt-plesk
 
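The same check as a stand-alone Python script, added here as an example and not part of the script posted above or of Plesk's own tooling. It reads the serial straight out of the certificate's DER encoding (no openssl or third-party module needed) and compares serials as integers, so colons, upper/lower case and leading zeros in either the certificate file or the published list cannot cause a missed match. The certificate names, the PEM blobs and the list lines are constructed stand-ins for testing, not real Let's Encrypt data; on a Plesk host you would feed it the files under /usr/local/psa/var/certificates and the downloaded serial list instead.

```python
"""Match certificate serials against a published list of affected serials.

Added example (not the forum script). Certificate data below is constructed.
"""
import base64
import re


def _tlv(buf: bytes, off: int):
    """Decode one DER tag/length header at `off`; return (tag, value_start, value_len)."""
    tag = buf[off]
    first = buf[off + 1]
    if first < 0x80:                      # short-form length
        return tag, off + 2, first
    n = first & 0x7F                      # long form: next n bytes hold the length
    return tag, off + 2 + n, int.from_bytes(buf[off + 2:off + 2 + n], "big")


def serial_from_der(der: bytes) -> int:
    """Walk Certificate -> tbsCertificate -> [0] version (optional) -> serialNumber."""
    tag, off, _ = _tlv(der, 0)            # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, off, _ = _tlv(der, off)          # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("missing tbsCertificate")
    tag, val, length = _tlv(der, off)
    if tag == 0xA0:                       # EXPLICIT [0] version is optional; skip it
        tag, val, length = _tlv(der, val + length)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(der[val:val + length], "big")   # a leading 0x00 pad byte is harmless here


def serial_from_pem(pem: str) -> int:
    """Serial of the first certificate in a PEM file (in a chain file that is the leaf)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return serial_from_der(base64.b64decode("".join(m.group(1).split())))


def parse_serial_text(text: str) -> int:
    """Normalise a serial written as hex in any common style: 'serial=03AB..', '03:ab:..', '03ab..'."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", text.split("=", 1)[-1])
    if not hexdigits:
        raise ValueError("no hex digits in serial %r" % text)
    return int(hexdigits, 16)


def load_affected_list(lines) -> set:
    """Build the lookup set from the published list, ignoring blank lines."""
    return {parse_serial_text(line) for line in lines if line.strip()}


def affected_certs(certs: dict, affected: set) -> list:
    """Names of the certificates (name -> PEM text) whose serial is in the affected set."""
    return sorted(name for name, pem in certs.items() if serial_from_pem(pem) in affected)


# --- constructed sample data: certificate-shaped DER blobs, not real certificates ---
def _der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (only used to build the samples)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        size = (n.bit_length() + 7) // 8
        length = bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + content


def _sample_pem(serial_hex: str) -> str:
    """Only the fields up to serialNumber are meaningful; the rest is placeholder."""
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, bytes.fromhex(serial_hex)) + _der(0x30, b""))
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"


SAMPLE_CERTS = {
    "Lets Encrypt example-a": _sample_pem("03a1b2c3d4e5f60718293a4b5c6d7e8f9a0b"),
    "Lets Encrypt example-b": _sample_pem("04deadbeef00112233445566778899aabbcc"),
    "Lets Encrypt example-c": _sample_pem("00ff0102030405060708090a0b0c0d0e0f10"),  # 0x00 pad: high bit set
}

# A published list could spell serials in any of these ways.
SAMPLE_LIST = [
    "03a1b2c3d4e5f60718293a4b5c6d7e8f9a0b",
    "",
    "FF:01:02:03:04:05:06:07:08:09:0A:0B:0C:0D:0E:0F:10",
]

if __name__ == "__main__":
    print("affected:", affected_certs(SAMPLE_CERTS, load_affected_list(SAMPLE_LIST)))
```

Comparing integers rather than strings is the point of the design: openssl prints serials as uppercase hex with `-serial` and as lowercase colon-separated bytes with `-text`, and a serial whose first byte has the high bit set carries an extra 0x00 in DER, so any string comparison needs the exact same spelling on both sides to be trusted.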
+1 for the script. Did work well.
And yes, I ended up doing the re-issuing by hand as well.

As much as I love "LetsEncrypt", this deadline was nearly impossible to meet. I got my email an hour ago - so I had a few hours only.
 
This issue must be resolved... Anyway, +1 for the script.
 
As written in my initial post - only Certs for Domains with CAA DNS Records are affected. (Not even sure if it's all of them, I would need to read deeper into the Bug.)

But as we use CAA Records heavily, for example we had one Server which had a few thousand Certs to be renewed ... good luck doing this manually ... ;-)

For the Rate Limits - no problem, as the Limits have been raised to big Numbers (after I ran into the newOrdersPerAccount Limit on the above-mentioned Server ...) - LE Support was great at responding to this ... not 30 Minutes later they had raised the Limits ...

Anyway - all our Certs have been renewed before the revocation, so for us the disaster is averted ... hope this Thread may help others ... ;-)

bye from snowy Austria
Andreas
 