• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue Let's Encrypt - CAA Rechecking Bug - Revoking certificates on March 4

futureweb

Regular Pleskian
Hey there,

some of you may already know about the "CAA Rechecking Bug" which affects lot's of Let's Encrypt Certs (all Certs for Domains with a CAA DNS Record are affected) ... all those Certs will be revoked tomorrow, 4. March ...
All of the affected Certs need to be re-issued ... otherwise the Website will throw SSL Error starting tomorrow ...

Infos:

Also a Question ... is there a possibility to tell Plesk to Re-Issue ALL LE Certs? Panel Side and also Customer Certs ... ?

thx, bye from snowy Austria
Andreas Schnederle-Wagner
 
911 !!!!!

plesk please provide a solution to this ASAP. how do we trigger a mass update for all certs.

thanks
 
Please note: You won't have to renew all of your certificates. Only those that are affected. Renewing ALL of your certificates on the server will probably let you run into the rate-limits of Let's Encrypt.

Let's Encrypt has provided a list of all 3 million certificates that are affected.

So you should attack this issue with some structured method:
1) Find all affected certificates
2) Renew the affected certificates

I suggest you read the thread here first, there are several suggestions how to do it:
Revoking certain certificates on March 4

FYI: I checked all our servers with the following (very basic) script:
Code:
mkdir /root/letsencrypt-fix
cd /root/letsencrypt-fix
wget https://d4twhgtvn0ff5.cloudfront.net/caa-rechecking-incident-affected-serials.txt.gz
gzip -d caa-rechecking-incident-affected-serials.txt.gz
MYSQL_PWD=`cat /etc/psa/.psa.shadow`
CERTDIR=/usr/local/psa/var/certificates
CERTS=$(/usr/bin/mysql -u admin -p$MYSQL_PWD psa -sNe "SELECT cert_file from certificates where name like 'Lets Encrypt %'")
for certfile in $CERTS ; do SERIAL=`/usr/bin/openssl x509 -text -noout -in $CERTDIR/$certfile | grep -A 1 Serial\ Number | tr -d : | grep -v "Serial Number" | sed 's/ //g'` ; grep $SERIAL caa-rechecking-incident-affected-serials.txt ; done

This gave me a list of all matching serials. In the end I only had 13 affected customers so I did not write a script to renew those certificates, I simply did it by hand.

You could script it using plesk bin extension --exec letsencrypt cli.php, as explained here: plesk/letsencrypt-plesk
 
+1 for the script. Did work well.
And yes, I ended up doing the re-issuing by hand as well.

As much as I love "LetsEncrypt" this deadline was nearly impossible to match. I got my email an hour ago - so I had a few hours only.
 
This issue must be resolved...anyway +1 for the script.





Code:
mkdir /root/letsencrypt-fix
cd /root/letsencrypt-fix
wget https://d4twhgtvn0ff5.cloudfront.net/caa-rechecking-incident-affected-serials.txt.gz
gzip -d caa-rechecking-incident-affected-serials.txt.gz
MYSQL_PWD=`cat /etc/psa/.psa.shadow`
CERTDIR=/usr/local/psa/var/certificates
CERTS=$(/usr/bin/mysql -u admin -p$MYSQL_PWD psa -sNe "SELECT cert_file from certificates where name like 'Lets Encrypt %'")
for certfile in $CERTS ; do SERIAL=`/usr/bin/openssl x509 -text -noout -in $CERTDIR/$certfile | grep -A 1 Serial\ Number | tr -d : | grep -v "Serial Number" | sed 's/ //g'` ; grep $SERIAL caa-rechecking-incident-affected-serials.txt ; done

--
JavaScript foreach
 
As written in my initial post - only Certs for Domains with CAA DNS Records are affected. (Not even sure if it's all of them, would need to read deeper into the Bug)

But as we strongly use CAA Records, for Example we had one Server which had a few thousand Certs to be renewed ... good luck doing this manually ... ;-)

For the Rate Limits - no problem as Limits have been risen to big Numbers (after I ran against newOrdersPerAccount Limit on the above mentiones Server ...) - LE Support was great at resposing to this ... no 30 Minutes later they have risen the Limits ...

Anyway - all our Certs have been renewed bevore the revoke, so for us the desaster is averted ... hope this Thread may help others ... ;-)

bye from snowy Austria
Andreas
 
Last edited:
Back
Top