Yesterday Let’s Encrypt announced that today, March 4, they will revoke 3 million certificates.
See details here:
Revoking certain certificates on March 4
In short: there was a bug in the Let’s Encrypt service. If a certificate is affected by that bug, it will be revoked by Let’s Encrypt, which means that site visitors will receive a security error. The revocation process will start today, March 4, at 20:00 UTC. So, according to that post, users have to check and renew the affected certificates manually.
Let’s Encrypt has sent an email notification to the owners of the affected certificates, but if there are a lot of domains, manual checking and manual renewal are neither convenient nor effective.
Also, the email notification can easily be missed.
That’s why we’ve released an urgent update for the SSL It! extension:
SSL It! - Plesk Extensions
The update should solve the issue automatically (actually, semi-automatically, see details below).
How it works:
- SSL It! already has an autorenewal task, which runs every hour by default
- this task goes through the domains, checks the expiration date of each certificate and, if required, autorenews the certificate
- we’ve added an additional check for the domain using the LE service: Check whether a host's certificate needs replacement. So, if the certificate is affected, SSL It! runs the autorenew procedure.
- if the certificate isn’t affected, SSL It! remembers that and doesn’t check it next time
Nuances:
- Most of the affected certificates are wildcard certificates. This means that if DNS isn’t powered by Plesk, a customer has to manually add (in this case, update) the required info in the domain’s DNS zone. If DNS is powered by Plesk, the renewal should pass automatically.
- We don’t fix the Panel certificate. It should be renewed manually.
If something goes wrong, it’s possible to turn off this functionality; see the changelog below.
The changelog:
Let's Encrypt has found a bug and revokes some of its SSL/TLS certificates on March 4. This improvement solves the issue. The SSL It! extension will check domains as a part of the "Autorenew" feature, then will renew and replace affected Let's Encrypt certificates. Future autorenew tasks will be done as usual when SSL/TLS certificates are about to expire.
To turn off the check and replacement of Let's Encrypt certificates affected by the bug, add the following lines to the panel.ini file:
[ext-sslit]
renewLetsEncryptRevokedCertificates = false
Note that the Let’s Encrypt extension is not updated yet: that extension is considerably more complex because of Plesk 12.5 and Plesk 17.0 support. We’re working on this.
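
The check flow from "How it works" and "Nuances", sketched as an added Python example; it is not SSL It! code. The inventory layout, the action names, the serial-keyed cache and all serial values are assumptions constructed for illustration, and the affected-serial list stands in for whatever source tells you a certificate is affected.

```python
# Added illustration: triage logic modelled on the flow described in the post.
# Names, data layout and serial values are assumptions, not SSL It! internals.
from dataclasses import dataclass

def normalize_serial(raw: str) -> str:
    """Canonical form for comparison: lowercase hex, no separators or leading zeros."""
    s = raw.strip().lower()
    if s.startswith("serial="):      # output style of `openssl x509 -noout -serial`
        s = s[len("serial="):]
    s = s.replace(":", "").replace(" ", "")
    if s.startswith("0x"):
        s = s[2:]
    int(s, 16)                        # raises ValueError for empty or non-hex input
    return s.lstrip("0") or "0"

@dataclass
class Cert:
    domain: str
    serial: str
    wildcard: bool
    dns_in_panel: bool                # True when the panel hosts the DNS zone

def triage(certs, affected_serials, cleared):
    """Return {domain: action}. `cleared` (serials already found unaffected) is updated in place."""
    affected = {normalize_serial(s) for s in affected_serials}
    plan = {}
    for c in certs:
        serial = normalize_serial(c.serial)
        if serial in cleared:
            plan[c.domain] = "skip-cached"        # checked before, not affected
        elif serial not in affected:
            cleared.add(serial)                   # remember, so it is not re-checked
            plan[c.domain] = "ok"
        elif c.wildcard and not c.dns_in_panel:
            plan[c.domain] = "renew-manual-dns"   # DNS record must be updated by hand
        else:
            plan[c.domain] = "renew-auto"
    return plan

# Constructed sample data (not real certificate serials).
AFFECTED = ["03a1b2c3d4e5f60718293a4b5c6d7e8f9012", "04FFEEDDCCBBAA99887766554433221100AB"]
INVENTORY = [
    Cert("shop.example", "serial=03A1B2C3D4E5F60718293A4B5C6D7E8F9012", False, True),
    Cert("*.corp.example", "04:ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:ab", True, False),
    Cert("blog.example", "03deadbeef00000000000000000000000001", False, True),
]

if __name__ == "__main__":
    print(triage(INVENTORY, AFFECTED, set()))
```

Keying the cache by serial rather than by domain means a renewed certificate, which has a new serial, is checked again instead of inheriting the old result.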