Let's Encrypt will revoke 3 million certificates on March 4 2020

[ciao70]

Hello,

Download affected certificate serials for 2020.02.29 CAA Rechecking Incident

Download affected certificate serials for 2020.02.29 CAA Rechecking Incident - Let's Encrypt

This page hosts the list of affected serial numbers and a hostname checking utility for the incident reported at https://community.letsencrypt.org/t/2020-02-29-caa-rechecking-bug/114591. We have sent notification emails to affected subscribers who have registered an email address. If you need to...

letsencrypt.org

2020.02.29 CAA Rechecking Bug

On 2020-02-29 UTC, Let’s Encrypt found a bug in our CAA code. Our CA software, Boulder, checks for CAA records at the same time it validates a subscriber’s control of a domain name. Most subscribers issue a certificate immediately after domain control validation, but we consider a validation...

community.letsencrypt.org

Revoking certain certificates on March 4

[Update 2020-03-05: The most up-to-date summary is at 2020.02.29 CAA Rechecking Bug] Due to the 2020.02.29 CAA Rechecking Bug, we unfortunately need to revoke many Let’s Encrypt TLS/SSL certificates. We’re e-mailing affected subscribers for whom we have contact information. This post and...

community.letsencrypt.org

 

[ciao70]

Incident Status

Security Issue

[Identified] Due to the 2020.02.29 CAA Rechecking Bug, we unfortunately need to revoke 2.6% of active Let’s Encrypt TLS/SSL certificates. We are in the process of notifying some Let's Encrypt users that their certificates will be revoked on 04 March 2020. Updates are available on our community forum community.letsencrypt.org/t/revoking-certain-certificates-on-march-4/114864


If you want to double check whether a given hostname still needs its certificate replaced, you can use the tool at https://checkhost.unboundtest.com/

 

[panayot]

I just received an email from Let's Encrypt about revocation of a certificate tomorrow. I am running an older version of cpanel (76) and one of the domains there is affected. I am not sure if this is an issue with all cpanel servers. Let's Encrypt are revoking 2.6% of all of their certificates (3 million).

Anyone know how to force cpanel to renew an AutoSSL certificate?

Here is the email that I got:
===========================================
ACTION REQUIRED: Renew these Let's Encrypt certificates by March 4

We recently discovered a bug in the Let's Encrypt certificate authority code,
described here:

https://community.letsencrypt.org/t/2020-02-29-caa-rechecking-bug/114591

Unfortunately, this means we need to revoke the certificates that were affected
by this bug, which includes one or more of your certificates. To avoid
disruption, you'll need to renew and replace your affected certificate(s) by
Wednesday, March 4, 2020. We sincerely apologize for the issue.

If you're not able to renew your certificate by March 4, the date we are
required to revoke these certificates, visitors to your site will see security
warnings until you do renew the certificate. Your ACME client documentation
should explain how to renew.

If you are using Certbot, the command to renew is:

certbot renew --force-renewal

If you need help, please visit our community support forum:
https://community.letsencrypt.org/t/revoking-certain-certificates-on-march-4/114864

Please search thoroughly for a solution before you post a new question. Let's
Encrypt staff will help our community try to answer unresolved questions as
quickly as possible.

 

[ciao70]

Hello,

New Thread - Download affected certificate serials for 2020.02.29 CAA Rechecking Incident

Hello, Download affected certificate serials for 2020.02.29 CAA Rechecking Incident https://letsencrypt.org/caaproblem/ https://community.letsencrypt.org/t/2020-02-29-caa-rechecking-bug/114591 https://community.letsencrypt.org/t/revoking-certain-certificates-on-march-4/114864

forums.cpanel.net

 

[cPanelLauren]

I combined the two threads here in relation to this issue.

In reference to the @ciao70's initial post and Let's Encrypt's announcements for certificate revocation, there are some things to be aware of:

• Let's Encrypt announced on their forum that the earliest they will begin revoking the affected certificates March 4 2020 at 00:00 UTC (12am)
  
  
• If your certificate is affected you should have received an email from them.
  
  
• You can see if you are affected by this by using the linked test Check whether a host's certificate needs replacement or by running the following:

  openssl s_client -connect example.com:443 -showcerts </dev/null 2>/dev/null | openssl x509 -text -noout | grep -A 1 Serial\ Number | tr -d :

  • The list of affected serial numbers is here: Download affected certificate serials for 2020.02.29 CAA Rechecking Incident - Let's Encrypt - Free SSL/TLS Certificates in the link to download the list here: caa-rechecking-incident-affected-serials.txt.gz
    
    
  • If you have a large number of domains they're recommending using the tool here: hannob/lecaa

For cPanel & WHM users using the Let's Encrypt Provider for AutoSSL

• AutoSSL runs daily during maintenance and will detect certificates that have been revoked and reissue the certificates
  
  
• If your certificate is affected and your AutoSSL run already occurred (update for the night has already happened) you can manually run AutoSSL using the instructions to force an AutoSSL run below

If you'd like to get a new certificate now you can do the following:

• From WHM: go to WHM>>SSL/TLS>>Manage SSL Hosts -> Delete the affected certificate
  
  
• From cPanel: go to cPanel>>Security>>SSL/TLS -> Manage SSL Sites -> Delete the affected certificate
  
  
• From CLI: whmapi1 delete_ssl_vhost host=example.com
  
  
• To force an AutoSSL run:

  • /usr/local/cpanel/bin/autossl_check --all

  • From WHM: go to WHM > SSL/TLS > Manage AutoSSL and select 'Run AutoSSL For All Users'.
    
    
  • From cPanel: go to cPanel>>Security>>SSL/TLS Status -> Run AutoSSL

If you're experiencing issues after running the new AutoSSL check, please let us know and we'll be happy to help.