Let's Encrypt will revoke 3 million certificates on March 4 2020

ciao70

Hello,

Download affected certificate serials for 2020.02.29 CAA Rechecking Incident




 

ciao70

Incident Status

Security Issue

[Identified] Due to the 2020.02.29 CAA Rechecking Bug, we unfortunately need to revoke 2.6% of active Let’s Encrypt TLS/SSL certificates. We are in the process of notifying some Let's Encrypt users that their certificates will be revoked on 04 March 2020. Updates are available on our community forum community.letsencrypt.org/t/revoking-certain-certificates-on-march-4/114864


If you want to double check whether a given hostname still needs its certificate replaced, you can use the tool at https://checkhost.unboundtest.com/
 

panayot

I just received an email from Let's Encrypt about revocation of a certificate tomorrow. I am running an older version of cPanel (76) and one of the domains there is affected. I am not sure if this is an issue with all cPanel servers. Let's Encrypt are revoking 2.6% of all of their certificates (3 million).

Anyone know how to force cPanel to renew an AutoSSL certificate?

Here is the email that I got:
===========================================
ACTION REQUIRED: Renew these Let's Encrypt certificates by March 4

We recently discovered a bug in the Let's Encrypt certificate authority code,
described here:

https://community.letsencrypt.org/t/2020-02-29-caa-rechecking-bug/114591

Unfortunately, this means we need to revoke the certificates that were affected
by this bug, which includes one or more of your certificates. To avoid
disruption, you'll need to renew and replace your affected certificate(s) by
Wednesday, March 4, 2020. We sincerely apologize for the issue.

If you're not able to renew your certificate by March 4, the date we are
required to revoke these certificates, visitors to your site will see security
warnings until you do renew the certificate. Your ACME client documentation
should explain how to renew.

If you are using Certbot, the command to renew is:

certbot renew --force-renewal

If you need help, please visit our community support forum:
https://community.letsencrypt.org/t/revoking-certain-certificates-on-march-4/114864

Please search thoroughly for a solution before you post a new question. Let's
Encrypt staff will help our community try to answer unresolved questions as
quickly as possible.
 

cPanelLauren

Forums Analyst II
Staff member
I combined the two threads here in relation to this issue.

In reference to @ciao70's initial post and Let's Encrypt's announcements for certificate revocation, there are some things to be aware of:


For cPanel & WHM users using the Let's Encrypt Provider for AutoSSL

  • AutoSSL runs daily during maintenance and will detect certificates that have been revoked and reissue the certificates

  • If your certificate is affected and your AutoSSL run already occurred (update for the night has already happened) you can manually run AutoSSL using the instructions to force an AutoSSL run below

If you'd like to get a new certificate now you can do the following:

  • From WHM: go to WHM>>SSL/TLS>>Manage SSL Hosts -> Delete the affected certificate

  • From cPanel: go to cPanel>>Security>>SSL/TLS -> Manage SSL Sites -> Delete the affected certificate

  • From CLI: whmapi1 delete_ssl_vhost host=example.com

  • To force an AutoSSL run:
    • Code:
      /usr/local/cpanel/bin/autossl_check --all
    • From WHM: go to WHM > SSL/TLS > Manage AutoSSL and select 'Run AutoSSL For All Users'.

    • From cPanel: go to cPanel>>Security>>SSL/TLS Status -> Run AutoSSL

If you're experiencing issues after running the new AutoSSL check, please let us know and we'll be happy to help.
 
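An added example, not part of the thread and not cPanel's or Let's Encrypt's own tooling: a way to check whether the certificate a host serves is on the affected-serials list mentioned in the first post. It assumes the list has been downloaded and decompressed to a local text file whose lines contain hex serials; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumption: the affected-serials list has been downloaded and
# decompressed to a text file whose lines contain hex serial numbers.

# "serial=03A1:B2..." (openssl output) -> bare lowercase hex
normalize_serial() {
    printf '%s' "$1" | sed -e 's/^[Ss]erial=//' | tr -d ': \n' | tr 'A-F' 'a-f'
}

# Serial of a PEM certificate on disk.
serial_of_pem() {
    normalize_serial "$(openssl x509 -in "$1" -noout -serial 2>/dev/null)"
}

# Serial of the leaf certificate a host serves right now (needs network).
serial_of_host() {
    normalize_serial "$(openssl s_client -connect "$1:${2:-443}" \
        -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -serial 2>/dev/null)"
}

# Exit 0: serial is in the list, 1: not listed, 2: no serial or no list.
serial_in_list() {
    s=$(normalize_serial "$1")
    # An empty pattern would match every line, so treat it as an error.
    [ -n "$s" ] && [ -r "$2" ] || return 2
    # -w: whole-token match, so a prefix of a longer serial does not count.
    tr 'A-F' 'a-f' <"$2" | grep -qwF -- "$s"
}

# Usage: script HOST LISTFILE
if [ "$#" -eq 2 ]; then
    serial_in_list "$(serial_of_host "$1")" "$2"
    case $? in
        0) echo "$1: served certificate is on the affected list; reissue it" ;;
        1) echo "$1: served certificate is not on the affected list" ;;
        *) echo "$1: could not read a serial or the list" >&2 ;;
    esac
fi
```

Running it again after the forced AutoSSL run shows whether the replacement certificate is the one being served.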