
PSA: LetsEncrypt revoking certain certificates on March 4, 2020

Open bryanus opened this issue 5 years ago • 3 comments

Full details: https://community.letsencrypt.org/t/revoking-certain-certificates-on-march-4/114864

I manually tested a few of my domains using their tool and they came back "ok", but I'm wondering what happens if they revoke an affected certificate. Will my renew job obtain a new certificate or will it simply skip it due to expiration being 30 days out? Is it better to delete all of my certificates and have all of my domains get new certificates instead? Is there a command to force a renewal regardless of expiration? TIA.

bryanus · Mar 04 '20 18:03

If you can get a full list of the domains in your system (from whatever storage backend you use), then just to surface a couple of the tools that are useful for checking these: https://checkhost.unboundtest.com/ or https://github.com/hannob/lecaa

Regarding how revoked certificates will be handled during renewals, I don't believe dehydrated will check for the revoked status during its regular checks (https://github.com/dehydrated-io/dehydrated/blob/307eaadddfd49aeafda6984f11e6731329372cd5/dehydrated#L1326-L1344). So unfortunately, even if the certificate has been revoked, I don't believe it will automatically renew until the expiration date is within 30 days. So that means you will need to more manually deal with this if you do have any revoked certificates.

Rather than bulk deleting all your certificates (to force renewals), I would probably try to use one of the above tools to determine what specific certificates are actually revoked (if any), and then only delete those (which should trigger a new renewal). Depending on how many certificates you have, if you bulk deleted all of them, you could run into rate limit issues in registering all the new ones at once, so that's why it might be safer to determine what specific certificates this issue affects.

To get a full list of the domains you have certificates for, this will depend on the storage adapter you're using, but here are some commands that might do the trick:

  • For file storage: ls -1 /etc/resty-auto-ssl/storage/file/*%3Alatest | sed 's#.*/\([^/]*\)%3Alatest#\1#g'
  • For redis storage: echo "KEYS '*:latest'" | redis-cli --raw -h your-redis-host | sed 's#\(.*\):latest#\1#'

GUI · Mar 05 '20 18:03
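A script that applies the approach above (list the stored domains, quarantine only the entries a checker reports as affected so auto-ssl reissues just those, and flag reported hostnames that are not in storage), added here as an example and not code from this thread or from lua-resty-auto-ssl. It assumes the file adapter's `<domain>%3Alatest` naming shown in the ls command, that moving an entry out of the storage directory triggers a fresh issuance the same way deleting it does, and that the checker output is one hostname per line.

```python
"""Quarantine only the affected lua-resty-auto-ssl file-storage entries.

Assumptions (not from the original thread): storage files are named
<percent-encoded domain>%3Alatest, as in the ls/sed one-liner above; moving
an entry out of the storage dir makes auto-ssl request a new certificate on
the next request for that domain (same effect as deleting it); the list of
affected hostnames comes from whatever checker you ran, one per line.
"""
import os
import time
from urllib.parse import unquote

SUFFIX = "%3Alatest"  # ":latest", percent-encoded by the file adapter


def stored_domains(storage_dir):
    """Map domain -> storage file path for every '<domain>:latest' entry."""
    out = {}
    for name in os.listdir(storage_dir):
        if name.endswith(SUFFIX):
            domain = unquote(name[: -len(SUFFIX)]).lower()
            out[domain] = os.path.join(storage_dir, name)
    return out


def parse_affected(text):
    """Hostnames from checker output: one per line; blanks and '#' lines ignored."""
    hosts = set()
    for line in text.splitlines():
        line = line.strip().lower()
        if line and not line.startswith("#"):
            hosts.add(line)
    return hosts


def quarantine_revoked(storage_dir, affected, dry_run=True):
    """Move only affected entries aside so auto-ssl renews just those.

    Returns (moved, unknown): domains moved (or that would be moved in a dry
    run) and affected hostnames with no stored certificate, so a typo in the
    checker output is reported instead of silently ignored.
    """
    stored = stored_domains(storage_dir)
    moved, unknown = [], []
    stamp = time.strftime("%Y%m%dT%H%M%S")
    for host in sorted(affected):
        path = stored.get(host)
        if path is None:
            unknown.append(host)
            continue
        if not dry_run:
            # Rename rather than delete: keeps the old cert/key for rollback.
            os.rename(path, f"{path}.revoked-{stamp}")
        moved.append(host)
    return moved, unknown
```

Run with `dry_run=True` first and review the `unknown` list; only the entries moved are re-issued, which keeps a 500-domain deployment well inside the rate limits mentioned above.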

As one further note, Let's Encrypt has delayed the revocation for certificates that have not been renewed yet: https://community.letsencrypt.org/t/2020-02-29-caa-rechecking-bug/114591/3. So while this is perhaps a bit less urgent, it would still be good to check for any impacted certificates and deal with those soon.

There's not a specific time frame of when further revokes may occur, but it does sound like they'll try to deal with those later:

We plan to revoke more certificates as we become confident that doing so will not be needlessly disruptive to Web users.

GUI · Mar 05 '20 18:03

Thanks @GUI. Didn't know there were tools to do bulk host checking. I have about 500 domains and none of them appear to be affected by this bug! Phew! Thanks again.

bryanus · Mar 05 '20 19:03