diziet: (Default)
[personal profile] diziet
Let's Encrypt have rather quietly announced (sadly, requires discourse JS!) that they are going to revoke a very large number of certificates.

These revocations will start "no earlier than" 00:00 UTC tonight (24:00 on the 3rd of March), a little over 9h from now. Affected websites etc. may stop working.

I discovered this at about lunchtime UK time today; two of my certs were affected. xenproject.org and linuxfoundation.org are listed as affected and I am trying to get in touch with the hosting provider to get it fixed. One of the domains we in the Xen Project run ourselves, with the help of the contractors who do much of our sysadmin, is affected - and those contractors (who are very competent) didn't know until I told them.

tl;dr: If you are responsible for any Let's Encrypt certificates, check it right away and maybe panic now!


edited 2020-03-03 15:35 to fix arithmetic error

Censored!

Date: 2020-03-03 07:50 pm (UTC)
From: (Anonymous)
Unfortunately, the service that checks if a certificate is affected is inaccessible in Russia "thanks" to the government's attempts to block Telegram. See https://isitblockedinrussia.com/?host=https%3A%2F%2Funboundtest.com%2F

The list of affected serial numbers is still downloadable.

(no subject)

Date: 2020-03-04 01:16 am (UTC)
sweh: (Default)
From: [personal profile] sweh
Is your LetsEncrypt account associated with a valid email address? They claimed they'd sent out emails to affected people where they had an address on record.

My certs aren't impacted so I can't validate that.

BTW, you don't need Javascript to view that page; it degrades quite nicely, eg with lynx.

(no subject)

Date: 2020-03-04 05:37 pm (UTC)
sweh: (Default)
From: [personal profile] sweh
Yeah, CONTACT_EMAIL isn't a mandatory field. It's been there since Dec 2015 according to the change log :-) I think I started using it Feb 2016 (at least that's the timestamp in the account registration form). Wow, 4 years... doesn't seem that long ago!

You'll now start getting emails if a cert goes over 60 days old :-)

JS

Date: 2020-03-09 01:48 pm (UTC)
From: [identity profile] mirbsd.org
Hm, interesting. I have enabled the CDN in RequestPolicy in Firefox, and the page’s still blank, but yes, it does render nicely in Lynx.

(I also just downloaded the huge list and grepped in it. Much easier than trying to figure out connections to some random site.)

Profile

diziet: (Default)
Ian Jackson
