DEV Community

Dinesh Rathee

LetsEncrypt Revoked certain certificates on March 4 - Are you Impacted or facing any SSL issues? - Check this !!

Hi Everyone,

Issue / What this article is about?

Let's Encrypt revoked around 3 million certificates last night due to a bug they found:
[+] https://www.zdnet.com/article/lets-encrypt-to-revoke-3-million-certificates-on-march-4-due-to-bug/

If you are impacted by this, here's a guide.

Pull your certificate's serial number with:

openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null 2>/dev/null | openssl x509 -text -noout | grep -A 1 Serial\ Number | tr -d :

Replace example.com with your own domain.

  • If your current certificate is affected, you will need to issue a new one. You can try `certbot renew --force-renewal` or reach out to Let's Encrypt.
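To make the check above repeatable, here is an added example (not part of the original post) that normalises the serial number printed by openssl and tests it against a list of affected serials, one per line. The sample certificate text and the list contents are constructed; `normalize_serial`, `serial_in_list` and `live_serial` are helper names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original post): normalise the serial number printed by
# "openssl x509 -text" and check it against a list of affected serials. The sample
# text and the list below are constructed for illustration.

# Turn the "Serial Number:" section of "openssl x509 -text" output (read from stdin)
# into one lowercase hex string with no colons or whitespace. Handles the
# colon-separated form that Let's Encrypt certificates print, whether the value
# sits on the same line or on the next one.
normalize_serial() {
    awk '/Serial Number:/ {
            sub(/.*Serial Number:[ \t]*/, "")
            if ($0 == "") getline
            print
            exit
         }' | tr -d ': \t\r' | tr 'A-F' 'a-f'
}

# Return 0 if serial $1 (any case, with or without colons) is listed in file $2
# (one serial per line); return 1 otherwise.
serial_in_list() {
    s=$(printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f')
    grep -qixF -- "$s" "$2"
}

# Fetch the certificate a host is serving right now and print its normalised serial.
# Same openssl pipeline as in the post, with the grep/tr steps replaced by normalize_serial.
live_serial() {  # $1 = hostname
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -text -noout | normalize_serial
}

# Constructed sample: the relevant part of "openssl x509 -text" output.
SAMPLE_X509_TEXT='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:de:7a:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee
        Signature Algorithm: sha256WithRSAEncryption'

# Stand-alone demo: build a constructed affected-serials list and check the sample.
demo() {
    list=$(mktemp)
    printf '%s\n' 03de7a00112233445566778899aabbccddee 0123456789abcdef0123456789abcdef > "$list"
    serial=$(printf '%s\n' "$SAMPLE_X509_TEXT" | normalize_serial)
    if serial_in_list "$serial" "$list"; then
        echo "serial $serial IS on the affected list: renew now"
    else
        echo "serial $serial is not on the affected list"
    fi
    rm -f "$list"
}
demo
```

For a live host, `live_serial example.com` prints the normalised serial, which can then be passed to `serial_in_list` together with the affected-serials file you obtained from Let's Encrypt.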

Below are renewal steps for the Lego client, which simplifies Let's Encrypt certificate generation.

[+] https://docs.bitnami.com/aws/how-to/generate-install-lets-encrypt-ssl/#step-1-install-the-lego-client

Below is an example from a Lightsail instance running a Bitnami image and using Let's Encrypt SSL certificates.

Checking the serial number:

#  openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null 2>/dev/null | openssl x509 -text -noout | grep -A 1 Serial\ Number | tr -d :
        Serial Number
            03de7xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Renewing:

#  sudo /opt/bitnami/ctlscript.sh stop
Syntax OK
/opt/bitnami/apache2/scripts/ctl.sh : httpd stopped
/opt/bitnami/php/scripts/ctl.sh : php-fpm stopped
/opt/bitnami/mysql/scripts/ctl.sh : mysql stopped
#  /opt/bitnami/letsencrypt/lego --tls --email="example@gmail.com" --domains="example.com" --domains="www.example.com" --path="/opt/bitnami/letsencrypt" run
2020/03/04 13:23:01 [INFO] [example.com, www.example.com] acme: Obtaining bundled SAN certificate
2020/03/04 13:23:02 [INFO] [example.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/2995801226
2020/03/04 13:23:02 [INFO] [www.example.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/2995801228
2020/03/04 13:23:02 [INFO] [example.com] acme: authorization already valid; skipping challenge
2020/03/04 13:23:02 [INFO] [www.example.com] acme: authorization already valid; skipping challenge
2020/03/04 13:23:02 [INFO] [example.com, www.example.com] acme: Validations succeeded; requesting certificates
2020/03/04 13:23:03 [INFO] [example.com] Server responded with a certificate.
#  ls -lrt  /opt/bitnami/letsencrypt/certificates/
total 16
-rw------- 1 root root  288 Mar  4 13:23 example.com.key
-rw------- 1 root root  237 Mar  4 13:23 example.com.json
-rw------- 1 root root 1648 Mar  4 13:23 example.com.issuer.crt
-rw------- 1 root root 3356 Mar  4 13:23 example.com.crt
#  sudo mv /opt/bitnami/apache2/conf/server.crt /opt/bitnami/apache2/conf/server.crt.old_04-03-2020
#  sudo mv /opt/bitnami/apache2/conf/server.key /opt/bitnami/apache2/conf/server.key.old_04-03-2020
#  sudo mv /opt/bitnami/apache2/conf/server.csr /opt/bitnami/apache2/conf/server.csr.old_04-03-2020

#  sudo ln -sf /opt/bitnami/letsencrypt/certificates/example.com.key /opt/bitnami/apache2/conf/server.key
#  sudo ln -sf /opt/bitnami/letsencrypt/certificates/example.com.crt /opt/bitnami/apache2/conf/server.crt
#  sudo ln -sf /opt/bitnami/letsencrypt/certificates/example.com.csr /opt/bitnami/apache2/conf/server.csr
#  sudo chown root:root /opt/bitnami/apache2/conf/server*

#  sudo chmod 600 /opt/bitnami/apache2/conf/server*

#  sudo /opt/bitnami/ctlscript.sh start
/opt/bitnami/mysql/scripts/ctl.sh : mysql  started at port 3306
/opt/bitnami/php/scripts/ctl.sh : php-fpm started
Syntax OK
/opt/bitnami/apache2/scripts/ctl.sh : httpd started at port 80

Pulling the new serial number:

#  openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null 2>/dev/null | openssl x509 -text -noout | grep -A 1 Serial\ Number | tr -d :
        Serial Number
            030f1497fxxxxxxxxxxxxxxxxxxxxxxxx

Renewing the Let's Encrypt certificate using a cron job:

# cat /opt/bitnami/letsencrypt/scripts/renew-certificate.sh
#!/bin/bash
sudo /opt/bitnami/ctlscript.sh stop apache
sudo /opt/bitnami/letsencrypt/lego --tls --email="example@gmail.com" --domains="example.com" --domains="www.example.com" --path="/opt/bitnami/letsencrypt" renew --days 90
sudo /opt/bitnami/ctlscript.sh start apache

#  sudo chmod +x /opt/bitnami/letsencrypt/scripts/renew-certificate.sh

# crontab -l |grep -v "#"
0 0 1 * * /opt/bitnami/letsencrypt/scripts/renew-certificate.sh 2> /dev/null
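The renewal and install steps above, as an added example script (not the post's transcript or Bitnami's renew-certificate.sh) that adds the checks I would want before swapping certificates on a live server: the function names, EMAIL and DOMAIN are placeholders; the /opt/bitnami paths are the ones shown on the page. Run it as root with `sh renew.sh run`.

```shell
#!/bin/sh
# Added example, not the post's or Bitnami's own script: the renewal steps from the
# transcript above wrapped in checks, so a failed renewal cannot leave Apache with a
# dangling symlink or a certificate that does not match its key. Paths are the Bitnami
# ones shown on the page; EMAIL and DOMAIN are placeholders.
set -u

BITNAMI=/opt/bitnami
LEGO_DIR=$BITNAMI/letsencrypt
APACHE_CONF=$BITNAMI/apache2/conf
EMAIL="example@gmail.com"   # placeholder
DOMAIN="example.com"        # placeholder

# Move a file aside with a date suffix (as the post does by hand); skip if it is absent.
backup_with_date() {  # $1 = path, $2 = date stamp such as 2020-03-04
    [ -e "$1" ] && mv "$1" "$1.old_$2"
    return 0
}

# Create symlink $2 -> $1 only when $1 is a regular file; otherwise report and return 1.
# lego writes <domain>.key, .crt, .issuer.crt and .json but no .csr (see the ls output
# above), so linking server.csr to a lego .csr path would give a dangling link.
link_if_exists() {  # $1 = target, $2 = link name
    if [ ! -f "$1" ]; then
        echo "skip: $1 does not exist" >&2
        return 1
    fi
    ln -sf "$1" "$2"
}

# Back up Apache's current server.* files and point server.key/server.crt at lego's output.
# $1 = lego certificates dir, $2 = Apache conf dir, $3 = domain, $4 = date stamp.
install_cert_links() {
    for f in key crt csr; do
        backup_with_date "$2/server.$f" "$4"
    done
    link_if_exists "$1/$3.key" "$2/server.key" || return 1
    link_if_exists "$1/$3.crt" "$2/server.crt" || return 1
    link_if_exists "$1/$3.csr" "$2/server.csr" || true   # optional: lego has none
    chmod 600 "$2"/server*
}

# Confirm the certificate's public key is the one derived from the private key.
cert_matches_key() {  # $1 = cert PEM, $2 = key PEM
    c=$(openssl x509 -noout -pubkey -in "$1") || return 1
    k=$(openssl pkey -pubout -in "$2") || return 1
    [ "$c" = "$k" ]
}

main() {
    stamp=$(date +%Y-%m-%d)
    "$BITNAMI/ctlscript.sh" stop apache            # lego --tls needs port 443 free
    if ! "$LEGO_DIR/lego" --tls --email="$EMAIL" --domains="$DOMAIN" \
            --domains="www.$DOMAIN" --path="$LEGO_DIR" run; then
        echo "lego failed; keeping the old certificate" >&2
        "$BITNAMI/ctlscript.sh" start apache
        return 1
    fi
    certs=$LEGO_DIR/certificates
    if ! cert_matches_key "$certs/$DOMAIN.crt" "$certs/$DOMAIN.key"; then
        echo "new cert and key do not match; not installing" >&2
        "$BITNAMI/ctlscript.sh" start apache
        return 1
    fi
    install_cert_links "$certs" "$APACHE_CONF" "$DOMAIN" "$stamp" || return 1
    chown root:root "$APACHE_CONF"/server*
    "$BITNAMI/ctlscript.sh" start apache
    openssl x509 -noout -serial -in "$certs/$DOMAIN.crt"   # show the new serial
}

# Only run the procedure when invoked with "run", so the functions can be sourced and tested.
if [ "${1:-}" = "run" ]; then
    main
fi
```

The script deliberately leaves server.csr unlinked when lego has not produced one, and it restarts Apache on every failure path so a broken renewal never leaves the site down. For the monthly cron job, lego's `--days` flag renews only when fewer than that many days remain on the certificate, so `--days 90` against a 90-day certificate renews on every run; a lower value such as 30 renews only when it is actually needed.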

Want more updates on this?

-- See the Let's Encrypt community thread linked below:

[+] Revoking certain certificates on March 4 : https://community.letsencrypt.org/t/revoking-certain-certificates-on-march-4/114864/147

Regards,
Dinesh Rathee
[+] https://dev.to/dineshrathee12
[+] https://github.com/dineshrathee12
[+] https://www.linkedin.com/in/%E2%80%8Bdineshrathee12


Top comments (2)

Chris C

I'm not sure if this would be related but coincidentally our entire VPN Cisco infrastructure went to hell today.

I would assume these are responsible =/

Dinesh Rathee

++ community.letsencrypt.org/t/revoki...

Add it to the thread.. They might look into it ;)
