18 votes

Let's Encrypt is revoking about 2.6% of active certificates on March 4th due to a bug in their CAA code

8 comments

  1. emdash
    I'm one of the lucky 2.6%! My personal sites and subdomains are all affected. Thankfully the certbot tool makes retrieving a new certificate dead easy. I'm just glad I don't have to ssh into a dozen other servers to repeat the same task.

    13 votes
    1. jcdl
      Mine too. Thankfully all of the domains and subdomains affected were on the same machine, which made it easy.

      3 votes
    2. xstresedg
      Thankfully the certbot tool makes retrieving a new certificate dead easy.

      I read this in the way that a Youtuber would initiate a sponsored advertisement lol

      But yay for easy certification fixing!

      2 votes
  2. Deimos
    Here's the incident report posted on Mozilla's bug tracker, which explains a lot more about what happened and the cause ("a common mistake in Go: taking a reference to a loop iterator variable"): https://bugzilla.mozilla.org/show_bug.cgi?id=1619047#c1

    8 votes
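The Go pitfall that incident report names, as an added example (not code from Boulder, the report, or this thread): a loop that queues the address of its iterator variable, so under Go's original loop semantics every queued recheck points at the same name, shown beside the fixed form. The domain names and the queue shape are constructed for illustration.

```go
package main

import "fmt"

// queueBuggy stores the address of the loop iterator variable (constructed
// simulation of the pitfall named in the incident report, not Boulder code).
// Under Go's original loop semantics (modules declaring go < 1.22) one
// variable is reused across iterations, so every pointer ends up at the last domain.
func queueBuggy(domains []string) []*string {
	var queue []*string
	for _, d := range domains {
		queue = append(queue, &d) // BUG: &d is the same address every iteration
	}
	return queue
}

// queueFixed takes the address of the slice element, distinct per
// iteration. Shadowing with `d := d` inside the loop is the other fix.
func queueFixed(domains []string) []*string {
	var queue []*string
	for i := range domains {
		queue = append(queue, &domains[i])
	}
	return queue
}

// missed returns the domains that no entry in the queue would recheck;
// a correct queue misses none of them.
func missed(domains []string, queue []*string) []string {
	covered := make(map[string]bool, len(queue))
	for _, p := range queue {
		covered[*p] = true
	}
	var out []string
	for _, d := range domains {
		if !covered[d] {
			out = append(out, d)
		}
	}
	return out
}

func main() {
	// Constructed order with three names needing a CAA recheck.
	domains := []string{"alpha.example", "beta.example", "gamma.example"}
	fmt.Println("buggy queue misses:", missed(domains, queueBuggy(domains)))
	fmt.Println("fixed queue misses:", missed(domains, queueFixed(domains)))
}
```

With Go 1.22 or later and a go.mod declaring that version, loop variables are per-iteration and the buggy form no longer aliases, which is why the same code can behave differently between toolchains.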
  3. Keegan
    Much better title @Deimos. Thank you!

    5 votes
    1. Deimos
      No problem, thanks for posting! I used the tool they mentioned to validate that Tildes's certificate is fine, so that's good to know. I'm curious if any major sites are going to get hit by this tomorrow.

      8 votes
  4. ffmike
    Took a few minutes to check all of the sites that I'm responsible for, but I applaud LetsEncrypt for doing the responsible thing here. People are going to complain when they get security warnings from some of the stragglers today, but the alternative could be much worse.

    5 votes
  5. Deimos (edited)
    Let's Encrypt decided not to revoke most of the certificates, since over 1 million still seemed like they weren't going to be replaced by the deadline: https://community.letsencrypt.org/t/2020-02-29-caa-rechecking-bug/114591/3

    They revoked about 1.7M that seemed to have been updated, as well as 445 that they found had received a certificate they shouldn't have been able to get, due to the bug.

    3 votes