
Let’s Encrypt discovers CAA bug, must revoke customer certificates


Karlston


Let’s Encrypt discovers CAA bug, must revoke customer certificates

Let's Encrypt users will need to manually force-renew once to avoid downtime.

Unfortunately, most if not all Let's Encrypt users will need to manually force-renew their certificates before Wednesday. It's at least an easy process.

On Leap Day, Let's Encrypt announced that it had discovered a bug in its CAA (Certification Authority Authorization) code.

 

The bug opens up a window of time in which a certificate might be issued even if a CAA record in that domain's DNS should prohibit it. As a result, Let's Encrypt is erring on the side of security and safety rather than convenience and revoking any currently issued certificates it can't be certain are legitimate, saying:

Unfortunately, this means we need to revoke the certificates that were affected by this bug, which includes one or more of your certificates. To avoid disruption, you'll need to renew and replace your affected certificate(s) by Wednesday, March 4, 2020. We sincerely apologize for the issue.

 

If you're not able to renew your certificate by March 4, the date we are required to revoke these certificates, visitors to your site will see security warnings until you do renew the certificate.

Let's Encrypt uses Certificate Authority software called Boulder. Typically, a Web server that services many separate domain names and uses Let's Encrypt to secure them receives a single LE certificate that covers all domain names used by the server rather than a separate cert for each individual domain.

 

The bug LE discovered is that, rather than checking each domain name separately for CAA records authorizing Let's Encrypt to issue for that domain, Boulder would check a single one of the domains on that server n times (where n is the number of LE-serviced domains on that server). Let's Encrypt typically considers domain validation results good for 30 days from the time of validation—but CAA records specifically must be checked no more than eight hours prior to certificate issuance.

 

The upshot is that a 30-day window is presented in which certificates might be issued to a particular Web server by Let's Encrypt despite the presence of CAA records in DNS that would prohibit that issuance.
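To make the defect concrete, here is an added toy model of the rechecking logic described above. It is illustrative code written for this post, not Boulder's or Let's Encrypt's own code; the DNS CAA records, domain names, validation timestamps and the simple "climb to the parent" lookup are all constructed assumptions. It shows the same multi-domain order going through a loop that rechecks the first domain every time (the bug) and through a loop that rechecks the domain actually under consideration (the fix).

```python
"""Toy model of the CAA rechecking defect (added example, not Boulder code)."""
from datetime import datetime, timedelta

CAA_MAX_AGE = timedelta(hours=8)         # CAA must be checked within 8h of issuance
VALIDATION_MAX_AGE = timedelta(days=30)  # cached domain validation is good for 30 days
CA_ID = "letsencrypt.org"                # issuer tag Let's Encrypt looks for in CAA

# Constructed CAA data: name -> issuer tags allowed by "issue" records.
# An empty list models `CAA 0 issue ";"` (nobody may issue). Names absent from
# the table have no CAA record, so the lookup climbs toward the root.
DNS_CAA = {
    "web.example.net": ["letsencrypt.org"],   # permits Let's Encrypt
    "example.com": ["otherca.example"],       # permits only another CA
    "locked.example.org": [],                 # forbids every CA
}


def lookup_caa(domain):
    """Return the CAA issuer list for a name, climbing to parents until one is found."""
    labels = domain.split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if name in DNS_CAA:
            return DNS_CAA[name]
    return None  # no CAA record anywhere in the chain: any CA may issue


def caa_permits(domain):
    """True if the effective CAA record (if any) allows CA_ID to issue."""
    issuers = lookup_caa(domain)
    return issuers is None or CA_ID in issuers


def would_issue(domains, validated_at, now, buggy=False):
    """Decide whether a certificate covering `domains` may be issued at `now`.

    validated_at maps each domain to the time its cached validation (and the
    CAA check made alongside it) was performed. A validation older than 30
    days is unusable; one older than eight hours needs a fresh CAA check.
    With buggy=True the recheck inspects domains[0] on every iteration, which
    is the behaviour the article describes.
    """
    for domain in domains:
        age = now - validated_at[domain]
        if age > VALIDATION_MAX_AGE:
            return False, f"{domain}: validation expired"
        if age > CAA_MAX_AGE:
            target = domains[0] if buggy else domain
            if not caa_permits(target):
                return False, f"{target}: CAA forbids issuance"
    return True, "ok"


def demo():
    """Run one order through both variants; returns the outcomes for inspection."""
    now = datetime(2020, 2, 29, 12, 0)  # constructed timestamp
    order = ["web.example.net", "shop.example.com", "locked.example.org"]
    stale = {d: now - timedelta(days=2) for d in order}     # needs CAA recheck
    fresh = {d: now - timedelta(hours=1) for d in order}    # still within 8h
    return {
        "buggy_stale": would_issue(order, stale, now, buggy=True),
        "fixed_stale": would_issue(order, stale, now, buggy=False),
        "fixed_fresh": would_issue(order, fresh, now, buggy=False),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In the stale case the buggy loop only ever consults web.example.net, whose record permits Let's Encrypt, so issuance proceeds even though shop.example.com (via its parent example.com) and locked.example.org both forbid it; the corrected loop stops at the first forbidding name. The fresh case passes in both variants because the CAA check done at validation time is still inside the eight-hour window, which is why the problem is confined to orders reusing validations older than that.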

 

Since Let's Encrypt finds itself in the unenviable position of possibly having issued certificates that it should not have, it is revoking all current certificates that might not have had proper CAA record checking on Wednesday, March 4. Users whose certificates are scheduled to be revoked will need to manually force-renew before then.

 

If an admin does not perform this manual renewal step, browsers reaching their websites will show TLS security warnings due to the revoked certificates. Let's Encrypt certificates are issued for 90-day intervals, and Certbot automatically renews them only when 30 days or less are left on the cert—so this could mean roughly two months of browser errors if the manual forced renewal isn't performed.

 

There are many, many ACME clients, and their procedures vary—but if you're using Certbot, all that's necessary is certbot renew --force-renewal once on the command line. Happily, it's a simple process—as the redacted shell session below demonstrates.

me@system76-pc:~$ ssh [email protected]
[email protected]'s password: 

root@web:~# certbot renew --force-renewal
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/web.redacted.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for dev.redacted0.org
http-01 challenge for redacted0.org
http-01 challenge for redacted1.com
http-01 challenge for redacted2.net
http-01 challenge for redacted3.com
http-01 challenge for redacted4.com
http-01 challenge for redacted5.com
http-01 challenge for old.redacted0.org
http-01 challenge for redacted6.com
http-01 challenge for web.redacted.net
http-01 challenge for www.dev.redacted0.org
http-01 challenge for www.redacted0.org
http-01 challenge for www.redacted1.com
http-01 challenge for www.redacted.net
http-01 challenge for www.redacted3.com
http-01 challenge for www.redacted4.com
http-01 challenge for www.redacted5.com
http-01 challenge for www.redacted6.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/web.redacted.net/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations, all renewals succeeded. The following certs have been renewed:
 /etc/letsencrypt/live/web.redacted.net/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 

Source: Let’s Encrypt discovers CAA bug, must revoke customer certificates (Ars Technica) 


Let's Encrypt to revoke certain certificates on March 4


 

Let’s Encrypt has announced that it will have to revoke many Let’s Encrypt TLS/SSL certificates from March 4. It’s currently in the process of emailing affected subscribers so that they can update their certificates. The need to revoke these certificates comes after a Certificate Authority Authorization rechecking bug was found.

 

In an email that has gone out to those with affected certificates, Let's Encrypt says:

 

"Unfortunately, this means we need to revoke the certificates that were affected by this bug, which includes one or more of your certificates. To avoid disruption, you’ll need to renew and replace your affected certificate(s) by Wednesday, March 4, 2020. We sincerely apologize for the issue.

 

If you’re not able to renew your certificate by March 4, the date we are required to revoke these certificates, visitors to your site will see security warnings until you do renew the certificate. Your ACME client documentation should explain how to renew.”

 

 

If you use Let’s Encrypt certificates, you can use this tool to find out whether you’ll need to update your certificates. If it looks as though you need to update your certificates it’s advised that you read this thread and search the community forums if you have any questions. If you still have a question but don’t see anything appropriate you should head to the “Help” section on the Let’s Encrypt forum and ask the questions in the template as you compose your post.

 

The certificate revocations will begin from 00:00 UTC on March 4 which is less than 8 hours away. End users don’t have to worry too much about this, however, you may see security warnings on websites that have failed to renew their certificates.

 

Source



Similar topics merged.
