Textpattern CMS support forum
#1 2020-03-04 11:44:07
- Algaris
Sites Using a Let’s Encrypt TLS Certificate May Throw Security Warning
I just came across the following today regarding Let’s Encrypt certificates:
On Wednesday, March 4, 2020, 3 million Transport Layer Security (TLS) certificates issued by Let’s Encrypt will be revoked because of a Certificate Authority Authorization (CAA) bug.
According to Let’s Encrypt:
The bug: when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let’s Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let’s Encrypt.
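The quoted description of the bug (N names needing a CAA recheck, one name checked N times) is easier to reason about with a small reproduction. The following Go program is an added example for this thread, not Boulder’s code or anything from Let’s Encrypt: the CAA data is constructed inline rather than looked up in DNS, the issuer string and the domain names are assumptions, and the closure-over-a-shared-variable mechanism is my assumed illustration of how a “check one name N times” bug looks, since the quoted text states only the observed effect. The lookup itself follows the RFC 8659 rule of climbing from the name to its parents and letting the closest CAA RRset decide.

```go
package main

import (
	"fmt"
	"strings"
)

// caaStore is constructed stand-in data for DNS CAA records, keyed by
// domain name and holding the CA identifiers from "issue" tags. A key
// whose value is an empty slice models a CAA RRset that permits no CA;
// a missing key models a name with no CAA RRset at all. (Constructed
// for this example, not real DNS data.)
type caaStore map[string][]string

// issuer is an assumed identifier for the CA performing the recheck.
const issuer = "letsencrypt.org"

// caaAllows applies the RFC 8659 lookup: walk from name up through its
// parents and let the closest CAA RRset decide; with no RRset anywhere
// along that path, issuance is permitted.
func caaAllows(store caaStore, name, ca string) bool {
	labels := strings.Split(strings.TrimSuffix(name, "."), ".")
	for i := range labels {
		rrset, found := store[strings.Join(labels[i:], ".")]
		if !found {
			continue
		}
		for _, allowed := range rrset {
			if allowed == ca {
				return true
			}
		}
		return false
	}
	return true
}

// checkOne is the per-name recheck that both variants below share.
func checkOne(store caaStore, name string) error {
	if !caaAllows(store, name, issuer) {
		return fmt.Errorf("CAA for %s forbids issuance by %s", name, issuer)
	}
	return nil
}

// recheckBuggy reproduces the failure mode described in the thread:
// asked to recheck N names, it rechecks one name N times. The mechanism,
// a variable declared outside the loop and captured by closures that run
// only after the loop has finished, is an assumed illustration.
func recheckBuggy(store caaStore, names []string) error {
	var name string
	var checks []func() error
	for _, n := range names {
		name = n // every closure shares this one variable
		checks = append(checks, func() error { return checkOne(store, name) })
	}
	for _, check := range checks {
		if err := check(); err != nil {
			return err
		}
	}
	return nil
}

// recheckFixed binds each closure to its own copy of the name, so every
// requested name is actually rechecked.
func recheckFixed(store caaStore, names []string) error {
	var checks []func() error
	for _, n := range names {
		name := n // fresh variable per iteration
		checks = append(checks, func() error { return checkOne(store, name) })
	}
	for _, check := range checks {
		if err := check(); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	// a.example inherits the permissive record at "example"; b.example's
	// own record names a different CA, so a correct recheck must fail.
	store := caaStore{
		"example":   {"letsencrypt.org"},
		"b.example": {"other-ca.example"},
	}
	names := []string{"b.example", "a.example"}
	fmt.Println("buggy:", recheckBuggy(store, names)) // <nil>: b.example is never checked
	fmt.Println("fixed:", recheckFixed(store, names)) // error naming b.example
}
```

The point to take from the run is that the buggy path returns no error even though one of the names now has a CAA record that excludes the issuer: the last name in the request is what every deferred check sees. That is exactly the window the quoted text describes, where a CAA record added after the original validation has no effect until the cached authorization expires.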
Re: Sites Using a Let’s Encrypt TLS Certificate May Throw Security Warning
I was on my way to mention the same issue. Here [Ars Technica] is another write-up.
A tool that helps verify if your certs are affected.
Last edited by phiw13 (2020-03-04 12:05:25)
Where is that emoji for a solar-powered submarine when you need it?
Sand space – admin theme for Textpattern
Re: Sites Using a Let’s Encrypt TLS Certificate May Throw Security Warning
For completeness, I’ve checked all the Textpattern sites, we’re not affected.
That said, since the LE rate limit has been temporarily upped, I’ve force-renewed all our certs without issue. I’ve never had to force-renew any LE certs, so it was a useful contingency/emergency exercise.
Re: Sites Using a Let’s Encrypt TLS Certificate May Throw Security Warning
Was just reading your LE notes elsewhere, Pete, and, not really getting my head around it all but being an LE user, was wondering if it suggests some kind of certs headache I will have soon?
As it is now, my host has a setup in their control panel making it stupid easy to renew certs. I guess any change to renewing would be taken into account by them and their renewal script.
Re: Sites Using a Let’s Encrypt TLS Certificate May Throw Security Warning
Destry wrote #327225:
As it is now, my host has a setup in their control panel making it stupid easy to renew certs. I guess any change to renewing would be taken into account by them and their renewal script.
I would say so, yes. Any host worth their salt will know about this, especially the ones who leverage LE so extensively.
The reactive stuff in this thread was back in March and didn’t affect us. The other stuff is more prescient and there’s been plenty of warning from LE – at least a year – about it coming.
Frankly, I’m not expecting any snags. In real terms, anyone using an old-old version of iOS will have issues with Safari on an increasing number of sites anyway, not just LE-powered TLS ones.
Re: Sites Using a Let’s Encrypt TLS Certificate May Throw Security Warning
Destry wrote #327225:
I guess any change to renewing would be taken into account by them and their renewal script.
If it helps, the LE cert for one domain was renewed yesterday and, assuming I understand it correctly, it now uses the “new” cert chain (ISRG Root X1). Host is Dreamhost in this case. Everything was smooth, no warning and so on. For all my other domains (various hosting services) we’ll have to wait a little bit longer, as those certs are not yet up for renewal.
So yeah, your host just needs to change a few lines in their script(s), you won’t even notice it…
Re: Sites Using a Let’s Encrypt TLS Certificate May Throw Security Warning
phiw13 wrote #327227:
So yeah, your host just needs to change a few lines in their script(s), you won’t even notice it…
Actually, they don’t have to. They can, to force the change to ISRG Root X1 sooner, but from 11 January 2021 this will happen automatically.
You (they, anyone piloting an ACME client) can force a preferred cert chain with, e.g.:
sudo certbot -d example.com --preferred-chain "DST Root CA X3"
(Add in the new stuff released with certbot in the last few days and you can also shoehorn in --key-type and --elliptic-curve options to really go hog wild.)
Really the only people affected by this will be old-old iOS people and old-old Android people, and certainly in the case of Android there’s a Firefox-shaped workaround. Those iOS people…not so sure.
I mentioned it here since I know some regulars use exotic browsers and operating systems, and at least this way there’s a heads-up as to what’s happening.
I’m working on improving my web ops bedside manner, I think that’s the bigger picture.