BUG? - letsencrypt revokes 3 million certs on 4-March-2020 - renewal issue on netlify due to cert caching?

Letsencrypt have announced that they will revoke 3 million certs tomorrow (4-March-2020), which means they will be blacklisted on OCSP and the CA’s revocation list and most browsers will complain.

You can check if your domain is affected here:
https://unboundtest.com/caaproblem.html

It looks like the cert for my netlify site is affected.

So, I clicked the Site Settings → Domain Management → Renew certificate button.
The status said “updated today”, but nothing actually happened. My site did not get updated with a new cert. (I waited for hours).

Then I added a new CNAME domain to my site, clicked the renew certificate button and my site instantly got a new cert.

I then tried to remove that dummy CNAME again - and to my surprise my site did not get a new cert, but somehow the old cert (the very first one, affected by the letsencrypt issue) was back. This means netlify not only did not delete the private key for it (which I think is a security issue of its own), but it also means there is a cert cache that you cannot flush, which can be a problem in cases where you really need to replace a cert for security reasons, even though it’s still valid (like in this case).

Question to support: Did I do anything wrong?

Bug report/feature request to engineering: Please consider adding a “Force Renew Certificate” and “Delete all private keys” button.

TL;DR: Advice to anyone who ended up here because their netlify site is affected by the letsencrypt mass revocation: Add and keep a dummy CNAME domain to your netlify site and click the “Renew certificate” button in your site’s settings. This will get you a new letsencrypt cert.

Update1: Netlify have acknowledged below that they will take care of the issue for all users (see below).
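A way to confirm from the outside whether a site is really serving a different certificate after a "renew" (the thread's core problem: the UI said "updated today" while the old cert kept being served), and to ask the issuer's OCSP responder what it thinks of the cert. This is an added example written for this thread, not Netlify's or Let's Encrypt's code; it assumes `openssl` is on your PATH and that, for the OCSP query, you have saved the issuer certificate from the served chain as a PEM file.

```shell
#!/usr/bin/env bash
# Added example: compare what a host serves before/after a renewal and check OCSP status.
set -euo pipefail

# Save the leaf certificate that HOST currently serves to OUT (PEM).
# SNI is set explicitly so that a CDN/shared host answers for the right name.
fetch_leaf_cert() {
  local host="$1" out="$2"
  openssl s_client -connect "${host}:443" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$out"
}

# One-line identity for a PEM cert: serial, notBefore and SHA-256 fingerprint.
cert_identity() {
  local pem="$1"
  openssl x509 -in "$pem" -noout -serial -startdate -fingerprint -sha256 | tr '\n' ' '
}

# Exit 0 if both PEM files are the same certificate, 1 otherwise.
# Run against a copy saved before clicking "Renew" and a fresh fetch afterwards:
# identical output means the renewal did not actually change what is served.
same_cert() {
  [ "$(cert_identity "$1")" = "$(cert_identity "$2")" ]
}

# Query the OCSP responder named in the leaf cert; prints good, revoked or unknown.
# ISSUER is the PEM of the certificate that signed LEAF (taken from the served chain).
ocsp_status() {
  local leaf="$1" issuer="$2" url
  url=$(openssl x509 -in "$leaf" -noout -ocsp_uri)
  openssl ocsp -issuer "$issuer" -cert "$leaf" -url "$url" 2>/dev/null \
    | awk -F': ' '/: (good|revoked|unknown)$/ { print $2; exit }'
}

# Usage (live, needs network):
#   fetch_leaf_cert example.com before.pem   # before renewing
#   fetch_leaf_cert example.com after.pem    # after renewing
#   same_cert before.pem after.pem && echo "still the OLD cert" || echo "new cert served"
#   ocsp_status after.pem issuer.pem
```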

Hey @christian - thanks for this. We are aware of the issue and currently working on it. We’ll post an update here as soon as we have something to share! :muscle:

I have one more bit of information to share:
We will take care of this for all affected certificates provisioned through our platform.
There are no steps required for Netlify users based on this situation right now.


Hi, Jacob from the Let’s Encrypt team here. I just wanted to say - @marcus, to you and your team, thanks for handling this for your users, and sorry for the hassle this causes you. :heart:


thanks for the kind words, @jsha! It’s appreciated - and I know our customers appreciate you being in here and saying so :+1:


thanks for the acknowledgement @perry @marcus - much appreciated.


We’ve also put a more official update over here: Let's Encrypt certificate revocations 3-4 March 2020 which we’ll tweet out shortly from all the addresses :slight_smile:
