Let's Encrypt have announced that they will revoke 3 million certs tomorrow (4 March 2020), which means they will be blacklisted on OCSP and the CA's revocation list and most browsers will complain.
You can check if your domain is affected here:
https://unboundtest.com/caaproblem.html
It looks like the cert for my Netlify site is affected.
So, I clicked the Site Settings → Domain Management → Renew certificate button.
The status said "updated today", but nothing actually happened. My site did not get updated with a new cert. (I waited for hours.)
Then I added a new CNAME domain to my site, clicked the renew certificate button and my site instantly got a new cert.
I then tried to remove that dummy CNAME again, and to my surprise my site did not get a new cert; instead, somehow, the old cert (the very first one, affected by the Let's Encrypt issue) was back. This means Netlify not only did not delete the private key for it (which I think is a security issue of its own), but also that there is a cert cache that you cannot flush, which can be a problem in cases where you really need to replace a cert for security reasons, even though it is still valid (like in this case).
Question to support: Did I do anything wrong?
Bug report/feature request to engineering: Please consider adding a “Force Renew Certificate” and “Delete all private keys” button.
TL;DR: Advice to anyone who ended up here because their Netlify site is affected by the Let's Encrypt mass revocation: add and keep a dummy CNAME domain on your Netlify site and click the "Renew certificate" button in your site's settings. This will get you a new Let's Encrypt cert.
Update 1: Netlify have acknowledged below that they will take care of the issue for all users (see below).
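The post above relies on eyeballing whether the "Renew certificate" button did anything. The script below is an added example (it is not part of the original post and not Netlify's or Let's Encrypt's tooling) showing how to check this from the command line with plain `openssl`: fetch the leaf certificate a host actually serves, print its serial, validity window and SHA-256 fingerprint so two snapshots can be compared before and after a renewal, and ask the issuer's OCSP responder whether the cert is still considered good. The host name is whatever site you are checking; `openssl` must be installed.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Assumes only that openssl is
# installed. Usage: ./certcheck.sh example.netlify.app [port]
set -euo pipefail

# Print every certificate the server sends for HOST, as one PEM stream.
# SNI is set to HOST so a multi-tenant edge serves the right certificate.
chain_certs() {
  local host="$1" port="${2:-443}"
  openssl s_client -connect "${host}:${port}" -servername "$host" -showcerts </dev/null 2>/dev/null \
    | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/'
}

# Select the N-th certificate (1 = leaf, 2 = its issuer) from a PEM stream on stdin.
nth_cert() {
  awk -v n="$1" '/-----BEGIN CERTIFICATE-----/ {c++} c == n'
}

# Summarise a PEM certificate read from stdin. Save this output before clicking
# "Renew certificate" and diff it afterwards: a real renewal yields a new serial
# and fingerprint, while an unchanged or re-served old cert prints identical lines.
cert_summary() {
  openssl x509 -noout -serial -startdate -enddate -fingerprint -sha256
}

# Query the OCSP responder named in LEAF for its status, using ISSUER as the
# issuing certificate. Prints good, revoked or unknown; a revoked cert is what
# browsers will complain about after a mass revocation.
ocsp_status() {
  local leaf="$1" issuer="$2" uri
  uri=$(openssl x509 -in "$leaf" -noout -ocsp_uri)
  if [ -z "$uri" ]; then
    echo "no OCSP URI in certificate" >&2
    return 1
  fi
  openssl ocsp -issuer "$issuer" -cert "$leaf" -url "$uri" -no_nonce 2>/dev/null \
    | awk -F': ' '$2 == "good" || $2 == "revoked" || $2 == "unknown" {print $2; exit}'
}

# Stand-alone use: check the host given on the command line.
if [ -n "${1:-}" ]; then
  workdir=$(mktemp -d)
  trap 'rm -rf "$workdir"' EXIT
  chain_certs "$1" "${2:-443}" > "$workdir/chain.pem"
  nth_cert 1 < "$workdir/chain.pem" > "$workdir/leaf.pem"
  nth_cert 2 < "$workdir/chain.pem" > "$workdir/issuer.pem"
  echo "== served leaf certificate =="
  cert_summary < "$workdir/leaf.pem"
  echo "== OCSP status =="
  ocsp_status "$workdir/leaf.pem" "$workdir/issuer.pem"
fi
```

Run it once, keep the output, click "Renew certificate", then run it again: if the serial and fingerprint lines are identical, nothing was actually rotated, whatever the dashboard says. The OCSP line is the same answer a browser gets when it decides whether to trust the cert, so "revoked" here means visitors will see warnings.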