Let's Encrypt certificate revocations 3-4 March 2020

Hi folks!

We are aware of Let’s Encrypt’s announcement this morning regarding urgently revoking many of their issued certificates, and that this may cause concern for some of you. We totally understand those concerns.

Our team has already launched into the work to renew all affected certificates that we automatically created for your sites. There were about 6,000 affected certificates, and our team has already begun renewing all of those certificates and the work should be complete by 0000 UTC 4 March. If that timeline should change, we will update this thread.

Please note this covers ONLY UP-TO-DATE certificates that our system created for you and uses for your Netlify-hosted websites! If you have for some reason created your own Let’s Encrypt certificate and uploaded it as a custom certificate, you will need to update it yourself, if you are affected! You will need to do the same thing for any certificates that Netlify does not host, for other services.

As Netlify hosts https://letsencrypt.org and partners with that team, we are fortunate to have team members from LE posting in our community. They’ve lifted rate limits to allow bulk renewals to enable our work today, so kudos to that team for dealing with a very large problem in the best way they can. :muscle:

If you have questions or concerns, please let us know in a comment below.

5 Likes

Update: We are still working to finish certificate renewals; several thousand sites are still in the queue for renewal and we are working through the backlog as fast as possible.

We are not certain how fast Let’s Encrypt will start revoking certificates, so there is as yet no observed downtime, but it may occur and we will update here again if so.

@fool,

We’ll be posting an announcement via our status page prior to the revocations starting. I’ll pin this tab and give you an @ mention as well.

3 Likes

Update: We are down to a few hundred certificates remaining to be renewed and the team continues to work on the remaining sites.

1 Like

Some good news from the Let’s Encrypt team:

In order to complete revocations before the deadline of 2020-03-05 03:00 UTC, we are planning to start revoking affected certificates at 2020-03-04 20:00 UTC (3:00pm US EST).

(from https://community.letsencrypt.org/t/revoking-certain-certificates-on-march-4/114864)

So - nobody’s site should be broken for around 14 hours, by which time we should have all certs renewed.

1 Like

We are down to a single team potentially affected and we are actively in communication with people from that team about our work to update the SSL certificates for their sites.

Even for that team, we do believe that all certificates will be updated before the revocations of the previous SSL certificates begin. We will continue the communication and follow up with that team outside of community.

4 Likes

To close this loop: we did manage to successfully complete all renewals in advance of the beginning of revocations.

3 Likes

Big thanks to @keiko @marcus and @ricbartm for doing a TON of work and pulling long hours to get this done!! :muscle: :heart:

4 Likes