How to force renewal of buggy Let's Encrypt Certificates?

 
Post new topic   Reply to topic    Aprelium Forum Index -> SSL/Certificates
View previous topic :: View next topic  
Author Message
admin
Site Admin


Joined: 03 Mar 2002
Posts: 1295

Posted: Wed Mar 04, 2020 11:55 am

This is only of interest to those using free ACME certificates from Let's Encrypt.

The certification authority Let's Encrypt, which delivers free SSL/TLS certificates to Abyss Web Server's ACME-Bot, has discovered a bug in the way it deals with some issued certificates.

Due to this bug, they are revoking the bad certificates effective March 4, 2020. If you have used your email address when declaring the ACME-Bot account, they may have sent you an email like the following:

Quote:
ACTION REQUIRED: Renew these Let's Encrypt certificates by March 4

We recently discovered a bug in the Let's Encrypt certificate authority code,
described here:

https://community.letsencrypt.org/t/2020-02-29-caa-rechecking-bug/114591

Unfortunately, this means we need to revoke the certificates that were affected
by this bug, which includes one or more of your certificates. To avoid
disruption, you'll need to renew and replace your affected certificate(s) by
Wednesday, March 4, 2020. We sincerely apologize for the issue.

If you're not able to renew your certificate by March 4, the date we are
required to revoke these certificates, visitors to your site will see security
warnings until you do renew the certificate. Your ACME client documentation
should explain how to renew.

If you are using Certbot, the command to renew is:

certbot renew --force-renewal

If you need help, please visit our community support forum:
https://community.letsencrypt.org/t/revoking-certain-certificates-on-march-4/114864

Please search thoroughly for a solution before you post a new question. Let's
Encrypt staff will help our community try to answer unresolved questions as
quickly as possible.


Your affected certificate(s), listed by serial number and domain names:
...


If you have not received the email or if you are in doubt, use the site https://checkhost.unboundtest.com/ to test if Let's Encrypt issued a certificate for your host name that is affected by the bug.

To fix the issue, the only required action is forcing ACME-Bot in Abyss Web Server to get you new bug-free certificates from Let's Encrypt. Fortunately, this is easy to do:

* Open the sub-directory kcstore inside the Abyss Web Server installation directory.

* Remove from that sub-directory all files ending with the extension .acme.crt. Do not remove other files ending with .crt or .key!

* Now restart Abyss Web Server and the ACME-Bot will take a few seconds to get new certificates instead of the deleted ones. That's it.
_________________
Forum Administrator
Aprelium - https://aprelium.com


Last edited by admin on Wed Mar 04, 2020 5:42 pm; edited 1 time in total
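The file-removal step from the post above, as an added shell example that is not part of the original post or Aprelium's own tooling: it moves the .acme.crt files into a backup directory instead of deleting them, so the old certificates can be put back if the re-issue fails, and it never touches other .crt or .key files. The function name, the backup directory and the paths in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not Aprelium's code. Only the kcstore directory name and the
# .acme.crt suffix come from the post; the function name, the backup
# directory and the paths in the usage line are assumptions.

# quarantine_acme_certs KCSTORE_DIR BACKUP_DIR
# Moves every regular file named *.acme.crt from KCSTORE_DIR to BACKUP_DIR and
# prints how many were moved. Other .crt files and all .key files stay put.
quarantine_acme_certs() {
    kcstore=$1
    backup=$2
    moved=0

    if [ ! -d "$kcstore" ]; then
        echo "not a directory: $kcstore" >&2
        return 2
    fi
    # The caller should pick a backup directory outside kcstore; it is
    # created if missing and restricted to the current user.
    mkdir -p "$backup" || return 2
    chmod 700 "$backup" || return 2

    for f in "$kcstore"/*.acme.crt; do
        # An unmatched glob stays literal, so test each candidate. Skip
        # directories and symlinks: only plain certificate files are moved.
        if [ ! -f "$f" ] || [ -L "$f" ]; then
            continue
        fi
        mv -- "$f" "$backup"/ || return 1
        moved=$((moved + 1))
    done

    echo "$moved"
}

# Usage (hypothetical paths), followed by a restart of Abyss Web Server:
#   sh quarantine.sh /path/to/abyssws/kcstore /path/to/acme-backup
if [ "$#" -eq 2 ]; then
    quarantine_acme_certs "$1" "$2"
fi
```

A printed count of 0 means no file matched, which usually points to a wrong kcstore path.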
devastator82
-


Joined: 10 Mar 2006
Posts: 31
Location: Lithuania

Posted: Wed Mar 04, 2020 3:01 pm

Thank you for that easy solution.
I didn't want to remove the config file and configure again.
admin
Site Admin


Joined: 03 Mar 2002
Posts: 1295

Posted: Wed Mar 04, 2020 5:45 pm

devastator82 wrote:
Thank you for that easy solution.
I didn't want to remove the config file and configure again.


You're welcome.

As a side note, with Abyss Web Server, all problems can get solved without reinstalling or re-configuring again.

The abyss.conf file is pretty solid. Some users have configuration files that survived incremental upgrades from the first versions in the early 2000s until now (and they are getting silently upgraded with each version without any trouble).