Let's Encrypt SSL/TLS certificates may require manual update
As highlighted in the forums by Sean, Let's Encrypt recently discovered a bug in the code their Certificate Authority uses to re-check CAA (Certification Authority Authorization) DNS records before issuing a certificate. The implication is that some of the certificates they issued were not re-checked against CAA the way their policy requires, so they shouldn't have been issued as they were. To resolve this, they will be revoking the affected certificates, starting Wednesday, March 4th 2020, 00:00 UTC.
It's highly unlikely that you have been granted a certificate that you shouldn't have, so renewing your certificate should resolve the issue. It only affects certificates issued within the last month, so if you know for sure that your cert hasn't been renewed recently, then you should be fine. If you want to be on the safe side and manually force a certificate renewal regardless, that's a fine option and please do so. If you want to double check before you do anything, then that is covered directly below.
Am I affected?
If you are using Let's Encrypt SSL/TLS certificates for your website (or mailserver or other web service) then you may be affected. If you wish to be sure, there are a few different ways that you can check. Please note though, that forcing a certificate renewal is pretty easy and won't do any harm (if it fails, then there was likely already an issue). The only thing to keep in mind is Let's Encrypt's rate limits: repeatedly forcing renewals for the same set of names will eventually hit their duplicate certificate limit (5 per week), so force it once, not in a loop. If you'd rather just be on the safe side, please feel free to just force a renewal.
Check via online tool
The first is to enter your website's hostname into the online tester. That is handy for checking a single domain/certificate, and even a couple is pretty easy. If you have lots to check, then there are better/easier ways (see below).
FWIW, the online tool can also be used to check via the command line (change 'example.com' to your domain):
curl -XPOST -d 'fqdn=example.com' https://checkhost.unboundtest.com/checkhost
Check against the list
Another way to check is to download the list of affected certificates (as noted on this LE doc page) and search it for your domain. So first download the list (it's ~315MB so might take a minute or 2):
wget https://d4twhgtvn0ff5.cloudfront.net/caa-rechecking-incident-affected-serials.txt.gz
Then use zgrep (like grep, but for gzipped files; alternatively un-gzip the file first) to check like this (change 'example.com' to your domain). Note that a plain text search also matches longer names that contain yours (e.g. 'notexample.com' or 'example.com.other.net'), so look at the names on any matching line rather than relying on the exit status alone:
zgrep example.com caa-rechecking-incident-affected-serials.txt.gz
It is also possible to get the serial number of your certificate and use that to check against this list. Personally, I think one of the other methods is preferable. But if you are keen for that, the layout of the caa-rechecking-incident-affected-serials.txt.gz file is noted on the relevant LE page and you can get the serial of the certificate your server is currently serving like this (again, change 'example.com' to your domain; the assignment needs to be on its own line so that ${DOMAIN} is set before it is expanded):
DOMAIN=example.com
openssl s_client -connect "${DOMAIN}:443" -servername "${DOMAIN}" </dev/null 2>/dev/null \
  | openssl x509 -noout -serial
That prints the serial as 'serial=' followed by the hex digits, without colons and in upper case, so search the list case-insensitively (zgrep -i). The -servername option matters if the server hosts more than one certificate (SNI), and openssl x509 only reads the first (leaf) certificate from the output, which is the one you want.
Tool to use if you have lots of certs to check
If you have lots of certs to check, then Let's Encrypt recommend this tool from GitHub. I have no experience with it and can't really comment further, but sounds like it could be worth a try if you have a lot of certs you wish to check.
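If you'd rather not depend on a third-party tool, the following is an added example (it is not from this post, from Confconsole/Dehydrated, or from Let's Encrypt) of a small POSIX shell script that does the "check against the list" lookups for many certificates at once: it pulls the live serial of each host, normalises it to match the list, and does whole-token matching so a short serial or a similar domain name cannot produce a false match. It assumes that the list stores each affected serial as a plain hex string (no colons) somewhere on the line; the Dehydrated certificate path /var/lib/dehydrated/certs/<domain>/cert.pem is the Debian package default and may differ on your system; the script name checkle.sh is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the TurnKey post or from Let's Encrypt.
# Assumes: the affected list holds serials as hex strings (no colons), one
# affected certificate per line; Dehydrated keeps certificates under
# /var/lib/dehydrated/certs/<domain>/cert.pem (Debian default, adjust as needed).

LIST="${LIST:-caa-rechecking-incident-affected-serials.txt.gz}"

# Print the list as plain text whether or not it is still gzipped.
list_cat() {
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac
}

# Normalise a serial to lowercase hex: drop openssl's "serial=" prefix,
# colons and whitespace, so it compares equal to the form used in the list.
normalize_serial() {
    printf '%s' "$1" | sed 's/^serial=//' | tr -d ': \n' | tr 'A-F' 'a-f'
}

# Serial of the leaf certificate a host actually serves (SNI set via -servername).
serial_from_host() {
    host="$1"; port="${2:-443}"
    openssl s_client -connect "${host}:${port}" -servername "${host}" </dev/null 2>/dev/null \
        | openssl x509 -noout -serial
}

# Serial of a certificate on disk, e.g. Dehydrated's cert.pem for a domain.
serial_from_pem() {
    openssl x509 -in "$1" -noout -serial
}

# Exit 0 (affected) only if the serial appears in the list as a whole token,
# so a shorter serial cannot match inside a longer one. Exit 2 on empty input.
serial_affected() {
    s="$(normalize_serial "$1")"
    [ -n "$s" ] || return 2
    list_cat "$2" | tr 'A-F' 'a-f' | grep -qw -- "$s"
}

# Exit 0 only if the domain appears in the list as a whole name: example.com
# must not be matched by notexample.com or by example.com.attacker.net.
domain_affected() {
    pat="$(printf '%s' "$1" | sed 's/\./\\./g')"
    list_cat "$2" | grep -Eiq -- "(^|[^A-Za-z0-9.-])${pat}([^A-Za-z0-9.-]|\$)"
}

# Read one hostname per line on stdin, fetch each live serial and report.
check_domains() {
    while read -r d; do
        [ -n "$d" ] || continue
        s="$(serial_from_host "$d")" || { echo "$d: could not fetch certificate"; continue; }
        if serial_affected "$s" "$LIST"; then
            echo "$d: AFFECTED (serial $(normalize_serial "$s")) - force a renewal"
        else
            echo "$d: not in list"
        fi
    done
}

# Usage (after downloading the list into the current directory):
#   printf 'example.com\nmail.example.com\n' | { . ./checkle.sh; check_domains; }
# For certificates not yet deployed, use serial_from_pem on the cert.pem instead.
```

The script sources as a function library rather than running anything at load time, so it can be used both interactively and from cron. The live check (serial_from_host) tells you what clients actually see, which matters if a renewed certificate has been written to disk but the web server has not been reloaded; the on-disk check (serial_from_pem) covers certificates issued for hosts that are not reachable from where you run the script.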
Force certificate renewal
Please note that I'm only covering TurnKey Linux's Confconsole Let's Encrypt integration here. If you used some other method to get your Let's Encrypt certificate, then please check its documentation on how to force a certificate renewal.
I'll cover double checking that you have the appropriate version, and how to update if you don't (your certs are possibly already broken if that's the case). But if you feel confident that everything is good with Confconsole and Dehydrated (the tool that Confconsole leverages to get the LE certificates) then please jump straight to the specific command.
Check you have the right versions
First up, double check that you have Confconsole v1.1.2 & Dehydrated v0.6+. Apt is the best tool to use for this check, so first update your package lists (if you aren't running as root, all these commands should be prefaced with 'sudo'):
apt update
Then check version like this:
apt policy confconsole dehydrated
Here's what I get on a v15.x server I have running (and you should get the same):
confconsole:
  Installed: 1.1.2
  Candidate: 1.1.2
  Version table:
 *** 1.1.2 100
        100 /var/lib/dpkg/status
     1.1.0+2+g6c2aad9 999
        999 http://archive.turnkeylinux.org/debian stretch/main amd64 Packages
dehydrated:
  Installed: 0.6.2-2+deb10u1~deb9u1
  Candidate: 0.6.2-2+deb10u1~deb9u1
  Version table:
 *** 0.6.2-2+deb10u1~deb9u1 500
        500 http://deb.debian.org/debian stretch/main amd64 Packages
        100 /var/lib/dpkg/status
If you look at the relevant lines that start "Installed:", you can see that I have Confconsole v1.1.2 installed and Dehydrated v0.6.2-2+deb10u1~deb9u1. That's what you should have too (although if you have newer, then that's fine too).
If you do not have at least Dehydrated v0.6, then please update like this:
apt install dehydrated
FWIW previously 'stretch-backports' was required to install an up to date version of Dehydrated, however, the right version has been migrated to 'stretch main'. If you don't have at least Confconsole v1.1.2 installed, please follow the instructions on the Confconsole v1.1.2 release notes. (If you've just updated Dehydrated, you can skip step #2).
Force TurnKey Dehydrated Wrapper to renew certificate
Assuming that Confconsole and Dehydrated are up to date, you can force the TurnKey Dehydrated Wrapper to renew certificates (regardless of certificate expiry date) like this. Run it once rather than repeatedly, since each forced run requests a new certificate and counts against Let's Encrypt's duplicate certificate rate limit; afterwards, confirm with the openssl serial command above that the serial your server now presents has changed:
/usr/lib/confconsole/plugins.d/Lets_Encrypt/dehydrated-wrapper --force
Any problems or feedback?
If you hit any issues or have any feedback for us, please feel free to post a comment below, or open a new thread on the forums (free website user account required).