Letsencrypt SSL Certificate CAA Bug Check
Node hosters using Letsencrypt SSL certificates might have to renew their certificates by 2020-03-04
We've just become aware of a critical security issue that forces Letsencrypt to revoke a subset of issued SSL certificates, which then have to be renewed by their owners.
https://community.letsencrypt.org/t/2020-02-29-caa-rechecking-bug/114591
https://community.letsencrypt.org/t/revoking-certain-certificates-on-march-4/114864
How to determine if you are affected by this?
Follow the instructions below.
Will any nodes affected by this issue miss out on rewards?
No. We will be excluding any exceptions caused by this issue until Sunday, 2020-03-08. This is a developing situation and we do not yet know what the complete impact on the node tracking system will be; we will provide further updates as the situation develops.
| Step | Description | Command |
|---|---|---|
| 1 | Create a bash script file using nano to check whether your node's SSL certificate is affected by this bug. | Create a file named `le_check_nodes.sh` using nano: `nano ~/le_check_nodes.sh`. Copy the entire script shown below this table and paste it into your nano editor, then save and exit from nano by hitting CTRL + X, typing `y` and hitting Enter. |
| 2 | Make the script executable. | Use chmod to make the script executable: `chmod +x ~/le_check_nodes.sh` |
| 3 | Execute the script using your node's port number and check for the output `Certificate <serial> for node FQDN:9033 is OK!`. Note: if you are using a port other than 9033, modify as necessary. | Execute the script: `echo $FQDN:9033 \| ~/le_check_nodes.sh` |
| 4 | YOU ONLY NEED TO RUN THE FOLLOWING STEP if the certificate check is NOT OK! | |
| 5 | Execute the force renew command to renew your certificates. Note: the systemd unit file for zend should automatically restart zend. | Force certbot to renew your SSL certificates: `sudo certbot renew --force-renewal` |

Script for step 1 (contents of `~/le_check_nodes.sh`):

```bash
#!/bin/bash
# Checks whether each node's SSL certificate serial appears in the list of
# certificates affected by the Let's Encrypt CAA rechecking bug.
SERIALS="https://d4twhgtvn0ff5.cloudfront.net/caa-rechecking-incident-affected-serials.txt.gz"
caa_file="./caa-rechecking-incident-affected-serials.txt.gz"
# Download the affected-serials list unless a copy is already present.
if [ ! -f "${caa_file}" ]; then
  (wget -O- "$SERIALS" || curl -L "$SERIALS") > "${caa_file}"
fi
# A failed download leaves an empty or truncated file, which would make every
# certificate look OK, so verify the archive before using it.
if ! gzip -t "${caa_file}" 2>/dev/null; then
  echo "Could not download the affected serials list."
  rm -f "${caa_file}"
  exit 1
fi
if ! command -v openssl > /dev/null 2>&1; then
  echo "Please install openssl."
  exit 1
fi
# Read node addresses (host:port) from the file given as argument 1, or from stdin.
while read -r node; do
  # Fetch the node's leaf certificate and extract its serial as plain hex.
  serial="$(timeout 5 openssl s_client -connect "${node}" -showcerts </dev/null 2>/dev/null |
    openssl x509 -text -noout 2>/dev/null |
    grep -A 1 'Serial Number' | tr -d : | tail -n 1 | tr -d ' ')"
  if [ -z "${serial}" ]; then
    echo "Error, could not get certificate info for node ${node}!"
    continue
  fi
  if zgrep -q "$serial" "${caa_file}"; then
    echo "WARNING! Certificate $serial for node ${node} has to be renewed!"
  else
    echo "Certificate $serial for node ${node} is OK!"
  fi
  serial=""
done < "${1:-/dev/stdin}"
rm "${caa_file}"
```
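For hosters who want a more careful version of the step-1 check, the following is an added example and not part of the original guide: it sends SNI so a host serving several certificates answers with the right one, reads the serial with openssl's `-serial` option instead of grepping the text dump, and matches the serial as a whole word so a short serial cannot match inside a longer one. It assumes the affected-serials list was already downloaded as in step 1 (the .gz file or a decompressed copy) and that openssl, grep and gzip are installed; the script name and node address are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original guide. Assumes the affected-serials
# list was already downloaded as in step 1 (the .gz file or a decompressed
# copy) and that openssl, grep and gzip are installed.

# Normalise a serial to lowercase hex with no separators. Accepts the forms
# openssl prints: "03:AB:..", "03AB.." and "serial=03AB..".
normalize_serial() {
  printf '%s' "$1" | sed 's/^serial=//' | tr -d ': \n' | tr 'A-Z' 'a-z'
}

# Return 0 if the serial is in the list, 1 otherwise. Matching is whole-word
# and case-insensitive, so a short serial cannot match inside a longer one.
serial_affected() {
  s=$(normalize_serial "$1")
  [ -n "$s" ] || return 1
  case "$2" in
    *.gz) gzip -cd "$2" | grep -qiw -- "$s" ;;
    *)    grep -qiw -- "$s" "$2" ;;
  esac
}

# Print the leaf certificate's serial for host:port (empty output and a
# non-zero status on failure). SNI is sent so a host serving several
# certificates answers with the one for that name.
leaf_serial() {
  host=${1%%:*}
  s=$(openssl s_client -connect "$1" -servername "$host" </dev/null 2>/dev/null |
      openssl x509 -noout -serial 2>/dev/null)
  s=$(normalize_serial "$s")
  [ -n "$s" ] && printf '%s\n' "$s"
}

# Check one node against the list. Exit status: 0 OK, 1 must renew,
# 2 certificate could not be fetched.
check_node() {
  serial=$(leaf_serial "$1") || {
    echo "Error, could not get certificate info for node $1!"; return 2; }
  if serial_affected "$serial" "$2"; then
    echo "WARNING! Certificate $serial for node $1 has to be renewed!"; return 1
  fi
  echo "Certificate $serial for node $1 is OK!"
}

# Usage (placeholders): ./le_check.sh FQDN:9033 caa-rechecking-incident-affected-serials.txt.gz
if [ "$#" -ge 2 ]; then check_node "$1" "$2"; fi
```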