Letsencrypt SSL Certificate CAA Bug Check


Node hosters using Letsencrypt SSL certificates might have to renew their certificates by 2020-03-04

We've just become aware of a critical security issue that forces Letsencrypt to renew a subset of issued SSL certificates.

https://arstechnica.com/information-technology/2020/03/lets-encrypt-revoking-https-certs-due-to-certificate-authority-bug/

https://community.letsencrypt.org/t/2020-02-29-caa-rechecking-bug/114591

https://community.letsencrypt.org/t/revoking-certain-certificates-on-march-4/114864

How do you determine whether you are affected by this?
Follow the instructions below.

Will any nodes affected by this issue miss out on rewards?

No. We will be excluding any exceptions caused by this issue until Sunday, 2020-03-08. This is a developing situation and we do not yet know what the complete impact on the node tracking system will be; we will provide further updates as the situation develops.


Step 1: Create a bash script file using nano to check if your node's SSL certificate is affected by this bug.

Create a file named le_check_nodes.sh using nano

nano ~/le_check_nodes.sh

Copy this entire block of text and paste it into your nano editor

#!/bin/bash
# Affected-serial list published by Let's Encrypt for the CAA rechecking incident.
SERIALS="https://d4twhgtvn0ff5.cloudfront.net/caa-rechecking-incident-affected-serials.txt.gz"

# Download the list once (about 315 MB); reuse it if it is already present.
caa_file="./caa-rechecking-incident-affected-serials.txt.gz"
if [ ! -f "${caa_file}" ]; then
  (wget -O- "$SERIALS" || curl -L "$SERIALS") > "${caa_file}"
fi

if ! command -v openssl > /dev/null 2>&1; then
  echo "Please install openssl."
  exit 1
fi

# Read "host:port" entries from the file given as $1, or from stdin.
while read -r node; do
  # Fetch the node's certificate and extract its serial number as plain hex
  # (the serial is printed on the line after "Serial Number:", colon-separated).
  serial="$(timeout 5 openssl s_client -connect "${node}" -showcerts </dev/null 2>/dev/null |
          openssl x509 -text -noout 2>/dev/null |
          grep -A 1 Serial\ Number | tr -d : | tail -n 1 | tr -d ' ')"
  if [ -z "${serial}" ]; then
    echo "Error, could not get certificate info for node ${node}!"
    continue
  fi
  # Look the serial up in the compressed affected list.
  if zgrep -q "$serial" "${caa_file}"; then
    echo "WARNING! Certificate $serial for node ${node} has to be renewed!"
  else
    echo "Certificate $serial for node ${node} is OK!"
  fi
  serial=""
done < "${1:-/dev/stdin}"
# Remove the downloaded list so it is fetched fresh on the next run.
rm "${caa_file}"

Save and exit from nano by hitting CTRL + X, then type y and hit <enter>
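As an added example that is not part of the original guide, the serial-matching step the script performs, written in Python with exact set membership rather than zgrep's substring search (which can flag a short serial that merely appears inside a longer affected one). The certificate text and affected-serials list below are constructed samples, and the names normalize_serial, parse_serial, load_affected and check_certificate are assumed here:

```python
import re

# Constructed sample of `openssl x509 -text -noout` output (not a real certificate).
SAMPLE_X509_TEXT = """Certificate:
    Data:
        Serial Number:
            03:f1:2a:00:9c:4e:7b:d0:11:22:33:44:55:66:77:88:99:aa
        Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
"""

# Constructed stand-in for the affected-serials list: one hex serial per line.
SAMPLE_AFFECTED_LIST = """03f12a009c4e7bd0112233445566778899aa
04aa0000000000000000000000000000aa00
"""

def normalize_serial(raw: str) -> str:
    """Canonical form: lowercase hex, no colons, no leading zeros ('' if not hex)."""
    s = raw.replace(":", "").strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", s):
        return ""
    return s.lstrip("0") or "0"

def parse_serial(x509_text: str) -> str:
    """Extract the serial from openssl's text dump: the multi-line colon form the
    script greps for, or the one-line "Serial Number: 4660 (0x1234)" form."""
    m = re.search(r"Serial Number:[ \t]*(.*)\n(.*)", x509_text)
    if not m:
        return ""
    same_line, next_line = m.group(1).strip(), m.group(2).strip()
    paren = re.search(r"\(0x([0-9a-fA-F]+)\)", same_line)
    if paren:
        return normalize_serial(paren.group(1))
    return normalize_serial(same_line or next_line)

def load_affected(list_text: str) -> set:
    """Normalise every line of the affected list into a set for exact lookup."""
    return {normalize_serial(line) for line in list_text.splitlines()} - {""}

def check_certificate(x509_text: str, affected: set) -> tuple:
    """Return ('error'|'renew'|'ok', serial). Exact set membership avoids the
    substring false positives a plain `zgrep "$serial"` over the list can give."""
    serial = parse_serial(x509_text)
    if not serial:
        return ("error", "")
    return ("renew" if serial in affected else "ok", serial)
```

Feed it the text from `openssl s_client ... | openssl x509 -text -noout` and the decompressed list to reproduce the script's verdict with exact matching.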

Step 2: Make the script executable.

Use chmod to make the script executable

chmod +x ~/le_check_nodes.sh
Step 3: Execute the script using your node's port number and check for the output "Certificate for node FQDN:9033 is OK!"

Note: If you're using a different port to 9033, modify as necessary.

Execute script.

echo $FQDN:9033 | ~/le_check_nodes.sh
Example Output

zenops@node01:~$ echo $FQDN:9033 | ~/le_check_nodes.sh
--2020-03-03 22:08:28-- https://d4twhgtvn0ff5.cloudfront.net/caa-rechecking-incident-affected-serials.txt.gz
Resolving d4twhgtvn0ff5.cloudfront.net (d4twhgtvn0ff5.cloudfront.net)... 143.204.238.131, 143.204.238.163, 143.204.238.100, ...
Connecting to d4twhgtvn0ff5.cloudfront.net (d4twhgtvn0ff5.cloudfront.net)|143.204.238.131|:9033... connected.
HTTP request sent, awaiting response... 200 OK
Length: 330820804 (315M) [text/plain]
Saving to: ‘STDOUT’

- 100%[=======================================================>] 315.50M 23.6MB/s in 13s

2020-03-03 22:08:41 (24.2 MB/s) - written to stdout [330820804/330820804]

08d488862a9b004707bb219ef5643033ea78
Certificate for node node01.zentest.win:9033 is OK!


YOU ONLY NEED TO RUN THE FOLLOWING STEP IF THE CERTIFICATE CHECK IS NOT OK!

Step 4: Execute the force-renew command to renew your certs.

Note: The systemd unit file for zend should automatically restart zend.

Force certbot to renew your SSL certificates

sudo certbot renew --force-renewal
Example Output

WARNING! Certificate for node node01.zentest.win:9033 has to be renewed!
Error, could not get certificate info for node node01.zentest.win:9033!
zenops@node01:~$ sudo certbot renew --force-renewal
[sudo] password for zenops:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/node01.zentest.win.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Plugins selected: Authenticator standalone, Installer None
Running pre-hook command: systemctl stop zend
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for node01.zentest.win
Waiting for verification...
Cleaning up challenges
Running deploy-hook command: systemctl restart zend

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/node01.zentest.win/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/node01.zentest.win/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: systemctl start zend
© 2020 Horizen. All rights reserved.