try checking cert revocation status unconditionally #865

Open
bjacke opened this issue Feb 1, 2022 · 2 comments

Comments

@bjacke

bjacke commented Feb 1, 2022

It happens from time to time that CAs revoke certificates, like recently Letsencrypt: https://www.bleepingcomputer.com/news/security/lets-encrypt-is-revoking-lots-of-ssl-certificates-in-two-days/

Many people will not notice if their certificate got revoked. Dehydrated also doesn't notice that currently. That's bad, because that means that the user will have a revoked certificate installed until it actually grows old enough to get renewed by dehydrated.

I propose that dehydrated always tries to fetch the current OCSP status of current certificates and renews them if the OCSP reply indicates that the certificate was revoked.
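The check proposed above, written out as an added example (not dehydrated's own code): it reads the OCSP responder URL from the certificate's AIA extension, asks the responder with OpenSSL, and only treats the answer as authoritative when OpenSSL reports that the response signature verified. It assumes OpenSSL is installed and that the certificate directory contains cert.pem and chain.pem as dehydrated writes them.

```bash
#!/usr/bin/env bash
# Added example: OCSP revocation check for a dehydrated-managed certificate.
# Not part of dehydrated; assumes OpenSSL is on PATH and the usual
# cert.pem / chain.pem layout of a dehydrated certificate directory.
set -u

# Classify the output of `openssl ocsp` for the queried certificate.
# Only a response whose signature verified ("Response verify OK") is
# trusted; anything else, including transport errors, is reported as
# "error" so that an unverified or missing answer never looks like "good".
# Prints one of: good, revoked, unknown, error.
ocsp_verdict() {
  local output="$1"
  case "$output" in
    *"Response verify OK"*) ;;
    *) echo error; return 0 ;;
  esac
  case "$output" in
    *": good"*)    echo good ;;
    *": revoked"*) echo revoked ;;
    *": unknown"*) echo unknown ;;
    *)             echo error ;;
  esac
}

# Query the OCSP responder named in the certificate's AIA extension.
# Usage: ocsp_status /path/to/cert.pem /path/to/chain.pem
ocsp_status() {
  local cert="$1" chain="$2" uri output
  uri=$(openssl x509 -in "$cert" -noout -ocsp_uri) || { echo error; return 1; }
  [ -n "$uri" ] || { echo error; return 1; }
  # -no_nonce: many responders serve pre-signed responses and ignore nonces.
  # The issuing intermediate in chain.pem is used as the trust anchor for
  # the responder signature, which is how Let's Encrypt signs its responses.
  output=$(openssl ocsp -issuer "$chain" -cert "$cert" -url "$uri" \
             -no_nonce -CAfile "$chain" 2>&1)
  ocsp_verdict "$output"
}

# Only a definite, verified "revoked" answer should trigger a forced
# renewal; responder outages must not cause renewal storms.
needs_renewal() {
  [ "$1" = revoked ]
}

# Walk-through for one domain (constructed path; forcing the renewal via
# dehydrated's --force / -x switch is the assumed follow-up action):
#   CERTDIR=/etc/dehydrated/certs/example.com
#   status=$(ocsp_status "$CERTDIR/cert.pem" "$CERTDIR/chain.pem")
#   needs_renewal "$status" && dehydrated -c -x -d example.com
```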

@alainwolf

At least Let's Encrypt notifies you (if possible also in advance) in case one of your certificates gets revoked. I don't know about other CAs.

From: noreply@letsencrypt.org
Date: Wed, 26 Jan 2022 06:49:08 +0000
Subject: [Urgent] Let's Encrypt revocations affecting your TLS certificates

Hello,

Please immediately renew your TLS certificate(s) that were issued from
Let's Encrypt using the TLS-ALPN-01 validation method and the following
ACME registration (account) ID(s):

1234567

We've determined that an error made it possible for TLS-ALPN-01
challenges, completed before today, to not comply with certificate
issuance requirements. We have remediated this problem and will revoke
all unexpired certificates that used this validation method at 16:00 UTC
on 28 January 2022. Please renew your certificates now to ensure an
uninterrupted experience for your site visitors.

We apologize for any inconvenience this may cause. If you need support
in the renewal process, please comment on our forum post. Our staff and
community members are available to help:

https://community.letsencrypt.org/t/170449

Thank you,

The Let's Encrypt Team

@bjacke
Author

bjacke commented Feb 1, 2022

At least Let's Encrypt notifies you (if possible also in advance) in case one of your certificates gets revoked. I don't know about other CAs.
Yes, but even for LE a contact mail address is optional. And of course manual interaction to get such a situation fixed is not ideal, either.
