[Urgent] Let's Encrypt revocations affecting your TLS certificates #4548
Comments
Caddy v2.4.2 and newer will automatically replace certificates that get revoked. Easiest thing for you to do is just upgrade Caddy, and keep it up-to-date (after proper testing of course)! Especially if you have customers relying on it. I'd also recommend getting a sponsorship to support your business needs and support the project so we can support you better.
Upgrade Caddy ASAP, versions of Caddy before 2.4.2 would not correctly automatically renew revoked certificates. See here for more details: https://community.letsencrypt.org/t/questions-about-renewing-before-tls-alpn-01-revocations/170449/21 Once you've updated, you won't need to take any additional action. Edit: Dang, @mholt 🥷'd me 🤣
Thank you so much :)
Unfortunately, this does not seem to work reliably. Two servers (Caddy v2.4.6) did not correctly recognize revoked certificates that need to be renewed.
Same for me. Caddy 2.4.6 did not automatically renew revoked certificates. We are currently manually removing the affected certificates. @mholt
It can take up to 4 days for the revocation to be recognized as it has to wait for the OCSP staple to be halfway through its validity period. The cert will be acceptable until the Good OCSP response expires.
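A way to see the window described in this comment on your own server, as an added example (this is not Caddy or CertMagic code): it inspects the OCSP response a TLS server staples and prints the certificate status plus the staple's "Next Update" time, which is when a stale "good" response finally stops being served. It assumes the `openssl` CLI is installed; the three sample outputs below are constructed to match the format of `openssl s_client -status` and are not captured from a real host.

```bash
#!/usr/bin/env sh
# Added example, not part of Caddy/CertMagic. Reads the stapled OCSP response
# a server sends (Caddy staples by default) and reports its status and window.

# staple_status: parse `openssl s_client -status` output on stdin and print
# one of: good, revoked, unknown, none (server sent no staple at all).
staple_status() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
        echo none
        return 0
    fi
    status=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Cert Status: \([a-z]*\).*/\1/p' | head -n1)
    if [ -n "$status" ]; then echo "$status"; else echo unknown; fi
}

# staple_next_update: print the staple's "Next Update" timestamp (stdin).
# A "good" staple fetched just before a revocation stays valid to clients
# until this time, which is why revocation detection lags.
staple_next_update() {
    sed -n 's/^[[:space:]]*Next Update: //p' | head -n1
}

# check_host: fetch the live staple from HOST[:PORT] (needs network access).
# Usage: check_host example.com | staple_status
check_host() {
    host=$1; port=${2:-443}
    printf '' | openssl s_client -connect "$host:$port" -servername "$host" -status 2>/dev/null
}

# Constructed samples in the shape openssl prints (not real captures).
SAMPLE_GOOD='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan 27 00:00:00 2022 GMT
    Next Update: Feb  3 00:00:00 2022 GMT
======================================'

SAMPLE_REVOKED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: revoked
    Revocation Time: Jan 28 16:00:00 2022 GMT
    This Update: Jan 28 17:00:00 2022 GMT
    Next Update: Feb  4 17:00:00 2022 GMT
======================================'

SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain'

# Offline demonstration on the constructed samples.
printf 'sample good    -> %s (valid until %s)\n' "$(printf '%s\n' "$SAMPLE_GOOD" | staple_status)" "$(printf '%s\n' "$SAMPLE_GOOD" | staple_next_update)"
printf 'sample revoked -> %s\n' "$(printf '%s\n' "$SAMPLE_REVOKED" | staple_status)"
printf 'sample none    -> %s\n' "$(printf '%s\n' "$SAMPLE_NONE" | staple_status)"
```

Run `check_host yourdomain.example | staple_status` against a live server; if it prints `good` while the CA has already revoked the certificate, compare the `Next Update` value with the current time to see how long clients will keep accepting the stale staple before a refreshed response reveals the revocation.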
As a workaround, I had to delete the files in
@b-reich We need more details than that. What's your config, what's in your logs?
Unfortunately I can not provide any logs as the Kubernetes Pod has already been removed. When it appears next time I will provide logs. We noticed the problem when customers complained that opening their sites in Chrome, Firefox etc. yields SSL errors (cert revoked). We solved it by removing the certificates from letsencrypt, so they are regenerated. They temporarily increased our rate limit after we asked in the Community forums.
You should probably persist/roll your logs somewhere in that case. That's not great.
Here is my config. (I just randomized some private info.)
I don't have any logs for this machine. Caddy was not configured to save the logs. (I have already generated new certificates)
Caddy always emits logs by default. Without the logs, all we can do is guess, unfortunately.
I just saw the latest CertMagic upgrade, as we are also using OnDemand mode, I guess it might solve our issue in the next release: 599c81d
@gbhrdt Maybe. The comments on the commit suggest that there's still a bug (because I wrote the patch around midnight when I was way too tired, but I tried): caddyserver/certmagic@9245be5
This PR might be better: caddyserver/certmagic#166
I checked all our LE certificates which use tls-alpn-01. Here are our logs: As you can see, the cert for the
All known revocation-related issues with certs not getting renewed should be fixed in CertMagic v0.15.3: https://github.com/caddyserver/certmagic/releases/tag/v0.15.3 This has been tested in production with thousands of domains and is known to work. Honestly, this feature was just a party trick (I still don't know of any other server that even tries to auto-renew revoked certificates) and it was just tricky to get it right to work in more intensive use cases.
Hi @mholt, please forgive my dumb question: What can I do to get CertMagic 0.15.3 running on my Caddy servers?
@owenconti Just build Caddy from the latest commit. You might find https://github.com/caddyserver/xcaddy helpful.
@mholt ah, I didn't realize it was already updated in the Caddy repo. I'll try out the custom build now. Is there an ETA for
I hope to tag a pre-release of 2.5 this month 🤞
I just received this email from LetsEncrypt, informing me that all the certificates issued by my caddy server will be revoked on the 28th of January, at 16:00 UTC.
I have caddy version 2.2.1 and the certificates are stored with the dynamodb module.
I am unsure how to re-issue the certificates and am a bit worried as it's affecting clients' custom domains in production.
Here is what my caddy config file looks like:
Thank you