<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<meta http-equiv="Content-type" content="text/html;charset=UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<link rel="stylesheet" href="main.css" type="text/css" />
<link rel="stylesheet" href="blog.css" type="text/css" />
<link rel="alternate" type="application/rss+xml" title="Subscribe to this page..." href="feed.rss" />
<title>Lets encrypt kerfuffle</title>
</head><body>
<div id="divbodyholder">
<div class="headerholder"><div class="header">
<div id="title">
<h1 class="nomargin"><a class="ablack" href="http://zigford.org/index.html">zigford.org</a></h1>
<div id="description"><a href="about.html">About</a><a href="links.html"> | Links</a><a href="scripts.html"> | Scripts</a><br />Sharing linux/windows scripts and tips</div>
</div></div></div>
<div id="divbody"><div class="content">
<!-- entry begin -->
<h3><a class="ablack" href="lets-encrypt-kerfuffle.html">
Lets encrypt kerfuffle
</a></h3>
<!-- bashblog_timestamp: #202003102035.26# -->
<div class="subtitle">March 10, 2020 —
Jesse Harris
</div>
<!-- text begin -->
<p>Let's Encrypt had a kerfuffle last week: for a while it was accidentally not
re-checking the CAA DNS records of the domains it had certificate requests for.</p>
<hr />
<p>CAA records are a way of recording which certificate authorities your domain
permits to issue certificates for it. As an example, use <code>dig</code> to look up
the CAA records of <code>usc.edu.au</code>:</p>
<pre><code> # dig CAA usc.edu.au +short
0 iodef "mailto:ssladmin@usc.edu.au"
0 issue "quovadisglobal.com"
0 issuewild "quovadisglobal.com"
</code></pre>
<p>In this case, a CA other than quovadisglobal is required to refuse to issue a
certificate for usc.edu.au: the <code>issue</code> and <code>issuewild</code> entries name the
only permitted issuer for ordinary and wildcard names respectively, and the
<code>iodef</code> entry tells a CA where to report a request it refused.</p>
<p>The bug with Let's Encrypt was that it was not checking the CAA record at every
issuance, so some of the certificates issued in that period might not have been
ones it was permitted to generate.</p>
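<p>As an added example (not code from this post), here is the check a CA has to run before issuing, written in Python against the CAA rules of RFC 8659: find the closest name at or above the requested one that has CAA records, then look for the CA's issuer domain name in its <code>issue</code> entries (or <code>issuewild</code> entries for a wildcard request). The usc.edu.au record set is the one from the <code>dig</code> output above; the other zone entries, the <code>ZONE</code> table and the function names are constructed for the example, and lookups are done against that table rather than live DNS. A domain owner can use the same logic to confirm what their own CAA policy actually allows.</p>

```python
# Added example (not from the post): the CAA check a CA has to run before
# issuing, per RFC 8659 section 4, evaluated against an in-memory zone table
# instead of live DNS.
from typing import Dict, List, Tuple

CaaRecord = Tuple[int, str, str]  # (flags, tag, value)

# Constructed zone data. usc.edu.au is copied from the post's dig output; the
# remaining names are made up to exercise the other cases.
ZONE: Dict[str, List[CaaRecord]] = {
    "usc.edu.au": [
        (0, "iodef", "mailto:ssladmin@usc.edu.au"),
        (0, "issue", "quovadisglobal.com"),
        (0, "issuewild", "quovadisglobal.com"),
    ],
    "example.net": [(0, "issue", ";")],  # empty issuer: nobody may issue
    "example.org": [(0, "issue", "letsencrypt.org"), (0, "issuewild", ";")],
    "noreply.example.com": [(0, "iodef", "mailto:sec@example.com")],  # iodef only
}


def relevant_caa(name: str) -> List[CaaRecord]:
    """Climb from `name` toward the root and return the first non-empty set."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []


def issuer_of(value: str) -> str:
    """Issuer domain name from a CAA value; parameters after ';' are dropped."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(name: str, ca: str, wildcard: bool = False) -> bool:
    """True if the CA whose issuer domain name is `ca` may issue for `name`."""
    rrset = relevant_caa(name)
    if not rrset:
        return True  # no CAA policy anywhere up the tree: unrestricted
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"  # issuewild, when present, governs wildcard requests
    allowed = {issuer_of(v) for _, t, v in rrset if t == tag}
    if not allowed:
        return True  # records exist but none restrict this kind of request
    return ca.lower() in allowed
```

Note that a record set holding only an <code>iodef</code> entry does not restrict issuance, and that a name with no CAA records of its own inherits the policy of its closest ancestor that has them.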
<p>My site <a href="https://zigford.org">zigford.org</a> uses a Let's Encrypt certificate, but
since using <a href="https://cloudflare.com">Cloudflare's</a> free DNS offering, you'll
likely see their certificate when you visit my site. Nonetheless, my site could
have been affected and I was interested to see if it were so.</p>
<p>Since Let's Encrypt certs expire very quickly (90 days, I think?), it's the type
of thing that begs to be automated. Let's Encrypt decided to revoke all
certificates issued while the bug was present and, thankfully, according to
<a href="https://www.wired.com/story/lets-encrypt-internet-calamity-that-wasnt/">this Wired article</a>,
Certbot users should be pretty much unaffected, as the tool will check whether a
revocation has happened.</p>
<p>So I checked through my logs and, sadly, no, I was not affected. Here is what it
looks like when certbot detects that your certificate is going to expire shortly
anyway (date stamps removed for brevity):</p>
<pre><code> journalctl -u certbot-renew

Cert is due for renewal, auto-renewing...
Non-interactive renewal: random delay of 61.05961969260669 seconds
NGINX configured with OpenSSL alternatives is not officiallysupported by Certbot.
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.zigford.org
http-01 challenge for zigford.org
Waiting for verification...
Cleaning up challenges
</code></pre>
<p>Moral of the story? Use automation maybe?</p>
<p>Tags: <a href='tag_certs.html'>certs</a>, <a href='tag_lets-encrypt.html'>lets-encrypt</a></p>
<!-- text end -->
<!-- entry end -->
</div>
<div id="footer">© <a href="http://twitter.com/zigford_org">Jesse Harris</a> — <a href="mailto:jesse@zigford.org">jesse@zigford.org</a><br/>
Generated with <a href="https://github.com/cfenollosa/bashblog">bashblog</a>, a single bash script to easily create blogs like this one</div>
</div></div>
</body></html>