<div dir="ltr">Luckily I am using Traefik to handle my certs and they made it a little less painful.  If anyone else is, see below from them.<div><br></div><div><div class="gmail-_2FCtq-QzlfuN-SwVMUZMM3 gmail-_2v9pwVh0VUYrmhoMv1tHPm gmail-t3_fcxv8x" style="margin:0px 8px 8px;padding:0px;border:0px;font-variant-numeric:inherit;font-variant-east-asian:inherit;font-stretch:inherit;font-size:medium;line-height:inherit;font-family:IBMPlexSans,Arial,sans-serif;vertical-align:baseline;color:rgb(135,138,140)"><div class="gmail-y8HYJ-y_lTUHkQIc1mdCq gmail-_2INHSNB8V5eaWp4P0rY_mE" style="margin:0px;padding:0px;border:0px;font:inherit;vertical-align:baseline;display:inline;word-break:break-word"><div class="gmail-_2SdHzo12ISmrC8H86TgSCp gmail-_29WrubtjAcKqzJSPdQqQ4h" style="margin:0px;padding:0px 5px 0px 0px;border:0px;font-style:inherit;font-variant:inherit;font-stretch:inherit;font-size:20px;line-height:24px;font-family:inherit;vertical-align:baseline;display:inline"><h1 class="gmail-_eYtD2XCVieq6emjKBH3m" style="margin:0px;padding:0px;border:0px;font:inherit;vertical-align:baseline;display:inline">ALERT: Let's Encrypt CAA Bug</h1></div></div></div><div class="gmail-_3xX726aBn29LDbsDtzr_6E gmail-_1Ap4F5maDtT1E1YuCiaO0r gmail-D3IL3FD0RFy_mkKLPwL4" style="margin:12px 0px 0px 8px;padding:5px 16px 5px 0px;border:0px;font-variant-numeric:inherit;font-variant-east-asian:inherit;font-stretch:inherit;font-size:medium;line-height:inherit;font-family:IBMPlexSans,Arial,sans-serif;vertical-align:baseline;max-width:800px;color:rgb(135,138,140)"><div class="gmail-_292iotee39Lmt0MkQZ2hPV gmail-RichTextJSON-root" style="padding:0px 0px 
1px;border:0px;font-style:inherit;font-variant:inherit;font-stretch:inherit;font-size:14px;line-height:21px;font-family:&quot;Noto Sans&quot;,Arial,sans-serif;vertical-align:baseline;word-break:break-word;overflow:auto;color:rgb(26,26,27)"><p class="gmail-_1qeIAgB0cPwnLhDF9XSiJM" style="margin:0px;padding:0px 0px 0.25em;border:0px;font:inherit;vertical-align:baseline">On February 29th, Let's Encrypt found a bug in Boulder affecting their CAA verification.</p><p class="gmail-_1qeIAgB0cPwnLhDF9XSiJM" style="margin:0px;padding:0.8em 0px 0.25em;border:0px;font:inherit;vertical-align:baseline"><span class="gmail-_12FoOEddL7j_RgMQN0SNeU" style="margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:700;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline">As a result, Let's Encrypt will revoke the affected certificates by March 4th.</span></p><p class="gmail-_1qeIAgB0cPwnLhDF9XSiJM" style="margin:0px;padding:0.8em 0px 0.25em;border:0px;font:inherit;vertical-align:baseline"><span class="gmail-_12FoOEddL7j_RgMQN0SNeU" style="margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:700;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline">Once the certificates are revoked, service interruption is inevitable.</span></p><p class="gmail-_1qeIAgB0cPwnLhDF9XSiJM" style="margin:0px;padding:0.8em 0px 0.25em;border:0px;font:inherit;vertical-align:baseline">Traefik has released a small CLI tool to avoid that in case Traefik handles your Let's Encrypt certificates.</p><p class="gmail-_1qeIAgB0cPwnLhDF9XSiJM" style="margin:0px;padding:0.8em 0px 0.25em;border:0px;font:inherit;vertical-align:baseline">The small tool will scan your acme.json file for affected certificates and drop them out of the file. 
Afterwards, the only thing required is to quickly restart your Traefik container so it can run a renewal process and get you a new, valid cert.</p><p class="gmail-_1qeIAgB0cPwnLhDF9XSiJM" style="margin:0px;padding:0.8em 0px 0.25em;border:0px;font:inherit;vertical-align:baseline"><span class="gmail-_12FoOEddL7j_RgMQN0SNeU" style="margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:700;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline">You can find the CLI tool here:</span></p><p class="gmail-_1qeIAgB0cPwnLhDF9XSiJM" style="margin:0px;padding:0.8em 0px 0.25em;border:0px;font:inherit;vertical-align:baseline"><a href="https://github.com/containous/acme-fixer/releases" class="gmail-_3t5uN8xUmg0TOwRCOGQEcU" rel="noopener noreferrer nofollow ugc" target="_blank" style="margin:0px;padding:0px;border:0px;font:inherit;vertical-align:baseline"><span class="gmail-_12FoOEddL7j_RgMQN0SNeU" style="margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:700;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline">GitHub</span></a></p><p class="gmail-_1qeIAgB0cPwnLhDF9XSiJM" style="margin:0px;padding:0.8em 0px 0.25em;border:0px;font:inherit;vertical-align:baseline">Or as a docker image:</p><p class="gmail-_1qeIAgB0cPwnLhDF9XSiJM" style="margin:0px;padding:0.8em 0px 0.25em;border:0px;font:inherit;vertical-align:baseline"><a href="https://hub.docker.com/r/containous/acme-fixer" class="gmail-_3t5uN8xUmg0TOwRCOGQEcU" rel="noopener noreferrer nofollow ugc" target="_blank" style="margin:0px;padding:0px;border:0px;font:inherit;vertical-align:baseline"><span class="gmail-_12FoOEddL7j_RgMQN0SNeU" style="margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:700;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline">Docker Image</span></a></p><p 
class="gmail-_1qeIAgB0cPwnLhDF9XSiJM" style="margin:0px;padding:0.8em 0px 0.25em;border:0px;font:inherit;vertical-align:baseline">Documentation:</p><p class="gmail-_1qeIAgB0cPwnLhDF9XSiJM" style="margin:0px;padding:0.8em 0px 0px;border:0px;font:inherit;vertical-align:baseline"><a href="https://github.com/containous/acme-fixer" class="gmail-_3t5uN8xUmg0TOwRCOGQEcU" rel="noopener noreferrer nofollow ugc" target="_blank" style="margin:0px;padding:0px;border:0px;font:inherit;vertical-align:baseline"><span class="gmail-_12FoOEddL7j_RgMQN0SNeU" style="margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:700;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline">Docs</span></a></p></div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Mar 3, 2020 at 8:33 PM Rocco Laudadio &lt;<a href="mailto:testing1567@gmail.com">testing1567@gmail.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto">I spent a few hours at work today doing nothing but regenerating Let's Encrypt certificates</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Mar 3, 2020, 8:26 PM Lee Wilbur &lt;<a href="mailto:leew@multiverseit.com" target="_blank">leew@multiverseit.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">



<div>
<div dir="auto">
<div dir="auto">Thought folks might be interested in this story...</div>
<div dir="auto"><br>
</div>
<a href="https://www.theregister.co.uk/2020/03/03/lets_encrypt_cert_revocation/" rel="noreferrer" target="_blank">https://www.theregister.co.uk/2020/03/03/lets_encrypt_cert_revocation/</a><br>
<br>
-Lee<br>
<br>
</div>
</div>

_______________________________________________<br>
Lilug mailing list<br>
<a href="mailto:Lilug@lists.lilug.org" rel="noreferrer" target="_blank">Lilug@lists.lilug.org</a><br>
<a href="http://lists.lilug.org/listinfo.cgi/lilug-lilug.org" rel="noreferrer noreferrer" target="_blank">http://lists.lilug.org/listinfo.cgi/lilug-lilug.org</a><br>
</blockquote></div>
</blockquote></div>