CarsonHoffman/office-hours-queue

Hosted Service Inaccessible due to Certificate Revocations

Closed · 1 comment

Starting from today, some users have been reporting that they are unable to open eecsoh.eecs.umich.edu due to a HTTPS certificate issue. Investigation shows that the issue is likely caused by Let's Encrypt TLS-ALPN-01 Revocations:

❯ curl -X POST -d 'fqdn=eecsoh.eecs.umich.edu' https://tls-alpn-check.letsencrypt.org/checkhost
[eecsoh.eecs.umich.edu]: The certificate retrieved from your web server has serial 043d496d6159ef88e6b2655a5c2e2b7610c1 and was found in our affected data set. Please renew your certificate as soon as possible. Help is available at https://community.letsencrypt.org/t/questions-about-renewing-before-tls-alpn-01-revocations/170449

Thanks for the heads up here! I was actually fully aware of this revocation event and had fixed it in another (unrelated) setting, but while I saw that Caddy automatically attempts to renew when it sees a revocation via OCSP, I didn't realize that this feature was introduced in a version newer than the one that was serving the site. (I also didn't catch this via monitoring as browsers are really the only clients which check CRLs.) This has been fixed now.