sjkp/letsencrypt-siteextension

Let's Encrypt Certificate Revocation 4th of March 2020

FinVamp1 opened this issue · 2 comments

Between 20:00 UTC on 04 Mar 2020 and 03:00 UTC on 05 Mar 2020, Let's Encrypt will begin revoking 2.6% of their active certificates in order to mitigate a security bug. See here for more information: https://community.letsencrypt.org/t/revoking-certain-certificates-on-march-4/114864

We're checking to see how Azure App Service customers could be affected.

Do you have any guidance for how to handle this issue?

We're recommending a re-install of the Site Extension at the moment.

  1. Go to the Site Extensions page at https://.scm.azurewebsites.net/letsencrypt/
  2. Copy down the relevant settings.
  3. Remove the Site Extension and re-install as per the recommended instructions.

I handled this by setting the "letsencrypt:RenewXNumberOfDaysBeforeExpiration" environment variable to 89, 89 being one day less than the 90-day lifetime of Let's Encrypt certificates. Anything larger than the number of days remaining on your certificate will work. The application will restart after you save the environment variables, and the renewal web job will run on application startup. Once the app has restarted and the renewal web job has run, you should either delete the environment variable or set it to something much closer to 0 (the default is 22).

It would have been nice to pass a parameter to the web job renewal function to have it renew immediately, but this workaround isn't too terrible.
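An added example, not part of the thread or the extension's own code: a triage helper that takes certificate validity dates in the format returned by Python's `ssl.SSLSocket.getpeercert()` and reports whether the certificate predates the revocation window quoted above, and what threshold value would force a renewal. The renewal rule (renew when the threshold is larger than the days remaining) is an assumption taken from the comment above; the function name and sample certificates are constructed.

```python
import math
import ssl
from datetime import datetime, timezone

# Start of the revocation window quoted in the issue text.
REVOCATION_START = datetime(2020, 3, 4, 20, 0, tzinfo=timezone.utc)
DEFAULT_THRESHOLD = 22  # default value stated in the comment above


def _parse(cert_time):
    """Parse the 'Feb 20 10:00:00 2020 GMT' format used by getpeercert()."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def triage(cert, now):
    """Summarise one certificate's renewal position at time `now` (UTC)."""
    not_before = _parse(cert["notBefore"])
    not_after = _parse(cert["notAfter"])
    days_left = (not_after - now).total_seconds() / 86400
    return {
        # Issued before the window opened, so it has not been reissued since.
        # This does not mean the certificate is among those being revoked.
        "issued_before_window": not_before < REVOCATION_START,
        "days_left": round(days_left, 1),
        # Assumed rule: the web job renews when threshold > days remaining.
        "default_would_renew": DEFAULT_THRESHOLD > days_left,
        "min_threshold_to_force": max(math.floor(days_left) + 1, 0),
    }


# Constructed sample certificates (validity fields only).
OLD_CERT = {"notBefore": "Feb 20 10:00:00 2020 GMT", "notAfter": "May 20 10:00:00 2020 GMT"}
NEW_CERT = {"notBefore": "Mar 04 21:00:00 2020 GMT", "notAfter": "Jun 02 21:00:00 2020 GMT"}

if __name__ == "__main__":
    now = datetime(2020, 3, 5, 10, 0, tzinfo=timezone.utc)
    for name, cert in (("old", OLD_CERT), ("new", NEW_CERT)):
        print(name, triage(cert, now))
```

For the first sample, any threshold of 77 or more forces a renewal under the assumed rule, which is why 89 works there; the second was issued after the window opened and needs no forced renewal.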

I just learned about this through this article:
https://www.wired.com/story/lets-encrypt-internet-calamity-that-wasnt/

I have several certs that expire on 6/2, so I assume LE was able to renew those certs before revoking the ones affected since 90-days from 3/4 is 6/2.

I have other active certs that expire in a few days, so I'm not sure whether I should change the environmental variable like Luke or reinstall the extension. I think I'll just keep an eye on them to make sure the extension does its job (like it almost always does!).