Many people will not notice if their certificate got revoked. Dehydrated also doesn't notice that currently. That's bad, because that means that the user will have a revoked certificate installed until it actually grows old enough to get renewed by dehydrated.
I propose that dehydrated always tries to fetch the current OCSP status of current certificates and renews them if the OCSP reply indicates that the certificate was revoked.
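One way to implement the check proposed above, as an added example (not dehydrated's code and not from the issue author): query the OCSP responder named in the certificate with the OpenSSL CLI and treat only a verified `revoked` answer as a reason to renew. The function names are hypothetical, and the script assumes the system trust store contains the CA's root.

```shell
#!/bin/sh
# Added example: decide from a certificate's OCSP status whether to renew early.
# Function names are hypothetical; this is not dehydrated's own code.

# Classify the text printed by `openssl ocsp` (stdout and stderr combined).
# Prints one of: good, revoked, unknown, error.
ocsp_classify() {
  local output="$1" cert="$2" line
  case "$output" in
    # A reply that failed signature verification is never trusted.
    *"Response Verify Failure"*|*"Responder Error"*) echo error; return ;;
    *"Response verify OK"*) ;;
    *) echo error; return ;;   # no proof of verification: fail safe
  esac
  # The status line has the form "<cert path>: good|revoked|unknown".
  line=$(printf '%s\n' "$output" | grep -F -m1 -- "${cert}: ") || { echo error; return; }
  case "${line#"${cert}: "}" in
    good*)    echo good ;;
    revoked*) echo revoked ;;
    unknown*) echo unknown ;;
    *)        echo error ;;
  esac
}

# Ask the responder listed in the certificate (needs network access).
ocsp_status() {
  local cert="$1" chain="$2" uri out
  uri=$(openssl x509 -noout -ocsp_uri -in "$cert") || { echo error; return; }
  # Certificates without an OCSP URI cannot be checked this way.
  [ -n "$uri" ] || { echo no-responder; return; }
  out=$(openssl ocsp -no_nonce -issuer "$chain" -cert "$cert" \
          -url "$uri" -verify_other "$chain" 2>&1)
  ocsp_classify "$out" "$cert"
}

# Only a verified "revoked" triggers renewal; responder trouble is reported,
# not acted on, so an outage does not cause a burst of needless renewals.
ocsp_action() {
  case "$1" in
    revoked) echo renew ;;
    good)    echo keep ;;
    *)       echo warn ;;
  esac
}

# Usage: script.sh <cert.pem> <chain.pem>
if [ "$#" -eq 2 ]; then
  status=$(ocsp_status "$1" "$2")
  echo "$1: $status -> $(ocsp_action "$status")"
fi
```

A `renew` result could then be handed to dehydrated's existing forced renewal (`--cron --force --domain <name>`).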
At least Let's Encrypt notifies you (if possible, also in advance) in case one of your certificates gets revoked. I don't know about other CAs.
From: [email protected]
Date: Wed, 26 Jan 2022 06:49:08 +0000
Subject: [Urgent] Let's Encrypt revocations affecting your TLS certificates
Hello,
Please immediately renew your TLS certificate(s) that were issued from
Let's Encrypt using the TLS-ALPN-01 validation method and the following
ACME registration (account) ID(s):
1234567
We've determined that an error made it possible for TLS-ALPN-01
challenges, completed before today, to not comply with certificate
issuance requirements. We have remediated this problem and will revoke
all unexpired certificates that used this validation method at 16:00 UTC
on 28 January 2022. Please renew your certificates now to ensure an
uninterrupted experience for your site visitors.
We apologize for any inconvenience this may cause. If you need support
in the renewal process, please comment on our forum post. Our staff and
community members are available to help:
> At least Let's Encrypt notifies you (if possible, also in advance) in case one of your certificates gets revoked. I don't know about other CAs.

Yes, but even for LE a contact mail address is optional. And of course manual interaction to get such a situation fixed is not ideal either.
It happens from time to time that CAs revoke certificates, like Let's Encrypt recently: https://www.bleepingcomputer.com/news/security/lets-encrypt-is-revoking-lots-of-ssl-certificates-in-two-days/