try checking cert revocation status unconditionally #565

Open
opened 2025-12-29 01:27:21 +01:00 by adam · 2 comments

Originally created by @bjacke on GitHub (Feb 1, 2022).

It happens from time to time that CAs revoke certificates, like recently Let's Encrypt: https://www.bleepingcomputer.com/news/security/lets-encrypt-is-revoking-lots-of-ssl-certificates-in-two-days/

Many people will not notice if their certificate got revoked. Dehydrated also doesn't notice that currently. That's bad, because it means that the user will have a revoked certificate installed until it actually grows old enough to get renewed by dehydrated.

I propose that dehydrated _always_ tries to fetch the current OCSP status of current certificates and renews them if the OCSP reply indicates that the certificate was revoked.

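The check proposed above, as an added example written for this thread rather than code from dehydrated itself: it reads the OCSP responder URL from the certificate, asks the responder with `openssl ocsp`, and reduces the answer to one of `good`, `revoked`, `unknown` or `error`, so that only a definite `revoked` triggers a forced renewal. The paths `cert.pem` and `chain.pem`, the function names, and the sample responder output used in the comments are assumptions or constructed values, not taken from the project.

```shell
#!/bin/sh
# Added example (not dehydrated's own code): decide from an OCSP response whether
# a certificate should be renewed early because it was revoked.
# Assumed layout: the leaf certificate is $1 (e.g. cert.pem) and the issuer
# chain is $2 (e.g. chain.pem); both names are hypothetical.

# Read the OCSP responder URL from the certificate's Authority Information
# Access extension (empty output if the cert carries none).
ocsp_url_for_cert() {
  openssl x509 -in "$1" -noout -ocsp_uri
}

# Reduce `openssl ocsp` text output to one word: good, revoked, unknown or error.
# openssl prints a status line such as "cert.pem: good" or "cert.pem: revoked";
# output without such a line (responder unreachable, verify failure) is "error".
ocsp_status_from_output() {
  printf '%s\n' "$1" | awk '
    /: (good|revoked|unknown)$/ { sub(/.*: /, ""); print; found = 1; exit }
    END { if (!found) print "error" }'
}

# Query the responder for one certificate and print its status word.
# openssl ocsp exits 0 even for a revoked certificate, so the output must be
# parsed rather than relying on the exit status.
check_cert_revocation() {
  cert=$1
  chain=$2
  url=$(ocsp_url_for_cert "$cert") || { echo error; return 1; }
  [ -n "$url" ] || { echo error; return 1; }
  out=$(openssl ocsp -issuer "$chain" -cert "$cert" -url "$url" 2>&1)
  ocsp_status_from_output "$out"
}

# Only a definite "revoked" answer should force a renewal. Treating "error"
# or "unknown" as revoked would turn a responder outage into a renewal storm
# against the CA and its rate limits.
needs_renewal() {
  case "$1" in
    revoked) return 0 ;;
    *)       return 1 ;;
  esac
}

# Stand-alone use: ./ocsp-check.sh cert.pem chain.pem ; exit 10 means "renew".
if [ "$#" -ge 2 ]; then
  status=$(check_cert_revocation "$1" "$2")
  echo "OCSP status: $status"
  if needs_renewal "$status"; then
    exit 10
  fi
fi
```

A cron job could run this before the regular dehydrated invocation and, on exit code 10, trigger a renewal ahead of the normal `RENEW_DAYS` window (dehydrated's `--force` option does that). The `error` branch is deliberately non-fatal: the certificate is kept, and the next run simply asks again.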

@alainwolf commented on GitHub (Feb 1, 2022):

At least Let's Encrypt notifies you (if possible also in advance) in case one of your certificates gets revoked. I don't know about other CAs.

From: noreply@letsencrypt.org
Date: Wed, 26 Jan 2022 06:49:08 +0000
Subject: [Urgent] Let's Encrypt revocations affecting your TLS certificates

> Hello,
>
> Please immediately renew your TLS certificate(s) that were issued from
> Let's Encrypt using the TLS-ALPN-01 validation method and the following
> ACME registration (account) ID(s):
>
> 1234567
>
> We've determined that an error made it possible for TLS-ALPN-01
> challenges, completed before today, to not comply with certificate
> issuance requirements. We have remediated this problem and will revoke
> all unexpired certificates that used this validation method at 16:00 UTC
> on 28 January 2022. Please renew your certificates now to ensure an
> uninterrupted experience for your site visitors.
>
> We apologize for any inconvenience this may cause. If you need support
> in the renewal process, please comment on our forum post. Our staff and
> community members are available to help:
>
> https://community.letsencrypt.org/t/170449
>
> Thank you,
>
> The Let's Encrypt Team


@bjacke commented on GitHub (Feb 2, 2022):

> At least Let's Encrypt notifies you (if possible also in advance) in case one of your certificates gets revoked. I don't know about other CAs.

Yes, but even for LE a contact mail address is optional. And of course manual interaction to get such a situation fixed is not ideal either.


Reference: starred/dehydrated#565