Issuing New Certificates to Address Let's Encrypt CAA Rechecking Bug
Today Let's Encrypt announced that they would revoke a batch of certificates issued due to a bug in their CAA code. Let's Encrypt provided a list of all certificates impacted. After comparing this list to the Let's Encrypt certificates requested by DNSimple, we have found a small number of certificates that were issued to our customers that will be revoked.
We are addressing this issue by taking the following steps:
- We will automatically request a new Let's Encrypt certificate for each affected certificate that Let's Encrypt will revoke and that was issued after January 1st, 2020.
- We are publishing this blog post and will post to social media as well.
- We will email the accounts that have certificates affected by this revocation with a list of impacted fully-qualified certificate names.
If you use our HTTPS redirector for URL forwarding, you will not need to take any action. Our system will automatically handle the distribution of the new certificates and start using the new certificate as soon as it is issued. The revoked certificate will be ignored.
If you use one of the impacted Let's Encrypt certificates on servers you operate, you will need to install the new certificate bundle once the certificate is issued. You will find the new certificate in your account. If you listen to our webhooks, we will send a certificate.issue event with the new certificate once it is available in your account for download.
If you have any questions, please contact us and we will be happy to help.