How to force renew all Let's Encrypt cert?

glio (Verified User, joined Jan 8, 2008, 93 messages)
I just got this mail

"We recently discovered a bug in the Let's Encrypt certificate authority code,
described here:


Unfortunately, this means we need to revoke the certificates that were affected
by this bug, which includes one or more of your certificates. To avoid
disruption, you'll need to renew and replace your affected certificate(s) by
Wednesday, March 4, 2020. We sincerely apologize for the issue."

So I want to know: how can I force-renew all Let's Encrypt certs with one command, rather than renewing all of my users' certs one by one?

Thanks
The following script should be able to renew all certificates. It is based on a DirectAdmin post: https://help.directadmin.com/item.php?id=2087

Bash:
#!/bin/bash
# Forces DirectAdmin to renew every Let's Encrypt certificate: back-dates each
# certificate's stored creation time so DA considers it due, then queues a
# letsencrypt rewrite for the domain in the task queue.

TASK_QUEUE=/usr/local/directadmin/data/task.queue

cd /usr/local/directadmin/data/users || exit 1

for i in */domains/*cert.creation_time; do
    [ -e "$i" ] || continue                        # glob matched nothing

    DA_USERNAME=${i%%/*}                           # part before the first slash: <user>
    DA_DOMAIN=${i##*/}                             # basename: <domain>.cert.creation_time
    DA_DOMAIN=${DA_DOMAIN%.cert.creation_time}     # keeps every label, e.g. shop.example.co.uk

    echo "Adjusting Let's Encrypt certificate renew time for $DA_USERNAME with domain $DA_DOMAIN"
    echo 1577965621 > "$i"                         # 2020-01-02 UTC: old enough to be due for renewal
    echo "Queueing renew of certificate to DirectAdmin for $DA_USERNAME"
    echo 'action=rewrite&value=letsencrypt&domain='"$DA_DOMAIN" >> "$TASK_QUEUE"   # >> appends; a single > would overwrite the queue

done

Edit: A > was missing in the last line of the for block. Thanks to marinh for pointing that out.
Q: How do I know if I’m using an affected certificate?
A:
Here is an online tool that will show you: https://unboundtest.com/caaproblem.html
Thanks!

We found a small but important bug in your script. Please note the single > in your last echo. This has to be a double >>. If not, the script will remove the domains it added before, and you'll end up with only a renewal of the very last domain. Here's the corrected version:

Bash:
#!/bin/bash
# Forces DirectAdmin to renew every Let's Encrypt certificate: back-dates each
# certificate's stored creation time so DA considers it due, then queues a
# letsencrypt rewrite for the domain in the task queue.

TASK_QUEUE=/usr/local/directadmin/data/task.queue

cd /usr/local/directadmin/data/users || exit 1

for i in */domains/*cert.creation_time; do
    [ -e "$i" ] || continue                        # glob matched nothing

    DA_USERNAME=${i%%/*}                           # part before the first slash: <user>
    DA_DOMAIN=${i##*/}                             # basename: <domain>.cert.creation_time
    DA_DOMAIN=${DA_DOMAIN%.cert.creation_time}     # keeps every label, e.g. shop.example.co.uk

    echo "Adjusting Let's Encrypt certificate renew time for $DA_USERNAME with domain $DA_DOMAIN"
    echo 1577965621 > "$i"                         # 2020-01-02 UTC: old enough to be due for renewal
    echo "Queueing renew of certificate to DirectAdmin for $DA_USERNAME"
    echo 'action=rewrite&value=letsencrypt&domain='"$DA_DOMAIN" >> "$TASK_QUEUE"   # >> appends; a single > would overwrite the queue

done
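A dry-run and verification companion to the renewal script, added here as an example and not code from the thread or from DirectAdmin: it walks the same `users/<user>/domains/` layout, derives user and domain with shell parameter expansion (the `cut -f 1,2 -d .` in the script truncates names with more than two labels, such as shop.example.co.uk), and prints each certificate's stored creation time plus, when openssl and a `<domain>.cert` file are present (an assumed DirectAdmin layout), its serial and NotBefore. Running it before queueing the renewals and again after the task queue has been processed shows whether each certificate was actually reissued.

```shell
#!/bin/bash
# Added example, not code from the thread. Lists every DirectAdmin Let's
# Encrypt certificate with its stored creation_time and, if openssl and
# <domain>.cert exist, the serial and NotBefore. A changed serial and a
# NotBefore later than the forced creation_time confirm a real reissue.
# Assumption: <domain>.cert sits next to <domain>.cert.creation_time.

USERS_DIR=${USERS_DIR:-/usr/local/directadmin/data/users}

# da_parse 'user/domains/<domain>.cert.creation_time' -> "user <domain>"
# Parameter expansion keeps every label of the domain name, unlike
# `cut -f 1,2 -d .`, which turns shop.example.co.uk into shop.example.
da_parse() {
    user=${1%%/*}                           # text before the first slash
    file=${1##*/}                           # basename
    printf '%s %s\n' "$user" "${file%.cert.creation_time}"
}

# cert_summary <file.cert> -> "serial=<hex> notbefore=<date>" (needs openssl)
cert_summary() {
    serial=$(openssl x509 -in "$1" -noout -serial | cut -d= -f2)
    nb=$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2)
    printf 'serial=%s notbefore=%s\n' "$serial" "$nb"
}

# report_all -> one line per certificate. Runs in a subshell so the caller's
# working directory is left untouched.
report_all() (
    cd "$USERS_DIR" || exit 1
    for rel in */domains/*cert.creation_time; do
        [ -e "$rel" ] || continue           # glob matched nothing
        set -- $(da_parse "$rel")           # $1 = user, $2 = domain
        ctime=$(cat "$rel")
        when=$(date -u -d "@$ctime" +%F 2>/dev/null || echo '?')
        printf '%-12s %-30s creation_time=%s (%s)\n' "$1" "$2" "$ctime" "$when"
        cert=${rel%.creation_time}          # <domain>.cert in the same directory
        if [ -r "$cert" ] && command -v openssl >/dev/null 2>&1; then
            printf '    %s\n' "$(cert_summary "$cert")"
        fi
    done
)

if [ -d "$USERS_DIR" ]; then
    report_all
fi
```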