1. 43
  1. 10

    I am glad that Let’s Encrypt is so open. That sort of governance behavior is very, very welcomed. I’m interested in any details the postmortem may shine light on, though this is probably a simple: we introduced a bug, we had to revoke X certs, patched bug. Maybe they’ll add detail on how they plan to mitigate issues via subtle bugs sooner?

    1. 5

      Found this linked on HN, which I think includes the detail you’re looking for: https://bugzilla.mozilla.org/show_bug.cgi?id=1619047#c1

      1. 3

        If the bureaucratic machinations of CAs and browsers or arcane ASN.1 parsing conversations interest you - they do me! - check the mozilla.dev.security.policy newsgroup. It tends to be the first place where things like this are publicly discussed.

    2. 5

      For those that want to check their own cert quickly: Check whether a host’s certificate needs replacement

      1. 6

        They actually sent me an email this (US) morning notifying me that one of my certs was affected. It was great. Would have been even better if they said which cert it was, so I didn’t have to go renew all certs on all of my systems. Oh well.

        1. 8

          The email I got did include a list of certificates with their serial numbers.

      2. 2

        My email actually went to spam in Gmail, surprisingly. Luckily for me, a coworker mentioned it.

        Has anyone else had LetsEncrypt emails go to spam? Usually they don’t, but this (probably the most important one I’ve received) did.

        1. 2

          Maybe Gmail changed something, because since only a few days ago, Sentry mail has also ended up in spam for me.

          1. 6

            Consider this a reminder that Gmail cannot be considered a reliable email service that will actually deliver legitimate mail to your inbox, as anyone who’s tried to run a small-scale independent mail server following all the common best practices in the past decade would know.

            1. 2

              People say this frequently, but it hasn’t really been my experience. Of all the third-party or company-managed email services I’ve used, Gmail has been the best by far in terms of spam going to spam and everything else going to the inbox. That’s why this mis-categorization as spam was such a surprise to me. It’s pretty rare. I suppose different people have different patterns in the sorts of emails they receive, though.

              1. 1

                Your experience has been generally as positive as you describe merely because the vast majority of origins of legitimate email are run by massive megacorporations. It would be vastly different if you were on the other side, trying to run your own email service, and getting falsely flagged on almost every single message that you try to send to someone. By definition, since this affects small-scale servers, from your point of view as a gmail user, the percentage of these false positives in your incoming mail will be tiny.

                And in my personal experience, gmail is the worst in this regard – other services tend to at least have the decency to reject messages in a false positive scenario; gmail just swallows everything up and buries it in the spam box that almost nobody ever looks at.

        2. 2

          Quite inconvenient that it has to be so short notice, but I understand these are the rules for all CAs (baseline requirements).

          It’s fortunate that the solution is somewhat automated :)
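The thread above points at a tool for checking whether a host's certificate needs replacement, and a later comment notes that the notification email listed the affected certificates by serial number. The following is an added example (not the linked tool, not Let's Encrypt's code, and not anything posted in the thread) of the same check done locally in Go: parse a PEM certificate, render its serial as hex, and compare it against an affected-serial list. The serial format (hex, with or without colons or case) is an assumption, as are the function names; the self-signed certificate and the `affected` list are constructed test data so the program runs offline. In practice you would feed it the leaf certificate you actually serve (for example the first block saved from `openssl s_client -showcerts`) and the serials from your own notification.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// SerialHex renders a certificate's serial number as lowercase hex.
// Assumption: affected-serial lists are hex; exact formatting varies, so
// comparisons go through NormalizeSerial rather than raw string equality.
func SerialHex(cert *x509.Certificate) string {
	return hex.EncodeToString(cert.SerialNumber.Bytes())
}

// NormalizeSerial makes "03:4B:2F" and "034b2f" compare equal: lowercase,
// drop colon/space separators, and drop leading zeros (big.Int.Bytes() omits
// the leading 0x00 that DER adds when the high bit is set, so lists may differ).
func NormalizeSerial(s string) string {
	s = strings.ToLower(s)
	s = strings.NewReplacer(":", "", " ", "").Replace(s)
	return strings.TrimLeft(s, "0")
}

// NeedsReplacement reports whether the certificate's serial is in the
// affected list supplied by the CA's notification (hypothetical input).
func NeedsReplacement(cert *x509.Certificate, affected []string) bool {
	want := NormalizeSerial(SerialHex(cert))
	for _, a := range affected {
		if NormalizeSerial(a) == want {
			return true
		}
	}
	return false
}

// ParseCertPEM decodes the first CERTIFICATE block from PEM input.
func ParseCertPEM(pemBytes []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block in input")
	}
	return x509.ParseCertificate(block.Bytes)
}

// SelfSignedPEM builds a throwaway self-signed certificate with the given
// serial so the example runs offline. Constructed test data, not a real
// CA-issued certificate.
func SelfSignedPEM(serial *big.Int, host string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	// Constructed serial and affected list; a real run would use the PEM you
	// serve and the serials from the CA's email.
	serial, _ := new(big.Int).SetString("034b2f0a1c", 16)
	pemBytes, err := SelfSignedPEM(serial, "www.example.test")
	if err != nil {
		panic(err)
	}
	cert, err := ParseCertPEM(pemBytes)
	if err != nil {
		panic(err)
	}
	affected := []string{"03:4B:2F:0A:1C", "0A:FF:01"} // constructed list
	fmt.Printf("serial %s needs replacement: %v\n", SerialHex(cert), NeedsReplacement(cert, affected))
}
```

Comparing on the serial rather than on the hostname matters here: a host may have several valid certificates over time, and only specific issuances were affected, so the serial is the identifier that ties a notification to the certificate actually installed.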