{"id":18834022,"url":"https://github.com/jetstack/letsencrypt-caa-bug-checker","last_synced_at":"2025-04-14T04:32:15.832Z","repository":{"id":57515926,"uuid":"244946849","full_name":"jetstack/letsencrypt-caa-bug-checker","owner":"jetstack","description":"Tool to check your Kubernetes cluster for certificates affected by Let's Encrypt's CAA rechecking bug","archived":false,"fork":false,"pushed_at":"2020-03-04T17:19:38.000Z","size":34,"stargazers_count":21,"open_issues_count":0,"forks_count":4,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-03-27T18:55:16.552Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jetstack.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-03-04T16:17:46.000Z","updated_at":"2024-01-23T07:47:23.000Z","dependencies_parsed_at":"2022-08-28T17:34:23.187Z","dependency_job_id":null,"html_url":"https://github.com/jetstack/letsencrypt-caa-bug-checker","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jetstack%2Fletsencrypt-caa-bug-checker","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jetstack%2Fletsencrypt-caa-bug-checker/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jetstack%2Fletsencrypt-caa-bug-checker/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jetstack%2Fletsencrypt-caa-bug-checker/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jetstack","downl
oad_url":"https://codeload.github.com/jetstack/letsencrypt-caa-bug-checker/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248821911,"owners_count":21166979,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-08T02:06:21.919Z","updated_at":"2025-04-14T04:32:11.872Z","avatar_url":"https://github.com/jetstack.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# letsencrypt-caa-bug-checker\n\nThis tool will check all cert-manager Certificate resources installed in your\ncluster to ensure they are not affected by the\n[Let's Encrypt CAA Rechecking Bug](https://community.letsencrypt.org/t/revoking-certain-certificates-on-march-4/114864).\n\nIt will:\n\n1) Query your Kubernetes cluster for all Certificate resources\n2) Find all Secret resources managed by Certificate resources\n3) Check the serial number of each certificate against the publicly available\n   list of serial numbers that will be revoked\n4) Trigger cert-manager to renew any certificates that are affected by the bug\n\n## Pre-requisites\n\nThis tool only works with **cert-manager v0.11 onwards**, as it depends on the\nv1alpha2 API. 
If you are running an older version of cert-manager, please\nupgrade by following the [upgrade guide](https://cert-manager.io/docs/installation/upgrading/).\n\nYour Kubernetes user account will need the following permissions:\n\n* Certificate resources (`cert-manager.io/v1alpha2`): LIST\n* CertificateRequest resources (`cert-manager.io/v1alpha2`): LIST, DELETE\n* Secret resources (`core/v1`): LIST, UPDATE\n\n### Fetching the list of revoked serials\n\nThis tool requires a copy of the full list of serial numbers that Let's Encrypt\nhave notified for revocation.\n\nUse the snippet below to download and extract the file. Decompressed, the file\nis approximately 1.2GB, so please ensure you have sufficient free space for\nextraction.\n\n```shell\nwget -c https://d4twhgtvn0ff5.cloudfront.net/caa-rechecking-incident-affected-serials.txt.gz\nzcat \u003c caa-rechecking-incident-affected-serials.txt.gz \u003e serials.txt\n```\n\nThis snippet is based on the script in the [prepare-lecaa](https://github.com/hannob/lecaa/blob/master/prepare-lecaa)\nfile in the [hannob/lecaa](https://github.com/hannob/lecaa) repository, with\nminor modifications.\n\n## Checking for affected certificates\n\nFirst, download or build a copy of the `letsencrypt-caa-bug-checker` tool from\nthis GitHub repository.\n\nThen, perform a check of all the Certificates in your cluster to see if any\nare affected:\n\n```shell\n./letsencrypt-caa-bug-checker --affected-serials-file serials.txt\n```\n\nYou should see the tool check all resources in your cluster, and after a few\nseconds it should print something like:\n\n```shell\n...\n2020/03/04 16:13:06 +++ Checking Secret resource for Certificate example/demo-prod\n2020/03/04 16:13:13 Finished analyzing certificates, results:\n2020/03/04 16:13:13   Skipped/unable to check: 0\n2020/03/04 16:13:13   Unaffected certificates: 16\n2020/03/04 16:13:13   Affected certificates: 3\n```\n\nBy default, the tool will NOT automatically trigger renewals, and will 
ONLY\nprint out analysis information.\n\n## Triggering a renewal\n\nTo actually trigger a renewal of these affected certificates, you must add the\n`--renew` flag to your command invocation:\n\n```shell\n./letsencrypt-caa-bug-checker --affected-serials-file serials.txt --renew\n```\n\nA number of warnings will be printed, giving you the opportunity to cancel in\ncase you have accidentally invoked the command incorrectly.\n\nThe tool will now go through and manually trigger a renewal for each affected\nCertificate resource.\n\nIt does this by changing the `cert-manager.io/issuer-name` annotation on the\nSecret resource for each certificate, causing cert-manager to re-request a\nnew certificate.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjetstack%2Fletsencrypt-caa-bug-checker","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjetstack%2Fletsencrypt-caa-bug-checker","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjetstack%2Fletsencrypt-caa-bug-checker/lists"}