Email from Let's Encrypt about urgent revocation

rcampbell22
Community Member

Hi,

I set up the SCIM bridge on Azure Kubernetes and this morning I got an email from Let's Encrypt as follows:


Hello,

Please immediately renew your TLS certificate(s) that were issued from
Let's Encrypt using the TLS-ALPN-01 validation method and the following
ACME registration (account) ID(s):

REDACTED

We've determined that an error made it possible for TLS-ALPN-01
challenges, completed before today, to not comply with certificate
issuance requirements. We have remediated this problem and will revoke
all unexpired certificates that used this validation method at 16:00 UTC
on 28 January 2022. Please renew your certificates now to ensure an
uninterrupted experience for your site visitors.

We apologize for any inconvenience this may cause. If you need support
in the renewal process, please comment on our forum post. Our staff and
community members are available to help:

https://community.letsencrypt.org/t/170449

Thank you,

The Let's Encrypt Team


-

When I downloaded the list of affected domains and matched to the account ID they included in the email, it was for our SCIM bridge domain.

Is there a way to renew the certificate automatically, or will the SCIM bridge stop working when they revoke the certificate on 28 Jan?

Thanks,
Richard



Comments

  • Hi @rcampbell22. Thanks for reaching out!

    Unfortunately, the latest version of the SCIM bridge v2.3.0 (build 203004) will not be able to automatically renew the certificate. We have already applied a fix to the SCIM bridge to allow for auto-renewal in scenarios like this in the future, but this fix will only be available in the next release of the SCIM bridge.

    For now you can force a renewal of the SCIM bridge by clearing the redis cache and restarting the SCIM bridge. The SCIM bridge caches the Let's Encrypt certificate in redis, and attempts to obtain a new certificate on startup when no certificate is available in the cache.

    Note before you continue to the steps below: The tradeoff is that you will also lose the SCIM bridge logs for the last 3 days. If you'd like to keep the logs you can log into the SCIM bridge status page by navigating to your SCIM bridge URL and entering your Bearer Token, and downloading the log files shown at the bottom of the status page.

    The steps to clear the redis cache and restart the SCIM bridge:
    1. Open a terminal where you have access to the Kubernetes command line interface (kubectl), and make sure you are connected to the cluster running your SCIM bridge
    2. Scale down the SCIM bridge instance in your cluster: kubectl scale --replicas=0 deployment/<scim-bridge-deployment-name>
    3. Scale down the redis instance in your cluster: kubectl scale --replicas=0 deployment/<redis-deployment-name>
    4. Wait a few seconds for the Kubernetes scheduler to remove the running redis and SCIM bridge instance
    5. Scale up the redis instance in your cluster: kubectl scale --replicas=1 deployment/<redis-deployment-name>
    6. Scale up the SCIM bridge instance in your cluster: kubectl scale --replicas=1 deployment/<scim-bridge-deployment-name>

    You may need to specify the namespace for your SCIM bridge and redis deployment. You can get the namespace for these by issuing the kubectl get deployment --all-namespaces command. You can then include the namespace in the above commands by adding the --namespace=<deployment-namespace> flag.

    The SCIM bridge will attempt to get a new certificate from Let's Encrypt when it starts up. You may experience a couple of minutes of downtime while you scale down/up the SCIM bridge and redis instances in your cluster. Feel free to pause provisioning in your identity provider while you perform the steps to force a certificate renewal.

    Please feel free to reach out to our support team via our support portal if you need specific guidance for your deployment.
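The scale-down/scale-up procedure in the comment above, written out as a script. This is an added example and not code from 1Password, the SCIM bridge project, or the original thread. The namespace and deployment names (op-scim, op-scim-bridge, op-scim-redis) are hypothetical placeholders that you override through the environment, and the script assumes, as the steps above do, that the redis deployment keeps the cached certificate in memory only (a redis backed by a persistent volume would keep the old certificate across a restart). Instead of "wait a few seconds" it polls the deployment status until the old pods are marked for removal, and it uses `kubectl rollout status` only on the way back up. The `check` subcommand prints the notBefore date of the certificate the bridge now serves, so you can confirm the renewal actually happened.

```shell
#!/bin/sh
# Added example (not 1Password's or the SCIM bridge project's code).
# Forces the SCIM bridge to request a fresh Let's Encrypt certificate by
# clearing its redis cache: bridge to 0, redis to 0, redis to 1, bridge to 1.
# Assumptions (hypothetical names, override via environment): NAMESPACE,
# SCIM_DEPLOY and REDIS_DEPLOY match your cluster, and redis has no
# persistent volume, so scaling it to zero drops the cached certificate.
set -eu

KUBECTL="${KUBECTL:-kubectl}"            # set KUBECTL=echo for a dry run
NAMESPACE="${NAMESPACE:-op-scim}"
SCIM_DEPLOY="${SCIM_DEPLOY:-op-scim-bridge}"
REDIS_DEPLOY="${REDIS_DEPLOY:-op-scim-redis}"
TIMEOUT_SECS="${TIMEOUT_SECS:-120}"

# k: kubectl pinned to the SCIM bridge namespace.
k() { "$KUBECTL" --namespace="$NAMESPACE" "$@"; }

# active_replicas NAME: number of non-terminating pods of the deployment, as
# reported in .status.replicas (the field is omitted, i.e. empty, when zero).
active_replicas() {
  k get "deployment/$1" -o 'jsonpath={.status.replicas}'
}

# scale_down NAME: scale to zero and wait until no pod is still counted as
# active, instead of sleeping for a fixed number of seconds.
scale_down() {
  k scale --replicas=0 "deployment/$1"
  waited=0
  while :; do
    case "$(active_replicas "$1")" in
      ""|0) break ;;
    esac
    if [ "$waited" -ge "$TIMEOUT_SECS" ]; then
      echo "timed out waiting for $1 to scale down" >&2
      return 1
    fi
    sleep 2
    waited=$((waited + 2))
  done
}

# scale_up NAME: scale to one replica and block until the rollout completes.
scale_up() {
  k scale --replicas=1 "deployment/$1"
  k rollout status "deployment/$1" --timeout="${TIMEOUT_SECS}s"
}

# force_cert_renewal: order matters. The bridge goes down first so it cannot
# write the old certificate back into redis; redis comes back before the bridge
# so the bridge starts against an empty cache and asks Let's Encrypt for a new
# certificate (the behaviour described in the comment above).
force_cert_renewal() {
  scale_down "$SCIM_DEPLOY"
  scale_down "$REDIS_DEPLOY"
  scale_up "$REDIS_DEPLOY"
  scale_up "$SCIM_DEPLOY"
}

# cert_not_before HOST: notBefore of the certificate the bridge serves now; a
# timestamp after the restart confirms a new certificate was issued.
cert_not_before() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -startdate
}

case "${1:-}" in
  run)   force_cert_renewal ;;
  check) cert_not_before "$2" ;;
esac
```

Usage: `NAMESPACE=<ns> SCIM_DEPLOY=<bridge> REDIS_DEPLOY=<redis> sh renew.sh run`, then `sh renew.sh check scim.example.com` to read the notBefore of the served certificate. Pause provisioning in your identity provider before running it, as the comment suggests, and download the logs from the status page first if you need them, since clearing redis discards them.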

  • rcampbell22
    Community Member

    That's great. It fixed the issue - albeit unfortunately it had already been revoked by the time I saw this, but no major impact! :) Good to know it will be resolved in the next version.

    Thanks,
    Richard

  • Glad to hear it! Let us know if there's anything else we can assist you with.

This discussion has been closed.