Hacker News new | past | comments | ask | show | jobs | submit login

If like me you have several hundred certificates to check, please do something like this:

cd somewhere-nice

wget https://d4twhgtvn0ff5.cloudfront.net/caa-rechecking-incident... gunzip caa-rechecking-incident-affected-serials.txt.gz

for i in $(cat domains); do (openssl s_client -connect $i:443 -showcerts < /dev/null 2> /dev/null | openssl x509 -text -noout | grep -A 1 Serial\ Number | tr -d : | tail -n1) |tee serials/$i; done

cat serials/* | tr -d " " | sort | uniq > serials.collate

grep $( cat serials.collated | head -c-1 | tr "\n" "|" | sed -e 's/|/\\|/g' ) ../caa-rechecking-incident-affected-serials.txt

It will take a moment and then it may tell you that letsencrypt misspoke when they said they sent emails to everyone whose contact details they have.




I thought I was in the minority there! We have 45 certificates (of many more) that were affected, and our account id was listed, and it has an email contact associated. I got no email whatsoever, but I'm glad I had the foresight to check anyway.


I just noticed I got an email at 1949 UTC. I guess they're still sending them out. Presumably some people will receive their emails after the revocation.


I spoke to someone from the team, they’ve got another 10% to go (presumably much less now). I finally got mine as well, and they’re still coordinating to figure out the timeline to revoke. Presumably they’ll wait for the emails first.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: