Correct, sites using Caddy v2.4.2 or newer should not have to take any action when automated certificates are revoked. Enjoy your sleep.
Got an email from Let's Encrypt: "[Urgent] Let's Encrypt revocations affecting your TLS certificates". I believe @caddyserver will have it covered?
18 replies and sub-replies as of Jan 27 2022

Caddy automatically staples OCSP for all relevant certificates. It will refresh the staple about halfway through its validity period. If the next status is Revoked, Caddy will replace the certificate right away. (Can your other server do that?)
Can you please advise what steps must be taken for versions below v2.4.2? (besides the obvious "upgrade to the latest version" advice). Thank you.
Delete the certificate from storage and reload Caddy. But really... upgrade. 😉
When will this take place? I can’t see any certificates that have been rotated yet?
OCSP staples are usually valid for about 3-7 days. Caddy refreshes them about halfway, at which point it would notice the Revoked status and replace the cert. Give it 3-4 days at most.
Given we only have two days I guess a refresh of the service is required here to prevent revoked certs?
No. OCSP responses are usually good for about 4-7 days (depending on the CA).
Thanks (not very familiar with OCSP) - is it safe to assume all clients will use the provided response and not request their own?
Hard to say. We have no control over how clients make trust decisions.
Probably not safe to assume anything with regards to security protocols. That said, it'd be dumb (and harmful) for clients to disregard/reject completely valid, fresh, verifiable, signed OCSP responses.
I suppose I'm slightly worried by middle boxes, but we'll see what happens 😀 (and finally I understand a bit more about OCSP)
I think middle boxes are irrelevant for stapled OCSP responses 🤔
May not be thinking this through correctly - but considering a firewall or something which independently does its own OCSP lookup and then blocks access based on that (especially a corporate SSL interception thing)
I use Caddy 1.0.4. Do I need to do something?
I have a reason I cannot upgrade; how do I handle this with Caddy 1.0.4?
Caddy 1 isn't supported anymore, sorry.
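The refresh-and-replace behaviour described in the replies above (the staple is refreshed about halfway through its validity, and the certificate is replaced as soon as a refresh returns Revoked), as an added Go model that is not Caddy's code: the responder, the dates and the 7-day validity are constructed assumptions, and the point of interest for a defender is `MaxLag`, the worst-case window in which a server still staples a "Good" response for a certificate the CA has already revoked.

```go
package main

import "time"

// Status mirrors the OCSP statuses the thread discusses (constructed names).
type Status int
const (
	Good Status = iota
	Revoked
)
// Staple is the part of a stapled OCSP response that drives the refresh loop.
type Staple struct {
	Status     Status
	ThisUpdate time.Time // when the CA signed the response
	NextUpdate time.Time // end of the response's validity window
}

// RefreshAt is when a server that refreshes "about halfway through the
// validity period" fetches a new response for this staple.
func RefreshAt(s Staple) time.Time {
	return s.ThisUpdate.Add(s.NextUpdate.Sub(s.ThisUpdate) / 2)
}

// Responder is a constructed model of the CA's OCSP service: Good before
// revokedAt, Revoked from then on, each answer valid for `validity`.
func Responder(revokedAt, now time.Time, validity time.Duration) Staple {
	st := Good
	if !now.Before(revokedAt) {
		st = Revoked
	}
	return Staple{Status: st, ThisUpdate: now, NextUpdate: now.Add(validity)}
}

// ReplacementTime walks the refresh schedule from the current staple and returns
// the first refresh that sees Revoked, i.e. when the server replaces the cert;
// ok is false if that does not happen within maxSteps refreshes.
func ReplacementTime(cur Staple, revokedAt time.Time, validity time.Duration, maxSteps int) (when time.Time, ok bool) {
	s := cur
	for i := 0; i < maxSteps; i++ {
		if s.Status == Revoked {
			return s.ThisUpdate, true
		}
		s = Responder(revokedAt, RefreshAt(s), validity)
	}
	return time.Time{}, false
}

// MaxLag bounds how long a server can keep stapling "Good" for a certificate the
// CA already revoked: a staple fetched just before revocation lives on until halfway.
func MaxLag(validity time.Duration) time.Duration { return validity / 2 }
```

With a 7-day staple the bound is 3.5 days, which is why "3-4 days at most" is the right expectation; clients that do their own OCSP lookups rather than trusting the staple may reject the certificate earlier in that window.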