back to article Let's Encrypt: OK, maybe nuking three million HTTPS certs at once was a tad ambitious. Let's take time out

Let's Encrypt has halted its plans to cancel all three million flawed web security certificates – after fearing the super-revocation may effectively break a chunk of the internet for netizens. Earlier this week, the non-profit certificate authority, which issues HTTPS certs for free, announced a plan to disable some three …

  1. David 132 Silver badge
    Facepalm

    Sheesh.

    The words "piss-up" and "brewery" come to mind.

    1. Psmo Silver badge
      Thumb Up

      Re: Sheesh.

      Strange. The words "honesty"and "bravo" come to mine.

  2. HildyJ Silver badge
    Angel

    Alternative universe?

    A tech company flat out admitting it was wrong without any weasel words and then changing its plans? What's happening to the world?

    I applaud Let's Encrypt for recognizing the problem in the first place and trying to fix it. I applaud them again for pulling back from their initial solution.

    1. Tom 38 Silver badge

      Re: Alternative universe?

      Not really a company, it doesn't sell anything and is a non profit run by ISRG for the betterment of the internet, relying on sponsors for income.

    2. JohnFen Silver badge

      Re: Alternative universe?

      Yes, I applaud them for both of things things! Great job, LE!

      But I still remain happy not to be a LE user. (To be clear, I'm not saying that people shouldn't use LE -- only that for some people such as myself, the cost/benefit of using them is not favorable, and this sort of thing doesn't help that.)

      1. JohnFen Silver badge

        Re: Alternative universe?

        Downvotes for complimenting Let's Encrypt? This place can be very strange.

    3. Nageki

      Re: Alternative universe?

      It's only possible because money is not involved, that's all.

  3. gerdesj Silver badge
    Mushroom

    I got the warning at 1300 on Wed

    ... and was told my certs would be invalid on Thurs. The email did tell me exactly which ones would be revoked and gave me a hint on how to use certbot to force an update.

    Now, I have a quite scary combination of HA Proxy fronted sites so for example you go to http://example.co.uk or www. or whatever and end up at https://example.co.uk which is hosted on an Apache job. /owa /autodiscover etc all end up coming from an Exchange server, /wiki from a Mediawiki. It goes on ... /icinga /kb and more. All of those can also be got at via hostname instead of www as well. Some bits need Kerb auth and some via forms. Attempting to hammer at the login form for eg OWA ends up visiting a fake form that does nothing, rather slowly. Getting that lot to work was quite traumatic. One tricky bit was getting http to redirect to https correctly whilst still allowing /.wellknown through for the relevant box or the front end. HSTS adds a certain excitement to testing.

    lol

    Then you have to try and get that lot to move quicker than it is designed to do.

    rofl

  4. Anonymous Coward
    Anonymous Coward

    I suspect the about face was in response to sponsors threatening to pull donations and take their needs elsewhere. You want to find the truth in anything, just follow the coins.

  5. Robert Moore
    Pint

    Was probably always the plan.

    Tell people their cert will get revoked. Lots get fixed right away.

    Lessons the risk, while not breaking things too badly.

    Overall not a bad plan. If that is what it was.

    1. JohnFen Silver badge

      Re: Was probably always the plan.

      > Overall not a bad plan. If that is what it was.

      I don't think that was a plan, but if it was then it's a terrible one because it is effectively trading away the ability to trust what LE says. Correcting a bad initial call increases trust. Lying to manipulate people into action decreases it.

    2. TeeCee Gold badge
      Headmaster

      Re: Was probably always the plan.

      Lessons the risk...

      Lessons the spelling, learned were not.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021