[UPDATED] Some CNAME certificates will be revoked
Incident Report for Cloudinary
Resolved
This incident has been resolved.
Posted Mar 06, 2020 - 16:36 EST
Update
We are continuing to monitor for any further issues. At this time, approximately 70% of the affected hostname's certificates have been renewed. The rest will not be revoked until recycled, according to the latest announcement by Let's Encrypt: https://community.letsencrypt.org/t/2020-02-29-caa-rechecking-bug/114591/3

We will mark this incident as resolved once we have every certificate recycled. There is currently no known impact to the system, we thank you for your patience and understanding during the past 24+ hours.
Posted Mar 05, 2020 - 00:29 EST
Update
We've moved most of the affected hostnames to an alternative CDN vendor and CA. We're continuing to monitor and we're seeing the certificates of approximately a third of the hostnames were already refreshed. We'll continue to update as the situation progresses. Please don't hesitate to contact us if you'd like us to check your specific hostname.
Posted Mar 04, 2020 - 20:10 EST
Update
As a preemptive measure in case LetsEncrypt starts revoking the affected certificates before the renewal is completed, we are making changes to move some of the affected certificates to a different CDN vendor. Please contact support team at https://support.cloudinary.com/hc/en-us/requests/new if you are running into delivery issue.
Posted Mar 04, 2020 - 14:22 EST
Update
We have received an update from Let's Encrypt CA that they are planning to begin revocation of the affected certificates on March 4th 04 20:00 UTC (approx. 14 hours from this update). Certificate renewals for the affected certificates are underway and are expected to complete until then, so service should continue uninterrupted.
As a precaution, we have enabled the affected CNAMEs on an alternative CDN & CA, to be shifted over if renewals do not complete until revocation begins in 14 hours.
We do encourage you to temporarily shift to deliver images and videos on res.cloudinary.com/[cloudname] or [cloudname]-res.cloudinary.com if your app permits so, please contact support@cloudinary.com if you have any specific questions.
Our team is closely monitoring the situation and will update this incident as new updates become available.
Posted Mar 04, 2020 - 01:11 EST
Update
We are continuing to monitor for any further issues.
Posted Mar 04, 2020 - 00:40 EST
Monitoring
Letsencrypt has not started revoking the affected certificates and they are still active. We keep on monitoring the progress on this. In the meantime, our affected certificates are still in the process for renewals.
Posted Mar 03, 2020 - 20:08 EST
Identified
Due to a critical security issue that was identified on the LetsEncrypt CA, some of our Custom CNAMEs certificates are affected and potentially will be revoked on March 4th starting 00:00 UTC (in less than one hour). To check if your hostname is affected, please visit: https://checkhost.unboundtest.com/

The affected certificates are in the process of being renewed by the CDN, and we are tracking progress.
Customers whose domain is affected and can switch to serving their traffic from res.cloudinary.com or [cloudname]-res.cloudinary.com instead of their affected custom CNAME, are encouraged to do so before 00:00 UTC March 4th. Please contact support@cloudinary.com for assistance. As we expect high ticket load, please validate that your domain is affected, using the link above, before contacting us.

We understand this is a last-minute notification. Being a global internet security event, affecting over 3 million certificates, we will update on this issue as it unfolds and our global engineering team is on high alert to help avoid any downtime.

For more information on the Letsencrypt issue, please visit https://letsencrypt.status.io/pages/incident/55957a99e800baa4470002da/5e5e9b5b144d9304c0e602c7
Posted Mar 03, 2020 - 18:12 EST
This incident affected: Image CDN Delivery.