Let’s Encrypt announced on Saturday, February 29 that it discovered a bug in its Certification Authority Authorization (CAA) code. Some certificates were revoked.
The software checks for CAA records at the same time as it validates a subscriber's control of a domain name. Most subscribers issue a certificate immediately after validation, but Let's Encrypt treats a validation as good for 30 days. When a subscriber issued later in that window, the bug meant the CAA records were not correctly rechecked, so a certificate could be issued even if a CAA record now prohibited it.
The bug: when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let’s Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let’s Encrypt.
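The following Go example, added here and not taken from Boulder or the Let's Encrypt announcement, makes the failure concrete. It contains a small CAA policy evaluator (RFC 8659 semantics for the "issue" tag, including the walk to a parent name when a name has no records) and two recheck loops: one that models the effect described above (with N names, one name is rechecked N times) and one that rechecks every name. The zone contents, the domain names and the timeline are constructed; the announcement does not state the root cause of the loop mistake, so the buggy variant reproduces only its observable effect.

```go
package main

import (
	"fmt"
	"strings"
)

// CAARecord is one CAA resource record (RFC 8659). The flags byte is not modelled.
type CAARecord struct {
	Tag   string // "issue", "issuewild" or "iodef"
	Value string // issuer domain (optionally "; key=value" params), or ";" for "no issuer"
}

// Zone maps a DNS name to its CAA record set; an absent key means "no CAA records".
// It is a constructed stand-in for a DNS lookup, not Boulder's resolver.
type Zone map[string][]CAARecord

// caaRecordSet returns the CAA set that governs name: the set at the name itself,
// or, when the name has none, the nearest ancestor's (RFC 8659 section 3).
func caaRecordSet(z Zone, name string) []CAARecord {
	labels := strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".")
	for i := range labels {
		if rs, ok := z[strings.Join(labels[i:], ".")]; ok {
			return rs
		}
	}
	return nil
}

// caaAllows reports whether issuer may issue a non-wildcard certificate for name.
func caaAllows(z Zone, name, issuer string) bool {
	sawIssue := false
	for _, r := range caaRecordSet(z, name) {
		if !strings.EqualFold(r.Tag, "issue") {
			continue // issuewild and iodef do not restrict non-wildcard issuance
		}
		sawIssue = true
		// The value is "issuer-domain[; params]"; only the domain part is compared.
		domain := strings.TrimSpace(strings.SplitN(r.Value, ";", 2)[0])
		if domain != "" && strings.EqualFold(domain, issuer) {
			return true
		}
	}
	// With no "issue" records at all, any CA may issue.
	return !sawIssue
}

// recheckBuggy models the effect the announcement describes: for N names it
// rechecks one name N times, so a CAA change on any other name goes unnoticed.
// (Constructed model of the effect; the announcement does not give the root cause.)
func recheckBuggy(z Zone, names []string, issuer string) (allowed bool, checked []string) {
	name := names[0]
	for range names {
		checked = append(checked, name)
		if !caaAllows(z, name, issuer) {
			return false, checked
		}
	}
	return true, checked
}

// recheckFixed rechecks every name in the request; any name that now
// prohibits issuer blocks issuance.
func recheckFixed(z Zone, names []string, issuer string) (allowed bool, checked []string) {
	allowed = true
	for _, name := range names {
		checked = append(checked, name)
		if !caaAllows(z, name, issuer) {
			allowed = false
		}
	}
	return allowed, checked
}

func main() {
	const issuer = "letsencrypt.org"
	names := []string{"a.example", "www.b.example"}
	// Constructed timeline: no CAA records when the names were validated (time X),
	// then b.example publishes a record naming a different CA before issuance.
	atValidation := Zone{}
	atIssuance := Zone{"b.example": {{Tag: "issue", Value: "other-ca.example"}}}
	ok, _ := recheckFixed(atValidation, names, issuer)
	fmt.Println("validation-time CAA allows:", ok)
	buggyOK, buggyChecked := recheckBuggy(atIssuance, names, issuer)
	fixedOK, fixedChecked := recheckFixed(atIssuance, names, issuer)
	fmt.Println("buggy recheck:", buggyOK, buggyChecked)
	fmt.Println("fixed recheck:", fixedOK, fixedChecked)
}
```

Running it shows the buggy loop reporting the request as allowed after checking `a.example` twice, while the corrected loop checks both names and refuses because `www.b.example` inherits the new `b.example` record. The same evaluator is what a domain owner can use to reason about their own records: a CAA set with any "issue" entry restricts issuance to the listed CAs, `issue ";"` forbids everyone, and a name with no records falls back to its parent.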
The bug was fixed on the same day, and Let's Encrypt is conducting a more thorough investigation. It was determined that the bug was introduced into the system on July 25, 2019.