Let’s Encrypt Revokes Certificates After Finding a Bug

Alert symbol of an exclamation point inside triangle

Let’s Encrypt announced on Saturday, February 29 that it discovered a bug in its Certification Authority Authorization (CAA) code. Some certificates were revoked.

CAA Bug

The software checks for CAA records at the same time as it validates a subscribers control of a domain name. After validation most subscribers immediately issue a certificate, but Let’s Encrypt considers a validation good for 30 days. The bug kept that time limit open and a certificate could be issued even if a CAA record prohibits it.

The bug: when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let’s Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let’s Encrypt.

The bug was fixed on the same day and Let’s Encrypt is conducting a more thorough investigation. It was de termed that the bug was introduced into the system July 25, 2019.

Further Reading

[Coronavirus Causing Shortages of Key Apple Products]

[Atari’s Missile Command Heads to iOS This Spring]

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.