Let’s Encrypt bug in issuance of certificates
The certification authority Let’s Encrypt has reported a bug in its CAA (Certification Authority Authorization) code, specifically in Boulder, the CA (Certification Authority) software responsible for verifying CAA records while validating a subscriber’s control of a domain name.
The incident took place on 29th February and was fixed two hours later. The company then notified its affected subscribers and decided to revoke around 3 million active TLS/SSL certificates, nearly 2.6% of the total, as of 4th March.
A downloadable list of the affected certificate serial numbers has been supplied.
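The practical question for an operator is whether any certificate they run is on that published list. The script below is an added example (not code from Let’s Encrypt or from Boulder): it pulls the serial number out of a PEM certificate with a small DER walk of the RFC 5280 structure (Certificate → tbsCertificate → optional [0] version → serialNumber INTEGER), normalises the serials from the list, and reports a match. The list format is an assumption on my part (one hex serial per line, optionally with colons, a `0x` prefix, mixed case or `#` comments); the certificate and list used here are constructed skeletons, not real issued certificates.

```python
"""Check whether a certificate's serial appears in a published list of
affected serials.  Added example; the list format is assumed, and the
sample certificate below is a constructed DER skeleton, not a real one."""
import base64
import re


def der_tlv(tag: int, payload: bytes) -> bytes:
    """Encode one DER tag-length-value with a definite-form length."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def read_tlv(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        n = first
    else:
        k = first & 0x7F
        if k == 0 or k > 4:
            raise ValueError("unsupported DER length encoding")
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    value = buf[pos:pos + n]
    if len(value) != n:
        raise ValueError("truncated DER")
    return tag, value, pos + n


def serial_from_der(der: bytes) -> int:
    """Extract serialNumber from Certificate -> tbsCertificate (RFC 5280)."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, tbs, _ = read_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, value, pos = read_tlv(tbs, 0)
    if tag == 0xA0:  # optional EXPLICIT [0] version precedes the serial; skip it
        tag, value, pos = read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    return int.from_bytes(value, "big", signed=True)


def serial_from_pem(pem: str) -> int:
    """Locate the first PEM certificate block and return its serial as an int."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return serial_from_der(base64.b64decode("".join(m.group(1).split())))


def normalize_serial(text: str) -> int:
    """Accept '03:A1:..', '03a1..', '0x03a1..' and return the integer value."""
    s = text.strip().lower()
    if s.startswith("0x"):
        s = s[2:]
    s = re.sub(r"[^0-9a-f]", "", s)
    if not s:
        raise ValueError("no hex digits in serial: %r" % text)
    return int(s, 16)


def load_affected_serials(text: str) -> set:
    """Parse the list: one serial per line, '#' lines and blanks ignored (assumed format)."""
    return {normalize_serial(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


def is_affected(pem: str, affected: set) -> bool:
    return serial_from_pem(pem) in affected


def skeleton_cert_pem(serial: bytes) -> str:
    """Build a constructed Certificate skeleton carrying only version+serial (not a valid cert)."""
    tbs = der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, serial) + der_tlv(0x30, b"")
    der = der_tlv(0x30, der_tlv(0x30, tbs))
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode()
            + "\n-----END CERTIFICATE-----\n")


# Constructed sample data: an 18-byte serial (the length Let's Encrypt serials use)
# and a list that spells the same serial with colons and upper case.
SAMPLE_PEM = skeleton_cert_pem(bytes.fromhex("03a1b2c3d4e5f60718293a4b5c6d7e8f9001"))
SAMPLE_LIST = """# constructed sample of an affected-serials list
03:A1:B2:C3:D4:E5:F6:07:18:29:3A:4B:5C:6D:7E:8F:90:01
04cafe000000000000000000000000000042
"""

if __name__ == "__main__":
    affected = load_affected_serials(SAMPLE_LIST)
    print("affected" if is_affected(SAMPLE_PEM, affected) else "not listed")
```

Comparing serials as integers rather than strings sidesteps the usual mismatch between `openssl x509 -serial` output, colon-separated dumps and any leading `00` sign byte in the DER encoding; to run it against a real list, replace `SAMPLE_LIST` with the downloaded file contents and `SAMPLE_PEM` with each deployed certificate.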
References:
- 29/02/2020 community.letsencrypt.org 2020.02.29 CAA Rechecking Bug
- 03/03/2020 community.letsencrypt.org Revoking certain certificates on March 4
- 03/03/2020 letsencrypt.org Download affected certificate serials for 2020.02.29 CAA Rechecking Incident
- 02/03/2020 unaaldia.hispasec.com Let’s Encrypt will revoke millions of TLS certificates due to a security flaw
- 05/03/2020 threatpost.com Let’s Encrypt Pushes Back Deadline to Revoke Some TLS Certificates