Bencey's Blog


Informing the world about the application of Technology.

Post: Let's Encrypt to revoke certain certificates on March 4

Today Let's Encrypt has announced to its customers that it has discovered a bug affecting some of its certificates and is revoking those certificates on the 4th of March (tomorrow as of writing this post).

Below is the bug in question, as described in Let's Encrypt's announcement:

On 2020-02-29 UTC, Let’s Encrypt found a bug in our CAA code. Our CA software, Boulder, checks for CAA records at the same time it validates a subscriber’s control of a domain name. Most subscribers issue a certificate immediately after domain control validation, but we consider a validation good for 30 days. That means in some cases we need to check CAA records a second time, just before issuance. Specifically, we have to check CAA within 8 hours prior to issuance (per BRs §3.2.2.8), so any domain name that was validated more than 8 hours ago requires rechecking.

The bug: when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let’s Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let’s Encrypt.

We confirmed the bug at 2020-02-29 03:08 UTC, and halted issuance at 03:10. We deployed a fix at 05:22 UTC and then re-enabled issuance.

Our preliminary investigation suggests the bug was introduced on 2019-07-25. We will conduct a more detailed investigation and provide a postmortem when it is complete.
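To make the description above concrete, here is an added example written for this post (it is not Boulder's code): it models the 8-hour CAA recheck against a constructed in-memory CAA table, with the correct per-name recheck beside the one-name-checked-N-times behaviour the announcement describes. The `CAA_RECORDS` table, the example.com names and the timestamps are assumptions; the CAA logic is simplified to "issue" tags.

```python
# Added example (not Boulder's code): a model of the CAA recheck described above,
# showing why checking one name N times lets a forbidden name through. CAA answers
# come from a constructed in-memory table, simplified to "issue" tags, not live DNS.
from datetime import datetime, timedelta, timezone
CA_ID = "letsencrypt.org"
RECHECK_WINDOW = timedelta(hours=8)       # BRs 3.2.2.8: CAA checked within 8h of issuance
VALIDATION_LIFETIME = timedelta(days=30)  # how long a domain-control validation is reused

# Constructed CAA data: name -> CA identifiers permitted by its "issue" records.
CAA_RECORDS = {
    "blog.example.com": {"letsencrypt.org"},
    "shop.example.com": {"other-ca.example"},  # added after validation; forbids Let's Encrypt
}

def caa_allows(name, records):
    """RFC 8659 style: use the closest CAA set walking toward the root; none at all means allowed."""
    labels = name.split(".")
    for i in range(len(labels)):
        allowed = records.get(".".join(labels[i:]))
        if allowed is not None:
            return CA_ID in allowed
    return True

def names_needing_recheck(validations, now):
    """Names validated more than 8h ago; a validation older than 30 days is unusable."""
    due = []
    for name, validated_at in validations.items():
        age = now - validated_at
        if age > VALIDATION_LIFETIME:
            raise ValueError(f"{name}: validation expired, revalidate before issuance")
        if age > RECHECK_WINDOW:
            due.append(name)
    return due

def blocked_names_fixed(validations, now, records):
    """Correct behaviour: every name due for a recheck is checked itself, exactly once."""
    return [n for n in names_needing_recheck(validations, now) if not caa_allows(n, records)]

def blocked_names_buggy(validations, now, records):
    """Reported bug: one name is picked and checked N times, so the others are never rechecked."""
    due = names_needing_recheck(validations, now)
    if not due:
        return []
    picked = due[0]
    return [picked for _ in due if not caa_allows(picked, records)]

# Constructed scenario: both names validated 10 hours before an issuance on 2020-03-03.
NOW = datetime(2020, 3, 3, 12, 0, tzinfo=timezone.utc)
VALIDATIONS = {n: NOW - timedelta(hours=10) for n in ("blog.example.com", "shop.example.com")}
```

With the scenario above, `blocked_names_fixed` refuses issuance because of shop.example.com, while `blocked_names_buggy` rechecks blog.example.com twice and lets the certificate through.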

If you are unsure whether you are affected by this, you can use their online tool to determine whether you need to recreate your certs. You can access the tool Here

The certificate revocations will begin at 00:00 UTC on March 4, which is less than 8 hours away. End users don't have to worry too much about this; however, you may see security warnings on websites that have failed to renew their certificates.


Well, that's about it for this blog post. As always, if you enjoy my content you can support me by becoming a patron Here. This allows me to make blogging a full-time job and gives me more time to blog, as I do not need to get a part-time job. When you become a patron you unlock perks such as premium support, custom roles in the Discord, access to bot code and much more. I would highly suggest checking it out.