Let's Encrypt Discovers CAA Bug, Must Revoke Customer Certificates

rufey writes: The free SSL certificate provider Let’s Encrypt is going to revoke 2.6% of the SSL certs it has issued that are currently active, due to a bug in Boulder, the Certificate Authority Authorization (CAA) software Let’s Encrypt uses. Ars Technica reports: “Let’s Encrypt uses Certificate Authority software called Boulder. Typically, a Web server that services many separate domains and uses Let’s Encrypt to secure them receives a single LE certificate that covers all domains used by the server rather than a separate cert for each individual domain. The bug LE discovered is that, rather than checking each domain name individually for valid CAA records authorizing that domain to be renewed by that server, Boulder would check a single one of the domains on that server n times (where n is the number of LE-serviced domains on that server). Let’s Encrypt normally considers domain validation results good for 30 days from the time of validation — but CAA records specifically must be checked no more than eight hours prior to certificate issuance. The upshot is that a 30-day window is available in which certificates could be issued to a particular Web server by Let’s Encrypt despite the presence of CAA records in DNS that would prohibit that issuance.

Since Let’s Encrypt finds itself in the unenviable position of potentially having issued certificates that it shouldn’t have, it’s revoking all current certificates that might not have had proper CAA record checking on Wednesday, March 4. Users whose certificates are scheduled to be revoked will need to manually force-renew before then. If an admin doesn’t perform this manual renewal step, browsers reaching their websites will show TLS security warnings due to the revoked certificates. Let’s Encrypt certificates are issued for 90-day periods, and Certbot automatically renews them only when 30 days or less are left on the cert — so this could mean roughly two months of browser errors if the manual forced renewal is not performed.”

The CAB Forum, which oversees the public CAA domain, has a ticket for this specific issue. According to a community post on Let’s Encrypt’s website, 3,048,289 of the ~116 million overall active Let’s Encrypt certificates are affected.
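To make the failure concrete, here is an added Python model of the CAA recheck described above (it is not Boulder's code, and the story does not give the root cause, so the buggy loop simply reproduces the reported behaviour of checking one name n times). The CAA zone data, the `CA_ID` value and all function names are constructed for this illustration; the lookup climbs the DNS tree as RFC 8659 specifies but ignores `issuewild` and the critical flag.

```python
from datetime import datetime, timedelta, timezone

# Constructed CAA data for the example: name -> list of (tag, value).
# "locked.example.net" only permits a different CA, so Let's Encrypt
# must refuse to issue for it.
CAA_ZONE = {
    "example.org": [("issue", "letsencrypt.org")],
    "locked.example.net": [("issue", "other-ca.example")],
}
CA_ID = "letsencrypt.org"          # the CA's identifier in "issue" tags
NAMES = ["www.example.org", "locked.example.net"]   # one multi-name order
NOW = datetime(2020, 3, 4, 12, 0, tzinfo=timezone.utc)  # constructed clock


def caa_records(name: str, zone: dict) -> list:
    """RFC 8659 lookup: walk from the name toward the root and use the
    first label that has CAA records; an empty list means no CAA at all."""
    labels = name.split(".")
    while labels:
        recs = zone.get(".".join(labels))
        if recs:
            return recs
        labels.pop(0)
    return []


def caa_allows(name: str, ca: str, zone: dict) -> bool:
    """True if the relevant CAA RRset permits `ca` to issue for `name`."""
    issue = [v for tag, v in caa_records(name, zone) if tag == "issue"]
    if not issue:           # no CAA, or no "issue" tags: any CA may issue
        return True
    return ca in issue


def caa_recheck_needed(validated_at: datetime, now: datetime) -> bool:
    """Domain validation may be reused for 30 days, but CAA must have been
    checked within the last eight hours before issuance."""
    return now - validated_at > timedelta(hours=8)


def recheck_caa_buggy(names: list, ca: str, zone: dict) -> bool:
    """Models the reported defect: the first name is checked len(names)
    times, so a restrictive CAA on any other name is never seen."""
    return all(caa_allows(names[0], ca, zone) for _ in names)


def recheck_caa_fixed(names: list, ca: str, zone: dict) -> bool:
    """Correct behaviour: every name in the order is checked."""
    return all(caa_allows(n, ca, zone) for n in names)
```

With `NAMES` above, the buggy recheck reports the whole order as allowed, while the fixed version rejects it because of `locked.example.net`.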
