Let's Encrypt to revoke digital certificates after finding a CAA bug

Let's Encrypt has found a bug in its Certification Authority Authorization (CAA) checking code and must revoke millions of certificates unless subscribers renew the affected certificates first.

Any site whose certificate is revoked and not renewed will show visitors a security warning until the problem is corrected. No specific sites have been named, but with as many as three million certificates involved, some well-known sites may be affected.

The bug means there was a flaw in how Let's Encrypt checked that a subscriber was still permitted, by the domains' CAA records, to obtain a certificate covering all of its domains. A fix was deployed within two hours of the bug being discovered, but the fix only affects new issuance: certificates issued while the bug was present must be renewed for it to have any effect.

Let's Encrypt's announcement of the bug reads:

On 2020-02-29 UTC, Let's Encrypt found a bug in our CAA code. Our CA software, Boulder, checks CAA records at the same time it validates a subscriber's control of a domain name. Most subscribers issue a certificate immediately after domain control validation, but we consider a validation good for 30 days. That means that in some cases we need to check CAA records a second time, just before issuance. Specifically, we have to check CAA within 8 hours prior to issuance (per BRs §3.2.2.8), so any domain name that was validated more than 8 hours before issuance needs to be rechecked.

The bug: when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. In practice this means that if a subscriber validated a domain name at time X, and the CAA records for that domain name at time X allowed Let's Encrypt to issue, that subscriber would be able to issue a certificate containing that domain name until X + 30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let's Encrypt.

We confirmed the bug at 2020-02-29 03:08 UTC and halted issuance at 03:10. We deployed a fix at 05:22 UTC and then re-enabled issuance.

Our preliminary investigation suggests the bug was introduced on 2019-07-25. We will conduct a more detailed investigation and provide a postmortem when it is complete.
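
The rechecking logic described in the announcement, reduced to a small model as an added example. This is illustrative code written for this page, not Boulder's own source. It assumes the 8-hour CAA window and 30-day validation reuse period stated above; the caaLookup type stands in for a live DNS CAA query, the names needsCAARecheck, recheckCAABuggy, recheckCAAFixed and authorizeIssuance are hypothetical, and the "one name checked N times" symptom is reproduced with a loop variable shared by all closures, which is an assumed mechanism since the announcement states only the symptom, not its cause. The domain names and CAA results are constructed sample data.

```go
package main

import (
	"fmt"
	"time"
)

// caaLookup stands in for a live CAA query (assumption for this example):
// it returns true when the domain's current CAA records permit issuance by this CA.
type caaLookup func(domain string) bool

// validation records when control of a domain was validated and what the
// CAA records said at that moment.
type validation struct {
	domain       string
	validatedAt  time.Time
	caaAllowedAt bool // CAA result obtained at validation time
}

const (
	validationReuse = 30 * 24 * time.Hour // a validation is considered good for 30 days
	caaWindow       = 8 * time.Hour       // BRs §3.2.2.8: CAA checked within 8 hours of issuance
)

// needsCAARecheck reports whether the CAA result cached at validation time is
// too old to rely on at issuance time.
func needsCAARecheck(v validation, now time.Time) bool {
	return now.Sub(v.validatedAt) > caaWindow
}

// recheckCAABuggy reproduces the symptom from the announcement: for N names it
// performs N lookups, but every lookup hits the same (last) name, because the
// closures capture one variable shared across iterations instead of each
// iteration's value. Returns the names whose CAA now denies issuance.
func recheckCAABuggy(names []string, lookup caaLookup) []string {
	var checks []func() (string, bool)
	var name string // declared once, outside the loop: all closures see the same variable
	for _, n := range names {
		name = n
		checks = append(checks, func() (string, bool) { return name, lookup(name) })
	}
	var failed []string
	for _, c := range checks {
		if d, ok := c(); !ok {
			failed = append(failed, d)
		}
	}
	return failed
}

// recheckCAAFixed looks up every name that needs a recheck.
func recheckCAAFixed(names []string, lookup caaLookup) []string {
	var failed []string
	for _, name := range names {
		if !lookup(name) {
			failed = append(failed, name)
		}
	}
	return failed
}

// authorizeIssuance decides whether a certificate covering vals may be issued
// at time now, using the supplied recheck implementation. On refusal it
// returns the names that blocked issuance.
func authorizeIssuance(vals []validation, now time.Time, lookup caaLookup,
	recheck func([]string, caaLookup) []string) (bool, []string) {
	var stale []string
	for _, v := range vals {
		if now.Sub(v.validatedAt) > validationReuse {
			return false, []string{v.domain} // validation expired; full revalidation needed
		}
		if !v.caaAllowedAt {
			return false, []string{v.domain} // CAA already denied at validation time
		}
		if needsCAARecheck(v, now) {
			stale = append(stale, v.domain)
		}
	}
	if failed := recheck(stale, lookup); len(failed) > 0 {
		return false, failed
	}
	return true, nil
}

func main() {
	// Constructed scenario: both names were validated three days ago with
	// permissive CAA. Since then the operator of a.example has published a CAA
	// record that excludes this CA, so issuance must now be refused.
	t0 := time.Date(2020, 2, 26, 0, 0, 0, 0, time.UTC)
	now := t0.Add(72 * time.Hour)
	vals := []validation{{"a.example", t0, true}, {"b.example", t0, true}}
	currentCAA := map[string]bool{"a.example": false, "b.example": true}
	lookup := func(d string) bool { return currentCAA[d] }

	okBuggy, _ := authorizeIssuance(vals, now, lookup, recheckCAABuggy)
	okFixed, failed := authorizeIssuance(vals, now, lookup, recheckCAAFixed)
	fmt.Printf("buggy recheck allows issuance: %v\n", okBuggy)
	fmt.Printf("fixed recheck allows issuance: %v (blocked by %v)\n", okFixed, failed)
}
```

Run with go run. The buggy path allows issuance even though a.example's current CAA record denies it, because each of the two lookups hits b.example, the last name in the list; the fixed path refuses and names a.example. A name validated less than 8 hours ago is not rechecked by either path, which matches the window the announcement cites.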

In a separate post, Let's Encrypt listed the serial numbers of the affected certificates and provided a link to a hostname-checking tool with which anyone can check whether their domains are affected.


Source: www.linuxidc.com/Linux/2020-03/162509.htm