Let's Encrypt announces that it will "revoke specific server certificates due to a bug"; 2.6% of all certificates are affected


by Sean MacEntee

Let's Encrypt, a certificate authority that issues the server certificates required for HTTPS communication free of charge, has announced that it will revoke certificates it issued in 2020 that are considered affected by a software bug, because the bug meant those certificates could not be issued safely. The revocation is scheduled for Wednesday, March 4.

2020.02.29 CAA Rechecking Bug - Incidents - Let's Encrypt Community Support
https://community.letsencrypt.org/t/2020-02-29-caa-rechecking-bug/114591

Revoking certain certificates on March 4 - Help - Let's Encrypt Community Support
https://community.letsencrypt.org/t/revoking-certain-certificates-on-march-4/114864


This bug was found in Boulder, the server software that Let's Encrypt uses to validate users and their domains before issuing server certificates.

In 2017, an industry standard was set requiring certificate authorities to verify CAA (Certification Authority Authorization) records before issuing a new server certificate, in order to prevent unauthorized issuance of HTTPS certificates. A CAA record is a DNS record in which the domain owner lists the certificate authorities permitted to issue certificates for that domain, so that only a CA named in the CAA record can issue the domain's server certificate and a third party cannot obtain one without permission. Verifying this DNS CAA record was Boulder's job.

However, according to a post by Let's Encrypt engineer Jacob Hoffman-Andrews on Saturday, February 29, 2020, "when a certificate request contained N domain names that needed CAA rechecking, Boulder would check a single domain name N times." This bug could cause Let's Encrypt to issue a certificate within 30 days of a previous issuance even if, in the meantime, a CAA record had been set that prohibited issuance by Let's Encrypt, Hoffman-Andrews says.
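To make the failure mode concrete, here is a toy model of the rechecking loop described above. This is an added example, not Boulder's code; the domains, the CAA history and the timestamps are constructed, and the 30-day reuse window is the one the article mentions.

```python
"""Toy model of the CAA rechecking bug (added example, not Boulder's code)."""
from datetime import datetime, timedelta

CA = "letsencrypt.org"

# Constructed CAA history: domain -> list of (effective_from, allowed issuers).
# example.org allowed Let's Encrypt when first validated, then its owner
# switched the CAA record to a different CA ten days later.
CAA_HISTORY = {
    "example.com": [(datetime(2020, 1, 1), {"letsencrypt.org"})],
    "example.org": [(datetime(2020, 1, 1), {"letsencrypt.org"}),
                    (datetime(2020, 1, 11), {"other-ca.example"})],
}


def caa_permits(domain: str, at: datetime) -> bool:
    """True if the CAA record in effect at time `at` allows CA to issue."""
    issuers = set()
    for effective_from, allowed in CAA_HISTORY.get(domain, []):
        if effective_from <= at:
            issuers = allowed          # later records override earlier ones
    return not issuers or CA in issuers  # no CAA record at all: any CA may issue


def recheck_buggy(names, at):
    """The reported bug: one name is rechecked N times, the others never."""
    return all(caa_permits(names[0], at) for _ in names)


def recheck_fixed(names, at):
    """Corrected loop: every name in the request is rechecked once."""
    return all(caa_permits(name, at) for name in names)


def issuance_allowed(names, validated_at, now, recheck=recheck_fixed):
    """Issue only if validation is within the 30-day reuse window and every
    name still passes CAA rechecking at issuance time."""
    if now - validated_at > timedelta(days=30):
        return False  # authorization expired; fresh validation required
    return recheck(names, now)


if __name__ == "__main__":
    req = ["example.com", "example.org"]
    validated, issued = datetime(2020, 1, 2), datetime(2020, 1, 20)
    print("buggy :", issuance_allowed(req, validated, issued, recheck_buggy))
    print("fixed :", issuance_allowed(req, validated, issued, recheck_fixed))
```

With the buggy loop the request above is issued even though example.org's CAA record now forbids Let's Encrypt; the fixed loop refuses it, and the same defender-side check (recheck every name, not one name N times) is what a CA's issuance log audit should confirm.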



Let's Encrypt fixed this bug with two hours of maintenance on February 29, 2020. While it is very unlikely that anyone has exploited this bug, Let's Encrypt has announced that it will revoke all certificates affected by this bug according to industry rules.

According to Let's Encrypt, of the 116 million certificates it had issued as of February 29, 2020, 3,048,289, or 2.6% of the total, were affected by the bug. Revocation of the affected certificates is scheduled for Wednesday, March 4, 2020, and Let's Encrypt has announced that it will be completed by March 12, 2020 JST.

The serial numbers of the affected certificates are published on the following pages.

Download affected certificate serials for 2020.02.29 CAA Rechecking Incident - Let's Encrypt - Free SSL/TLS Certificates
https://letsencrypt.org/caaproblem/


in Software, Web Service, Posted by log1i_yk