Let's Encrypt developers warned that today, March 4, 2020, they will be forced to revoke 3,048,289 certificates. The cause is a bug in Boulder, the CA software Let's Encrypt uses to validate users and their domains before issuing certificates.
To understand the problem, you need to understand what the CAA (Certificate Authority Authorization) standard is. It was approved back in 2017 and allows domain owners to prohibit certificate authorities from issuing certificates for their domains. A domain owner adds a special CAA record to the domain's DNS, and only the certificate authority named in that record may issue a certificate for the domain. All certificate authorities (including Let's Encrypt) are required to follow CAA to the letter, otherwise they face serious penalties.
On February 29, 2020, it became known that a bug in Boulder's CAA implementation, introduced in the summer of 2019, sometimes caused it to skip the CAA check.
"If the certificate request contained N domain names that required CAA re-verification, Boulder selected one domain name and checked it N times. In effect, if the subscriber validated the domain at time X, the CAA record for this domain allowed us to issue a Let's Encrypt certificate at time X. But the subscriber was able to obtain a certificate containing this domain name for a period of X + 30 days, even if a CAA record prohibiting the issuance of Let's Encrypt certificates was later set on that domain name," the Let's Encrypt developers explain.
Last weekend the bug was fixed, and Boulder now checks the CAA records correctly. Let's Encrypt engineers write that, according to their data, nobody managed to abuse the problem. However, under industry rules the certificate authority is obliged to revoke all certificates that were issued in violation of the CAA checks.
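To make the CAA mechanism and the described defect concrete, here is an added example (not Boulder's code and not published by Let's Encrypt): a simplified CAA check in the spirit of RFC 8659 over a constructed in-memory DNS zone, followed by a model of the "check one name N times" defect next to the correct per-name re-check. The zone contents, the CA name `letsencrypt.org` as the issuer string, and the function names are all assumptions; the check ignores CNAME/DNAME following, the critical flag, and the timing windows, and does no network lookups.

```python
"""Added example: simplified CAA evaluation and a model of the re-check bug.

The ZONE below is constructed for this example; nothing here queries real DNS.
"""
from typing import Dict, List, Tuple

CAARecord = Tuple[int, str, str]  # (flags, tag, value)

# Constructed sample zone: name -> CAA records. Names not listed have no CAA records.
ZONE: Dict[str, List[CAARecord]] = {
    "example.com": [(0, "issue", "letsencrypt.org; validationmethods=dns-01")],
    "locked.example.com": [(0, "issue", ";")],          # empty issuer: nobody may issue
    "other.example.com": [(0, "issue", "otherca.example")],
    "wild.example.com": [(0, "issue", "letsencrypt.org"), (0, "issuewild", ";")],
}


def lookup_caa(name: str, zone: Dict[str, List[CAARecord]]) -> List[CAARecord]:
    """Relevant CAA set: climb from `name` towards the root and use the first
    label set that has CAA records (the RFC 8659 tree walk, without CNAME handling)."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zone:
            return zone[candidate]
    return []


def _issuer_domain(value: str) -> str:
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(name: str, ca: str, zone: Dict[str, List[CAARecord]],
                wildcard: bool = False) -> bool:
    """True if CAA allows `ca` to issue for `name` (or for *.name when wildcard=True)."""
    records = lookup_caa(name, zone)
    if not records:
        return True  # no CAA records anywhere up the tree: issuance is unrestricted
    tag = "issuewild" if wildcard else "issue"
    relevant = [r for r in records if r[1] == tag]
    if wildcard and not relevant:
        relevant = [r for r in records if r[1] == "issue"]  # issuewild absent: fall back to issue
    if not relevant:
        return True  # CAA present but no issue/issuewild property: not restricted
    # Issuance is allowed only if some record names this CA; ';' records never match.
    return any(_issuer_domain(r[2]) == ca.lower() for r in relevant)


def names_blocking_issuance(names: List[str], ca: str,
                            zone: Dict[str, List[CAARecord]]) -> List[str]:
    """Correct re-check: every name in the order is evaluated on its own."""
    return [n for n in names if not caa_permits(n, ca, zone)]


def recheck_buggy(names: List[str], ca: str, zone: Dict[str, List[CAARecord]]) -> bool:
    """Model of the defect described in the article (illustrative, not Boulder's code):
    one name is chosen and checked len(names) times, so the others are never consulted."""
    chosen = names[0]
    return all(caa_permits(chosen, ca, zone) for _ in names)


if __name__ == "__main__":
    order = ["example.com", "locked.example.com"]
    print("buggy re-check would allow issuance:", recheck_buggy(order, "letsencrypt.org", ZONE))
    print("names that actually forbid issuance:",
          names_blocking_issuance(order, "letsencrypt.org", ZONE))
```

With the sample order above, the buggy re-check reports that issuance is allowed because it only ever looks at `example.com`, while the per-name check flags `locked.example.com`; that gap is exactly why certificates issued while the bug was live have to be revoked even though a CAA record was in place.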
Of the roughly 116,000,000 currently active certificates, only 2.6% were affected by this problem: as mentioned above, 3,048,289 certificates. About a million of them are duplicates for the same domains and subdomains, so the actual number of affected certificates is approximately 2,000,000.
Let's Encrypt is already notifying all affected users by email. You can also check your certificates with a special service or by the serial numbers of the affected certificates (details are published on a special page).