The Let’s Encrypt project has announced that it will revoke more than three million TLS certificates after a bug was discovered in its Certification Authority Authorization (CAA) code.
The bug impacts the server software used by Let’s Encrypt, called Boulder, which allows the project to verify users and their domains before a TLS certificate can be issued. Let’s Encrypt has decided to revoke the TLS certificates because the implementation of the CAA specification inside Boulder was affected by the bug.
CAA is a security standard that was approved back in 2017. It allows domain owners to prevent the organizations that issue TLS certificates, call
- Firefox rolls out encrypted DNS over HTTPS by default
- Fake VPN website delivers malware
- This WordPress vulnerability could let hackers hijack your entire site
By adding a “CAA field” to a domain’s DNS records, a domain owner can make it so that only the CA listed in the CAA field has the ability to issue a TLS certificate for their domain. Certificate Authorities, such as Let’s Encrypt, are required to follow the CAA specification exactly or they could risk facing penalties from browser makers.
Revoking TLS certificates
After becoming aware of the issue, Let’s Encrypt engineer Jacob Hoffman-Andrews disclosed the fact that a bug in Boulder had led the server software to ignore CAA checks in a forum post, saying:
“The bug: when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let’s Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let’s Encrypt.”
The Let’s Encrypt project worked quickly to patch the bug over the weekend and Boulder is now able to verify CAA fields properly before issuing any new certificates. Thankfully, it is very unlikely that someone exploited the bug, according to the project.
As of today, the Let’s Encrypt project has revoked all of the certificates that were issued without proper CAA checks. Now all of the impacted certificates will trigger security errors in browsers until domain owners make a request for a new TLS certificate to replace the old one.