Let’s Encrypt discovers CAA bug

Let’s Encrypt discovers CAA bug, must revoke customer certificates

Back to News
Let’s Encrypt

Share this post

Let’s Encrypt discovers CAA bug

News , 0 Comments 10

Let’s Encrypt announced that it had discovered a bug in its CAA (Certification Authority Authorization) code.

The bug opens up a window of time in which a certificate might be issued even if a CAA record in that domain’s DNS should prohibit it.

As a result, Let’s encrypt is taking security and safety first rather than convenience and it’s going to revoke any currently issued certificate as it can’t be certain which ones are legitimate, the following announcement was made

Unfortunately, this means we need to revoke the certificates that were affected by this bug, which includes one or more of your certificates. To avoid disruption, you’ll need to renew and replace your affected certificate(s) by Wednesday, March 4, 2020. We sincerely apologize for the issue.

If you’re not able to renew your certificate by March 4, the date we are required to revoke these certificates, visitors to your site will see security warnings until you do renew the certificate.

Let’s Encrypt uses Certificate Authority software called Boulder. Typically, a Web server that services many separate domain names and uses Let’s Encrypt to secure them receives a single LE certificate that covers all domain names used by the server rather than a separate cert for each individual domain.

The bug LE discovered is that, rather than checking each domain name separately for valid CAA records authorizing that domain to be renewed by that server, Boulder would check a single one of the domains on that server n times (where n is the number of LE-serviced domains on that server). Let’s Encrypt typically considers domain validation results good for 30 days from the time of validation—but CAA records specifically must be checked no more than eight hours prior to certificate issuance.

P.S. If you need an alternative solution you can always order one of our COMODO SSL’s, GOZEN HOST manage to get the best prices for all of you!!!

Leave a Reply

Your email address will not be published. Required fields are marked *

I accept the Privacy Policy

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Back to News

Related Posts

cPanel - WHM

cPanel/WHM Price increase!

With hardware updates and increase of performance cPanel Ιnc, most probably want's to drive the way each business runs in... read more

Black Friday - 2020

Black Friday 2020 is here!

Ready to upgrade your business web presence? Black Friday is around the corner and here at GoZEN Host, we try our... read more

seo

How to remove Article ID from Joomla

Even though instructions apply to Joomla 2.5.x also we are going to deal mainly with Joomla 3.x as this is... read more

vulnerability

Vulnerability affects multiple Linux kernels

Major vulnerability affects multiple Linux kernels— CVE-2019-8912 (af_alg_release()) A major security vulnerability has been found within *many* versions of the Linux... read more

malware-detect-software

How to install maldet in DirectAdmin Server

Maldet (Linux Malware Detect) is a free and open-source malware scanner designed to detect malicious software on Linux systems. It... read more

WordPress tips

.htaccess and WordPress tips

Most of you probably already know quite a few things about .htaccess file and what you can or can't do... read more

openvpn

How to Install OpenVPN AS

To install OpenVPN AS software in CentOS / Debian operating systems, perform the steps below Update your VPS (more…) read more

Email Security

Why it’s important to keep everything updated

Let's be honest, there's no such thing as 100% secure environment and since we are on the Internet, security is... read more