{"id":13478,"date":"2020-03-03T22:44:26","date_gmt":"2020-03-03T21:44:26","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=13478"},"modified":"2024-10-05T20:54:05","modified_gmt":"2024-10-05T18:54:05","slug":"ouch-lets-encrypt-withdraws-3-million-certificates","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2020\/03\/03\/ouch-lets-encrypt-withdraws-3-million-certificates\/","title":{"rendered":"Ouch: Let's encrypt withdraws 3 million certificates"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" align=\"left\" height=\"47\">[German]A brief message at the end of the day: Let's Encrypt has found a bug in its certificate issuance process, so it now has to revoke 3 million issued TLS certificates. <\/p>\n<p><!--more--><\/p>\n<h2>Reaching for the stars: One billion certificates issued<\/h2>\n<p>I had already noticed it a few days ago: Let's Encrypt has issued 1 billion TLS certificates. I deliberately did not cover it in the blog, but it was briefly <a href=\"https:\/\/www.borncity.com\/blog\/2018\/08\/07\/lets-encrypt-root-zertifikat-von-wichtigen-akteuren-anerkannt\/#comment-86184\" target=\"_blank\" rel=\"noopener noreferrer\">discussed here<\/a> today in German blog reader Ralf's comment. The announcement by the Let's Encrypt team is available <a href=\"https:\/\/letsencrypt.org\/2020\/02\/27\/one-billion-certs.html\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>. <\/p>\n<p>A grand success, and congratulations are in order. I also started with the free Let's Encrypt TLS certificates here on the blog, but since last year I have had a paid certificate that is valid for 12 months. 
<\/p>\n<h2>3 million certificates invalid<\/h2>\n<p>The success story above was the reach for the stars; now back down to the lowlands of everyday practice. I just read on Golem.de that Let's Encrypt has to revoke 3 million TLS certificates because of a bug. <\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"de\" dir=\"ltr\">TLS: Let's Encrypt must withdraw three million certificates <a href=\"https:\/\/twitter.com\/hashtag\/letsencrypt?src=hash&amp;ref_src=twsrc%5Etfw\">#letsencrypt<\/a> <a href=\"https:\/\/t.co\/tFNwhGKp5d\">https:\/\/t.co\/tFNwhGKp5d<\/a><\/p>\n<p>\u2014 Golem.de (@golem) <a href=\"https:\/\/twitter.com\/golem\/status\/1234835206105903105?ref_src=twsrc%5Etfw\">March 3, 2020<\/a><\/p><\/blockquote>\n<p>The bug means that the check of CAA DNS records is not performed correctly. The details are disclosed in the <a href=\"https:\/\/community.letsencrypt.org\/t\/2020-02-29-caa-rechecking-bug\/114591\" target=\"_blank\" rel=\"noopener noreferrer\">Let's Encrypt community<\/a>:<\/p>\n<blockquote>\n<p>On 2020-02-29 UTC, Let's Encrypt found a bug in our CAA code. Our CA software, Boulder, checks for CAA records at the same time it validates a subscriber's control of a domain name. Most subscribers issue a certificate immediately after domain control validation, but we consider a validation good for 30 days. That means in some cases we need to check CAA records a second time, just before issuance. Specifically, we have to check CAA within 8 hours prior to issuance (per BRs \u00a73.2.2.8), so any domain name that was validated more than 8 hours ago requires rechecking. <\/p>\n<p>The bug: when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. 
What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let's Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let's Encrypt. <\/p>\n<p>We confirmed the bug at 2020-02-29 03:08 UTC, and halted issuance at 03:10. We deployed a fix at 05:22 UTC and then re-enabled issuance. <\/p>\n<p>Our preliminary investigation suggests the bug was introduced on 2019-07-25. We will conduct a more detailed investigation and provide a postmortem when it is complete.<\/p>\n<\/blockquote>\n<p>In brief: CAA DNS records are not properly rechecked during certificate issuance. This makes it possible to issue a certificate for a domain name until X+30 days after its validation, even if someone installs CAA records for that domain name in the meantime that prohibit issuance by Let's Encrypt. The bug has existed since July 25, 2019. <\/p>\n<p>Affected users have been informed by e-mail and must now have a new certificate issued immediately. On the check website, the URL of the site to be checked can be entered. 
It then reports whether the site is affected by the revoked certificates. <\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">I guess some people will find this helpful <a href=\"https:\/\/t.co\/GEzdrRUX4z\">https:\/\/t.co\/GEzdrRUX4z<\/a> quick and dirty script to check if you need to replace <a href=\"https:\/\/twitter.com\/letsencrypt?ref_src=twsrc%5Etfw\">@letsencrypt<\/a> cert on a host due to CAA issue<\/p>\n<p>\u2014 hanno (@hanno) <a href=\"https:\/\/twitter.com\/hanno\/status\/1234847100623519744?ref_src=twsrc%5Etfw\">March 3, 2020<\/a><\/p><\/blockquote>\n<p>Hanno B\u00f6ck has published a small script on GitHub that checks whether you need to renew your certificate. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]A brief message at the end of the day: Let's Encrypt has found a bug in the process of issuing certificates. 
So they now have to withdraw 3 million issued TLS certificates.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580],"tags":[69],"class_list":["post-13478","post","type-post","status-publish","format-standard","hentry","category-security","tag-security"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/13478","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=13478"}],"version-history":[{"count":1,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/13478\/revisions"}],"predecessor-version":[{"id":35779,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/13478\/revisions\/35779"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=13478"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=13478"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=13478"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}