Textpattern CMS support forum
- From: England
- Registered: 2006-01-27
- Posts: 452
Sites Using a Let’s Encrypt TLS Certificate May Throw Security Warning
I just came across the following today regarding Let’s Encrypt certificates:
On Wednesday, March 4, 2020, 3 million Transport Layer Security (TLS) certificates issued by Let’s Encrypt will be revoked because of a Certificate Authority Authorization (CAA) bug.
According to Let’s Encrypt:
The bug: when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let’s Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let’s Encrypt.
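As an added illustration of the defect quoted above (a simplified model with constructed CAA data, not Boulder’s own code), the flawed recheck that consults one name N times sits beside the corrected version that consults every name in the request:

```go
package main

import "fmt"

// Constructed CAA policy for the example: domain -> CAs allowed to issue.
// shop.example.com now lists a different CA, i.e. Let's Encrypt issuance is prohibited.
var caaRecords = map[string][]string{
	"example.com":      {"letsencrypt.org"},
	"blog.example.com": {"letsencrypt.org"},
	"shop.example.com": {"othercorp-ca.example"},
}

const leIssuer = "letsencrypt.org"

// sampleRequest is a constructed multi-name certificate request.
var sampleRequest = []string{"example.com", "blog.example.com", "shop.example.com"}

// caaAllows reports whether the current CAA record set for name permits issuer.
func caaAllows(name, issuer string) bool {
	for _, ca := range caaRecords[name] {
		if ca == issuer {
			return true
		}
	}
	return false
}

// recheckBuggy models the described behaviour: for N names it rechecks a single
// name N times, so a later CAA change on any other name is never noticed.
func recheckBuggy(names []string, issuer string) (blocked []string) {
	if len(names) == 0 {
		return nil
	}
	picked := names[0] // one name stands in for the whole request
	for range names {
		if !caaAllows(picked, issuer) {
			blocked = append(blocked, picked)
		}
	}
	return blocked
}

// recheckFixed consults the CAA records of every name in the request.
func recheckFixed(names []string, issuer string) (blocked []string) {
	for _, name := range names {
		if !caaAllows(name, issuer) {
			blocked = append(blocked, name)
		}
	}
	return blocked
}

func main() {
	fmt.Println("buggy recheck blocks:", recheckBuggy(sampleRequest, leIssuer))
	fmt.Println("fixed recheck blocks:", recheckFixed(sampleRequest, leIssuer))
}
```

The buggy recheck reports nothing blocked even though shop.example.com no longer permits Let’s Encrypt, which is exactly the window the quoted text describes.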
- From: People's Republic of Cornwall
- Registered: 2005-11-19
- Posts: 2,783
Re: Sites Using a Let’s Encrypt TLS Certificate May Throw Security Warning
For completeness, I’ve checked all the Textpattern sites; we’re not affected.
That said, since the LE rate limit has been temporarily upped, I’ve force-renewed all our certs without issue. I’ve never had to force-renew any LE certs, so it was a useful contingency/emergency exercise.