
Textpattern CMS support forum


#1 2020-03-04 11:44:07

Algaris
Member
From: England
Registered: 2006-01-27
Posts: 454

Sites Using a Let’s Encrypt TLS Certificate May Throw Security Warning

I just came across the following today regarding Let’s Encrypt certificates:

On Wednesday, March 4, 2020, 3 million Transport Layer Security (TLS) certificates issued by Let’s Encrypt will be revoked because of a Certificate Authority Authorization (CAA) bug.

According to Let’s Encrypt:
The bug: when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let’s Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let’s Encrypt.

Wordfence blog.
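
The recheck behaviour quoted in the post above, as an added example that is not part of the original post and is not Boulder's code: a simplified model in which the bug checks one name N times, next to a recheck that covers every name. The domain names, the CAA data, the function names and the choice of the first name as the one picked are all assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample data: CA domains named in each domain's CAA "issue"
// records at recheck time. A missing entry means no CAA restriction.
var caaRecords = map[string][]string{
	"a.example": {"letsencrypt.org"},
	"b.example": {"other-ca.example"}, // owner now prohibits Let's Encrypt
}

// caaAllows is a simplified check (no DNS tree climbing, no issuewild).
func caaAllows(name, issuer string) bool {
	issuers, restricted := caaRecords[name]
	if !restricted {
		return true
	}
	for _, ca := range issuers {
		if strings.EqualFold(ca, issuer) {
			return true
		}
	}
	return false
}

// recheck returns the names whose CAA records prohibit issuance by issuer.
// With buggy=true it models the quoted behaviour: one name (here the first,
// an assumption) is checked N times instead of each name once.
func recheck(names []string, issuer string, buggy bool) []string {
	var blocked []string
	for _, name := range names {
		if buggy {
			name = names[0]
		}
		if !caaAllows(name, issuer) {
			blocked = append(blocked, name)
		}
	}
	return blocked
}

func main() {
	req := []string{"a.example", "b.example"} // constructed two-name request
	fmt.Println("buggy recheck blocks:", recheck(req, "letsencrypt.org", true))
	fmt.Println("fixed recheck blocks:", recheck(req, "letsencrypt.org", false))
}
```

In this model the buggy recheck blocks nothing for the two-name request, while the per-name recheck reports b.example.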


#2 2020-03-04 12:04:16

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 2,017
Website

Re: Sites Using a Let’s Encrypt TLS Certificate May Throw Security Warning

I was on my way to mention the same issue. Here [Ars Technica] is another write-up.

A tool that helps verify if your certs are affected.

Last edited by phiw13 (2020-03-04 12:05:25)


Where is that emoji for a solar powered submarine when you need it ?


#3 2020-03-04 17:46:29

gaekwad
Admin
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 2,997

Re: Sites Using a Let’s Encrypt TLS Certificate May Throw Security Warning

For completeness, I’ve checked all the Textpattern sites; we’re not affected.

That said, since the LE rate limit has been temporarily upped, I’ve force-renewed all our certs without issue. I’ve never had to force-renew any LE certs, so it was a useful contingency/emergency exercise.

