Let’s Encrypt bug in CAA – How do we tackle this?
Oops!! Let’s Encrypt is revoking 3 Million Certificates due to a bug in CAA check!
On February 29, 2020, the free SSL provider had to do this due to a bug in their certificate generating process.
At Bobcares, we frequently deal with Let’s Encrypt queries, as a part of our Server Management Services.
Today, let’s see how our Support Engineers helped our customers to handle this LetsEncrypt bug.
What are Let’s Encrypt and CAA?
Let’s Encrypt is an open certificate authority and its runs for free.
They provide digital certificates to the people for securing websites. In other words, it enables the HTTPS(SSL/TLS) on their website links.
Next comes CAA, the Certificate Authority Authorization.
It is a type of DNS record that allows the site owners to specify which all Certificate Authorities are allowed to issue certificates containing their domain names.
More about the Let’s Encrypt bug
It’s time now to see the details of the bug.
Before issuing a TLS certificate, Let’s Encrypt verify its users and domains using a Certificate Authority software called Boulder.
And the bug manly impacted the CAA specification implementation inside Boulder. As per the bug, there was a flaw in the CAA validation. As a result, a user that validated his domain for CAA records could install a certificate within the next 30 days despite the changes in DNS.
And this commonly affected the very frequently reissued certificates.
Fortunately, the team patched the bug in a short time. And, the Boulder is now verifying CAA fields properly before issuing the new certificates. Also, they decided to revoke the impacted certificates by March 4th.
Am I using an affected certificate?
That raises the question, Is my website having a broken certificate?
We are getting many requests to renew Let’s Encrypt certificates as the authority revoked 3 Million Certificates on March 4th, 2020.
Let’s now see how to check the website certificate’s validity.
So, our Engineers first check the affected certificate using an online tool:
And, on a Linux system, we use the command that shows example.com‘s current certificate serial number:
openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null 2>/dev/null | openssl x509 -text -noout | grep -A 1 Serial\ Number | tr -d :
Then, we check whether this serial number is listed in https://letsencrypt.org/caaproblem/
And, we inform our affected customers and renew their certificates. Otherwise, the site shows a security warning.
How we fix Let’s Encrypt websites in the server
Here, renewing the certificate is the solution and our Dedicated Engineers help customers in renewing their website certificates immediately.
Recently, one of our customers approached us with a similar request. He said he got an e-mail regarding the bug from Let’s Encrypt team.
The customer was using certbot as an ACME client. So, we renewed his certificate using the command below.
certbot renew --force-renewal
Where ACME client is a protocol used by Let’s Encrypt to verify that who controls the given domain name.
[Need more assistance with Let’s Encrypt?- We’ll help you.]
In short, we saw details about the Let’s Encrypt CAA bug. Also, we saw how our Support Engineers resolved the problem by renewing the certificate.