Let’s Encrypt CAA bug (more than 3 million certificates will be revoked today)

In a forum post on community.letsencrypt.org, Let’s Encrypt disclosed a bug in Boulder, its CA software, that caused the CAA recheck to be skipped for some of the domain names in a certificate request:

On 2020-02-29 UTC, Let’s Encrypt found a bug in our CAA code. Our CA software, Boulder, checks for CAA records at the same time it validates a subscriber’s control of a domain name. Most subscribers issue a certificate immediately after domain control validation, but we consider a validation good for 30 days. That means in some cases we need to check CAA records a second time, just before issuance. Specifically, we have to check CAA within 8 hours prior to issuance (per BRs §3.2.2.8), so any domain name that was validated more than 8 hours ago requires rechecking.

The bug is the following:

when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let’s Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let’s Encrypt.
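To make the quoted failure mode concrete, here is a small simulation of the CAA recheck step. It is an added illustration written for this page, not Boulder's code: the zone contents, names and timestamps are constructed, and which name the defective loop "picked" is an assumption of the simulation. Only the rules come from the post and the standards it cites: a validation is reused for 30 days, CAA must be rechecked when the validation is older than 8 hours, and the relevant CAA RRset is found by climbing toward the root (RFC 8659). The critical flag and issuewild are not modelled.

```python
"""Simulation of the CAA recheck defect quoted above (added illustration,
not Boulder's code; scenario data is constructed)."""
from datetime import datetime, timedelta, timezone

CA_ISSUER_DOMAIN = "letsencrypt.org"
AUTHZ_LIFETIME = timedelta(days=30)   # a successful validation is reused for 30 days
CAA_MAX_AGE = timedelta(hours=8)      # BRs 3.2.2.8: CAA answer must be < 8 hours old


def relevant_caa_rrset(zone, fqdn):
    """RFC 8659 section 3: walk from fqdn toward the root; the first owner name
    with a CAA RRset is the relevant one. zone maps owner name -> [(tag, value)]."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def caa_permits(zone, fqdn, issuer=CA_ISSUER_DOMAIN):
    """Simplified 'issue' processing for a non-wildcard name (no flags, no issuewild)."""
    rrset = relevant_caa_rrset(zone, fqdn)
    issue_values = [value for tag, value in rrset if tag == "issue"]
    if not issue_values:
        return True   # no CAA at all, or CAA without an issue tag: any CA may issue
    # issue ";" forbids every CA; otherwise the issuer domain must match.
    # Parameters after ';' (e.g. validationmethods=...) are ignored here.
    return any(v.split(";")[0].strip().lower() == issuer for v in issue_values)


def names_to_recheck(validations, now):
    """validations: fqdn -> time domain control validation succeeded. A name
    validated within the last 8 hours reuses the CAA answer obtained then; an
    older (but unexpired) validation needs CAA rechecked before issuance."""
    recheck = []
    for name, validated_at in validations.items():
        age = now - validated_at
        if age > AUTHZ_LIFETIME:
            raise ValueError(f"{name}: validation expired, domain control must be re-proven")
        if age > CAA_MAX_AGE:
            recheck.append(name)
    return recheck


def buggy_recheck(zone, names):
    """The defect as the post describes it: one name is picked and checked
    len(names) times. This simulation picks the last name (assumption)."""
    if not names:
        return True
    picked = names[-1]
    return all(caa_permits(zone, picked) for _ in names)


def fixed_recheck(zone, names):
    """Every name that needs rechecking is checked against its own CAA."""
    return all(caa_permits(zone, name) for name in names)


def would_issue(zone_now, validations, now, recheck=fixed_recheck):
    """True if the CA would issue for this order at time `now`."""
    return recheck(zone_now, names_to_recheck(validations, now))


# --- constructed scenario -------------------------------------------------
NOW = datetime(2020, 3, 3, 12, 0, tzinfo=timezone.utc)

# Three names validated ten days ago, when none of them had a CAA record,
# plus one validated two hours ago that does not need a recheck yet.
VALIDATIONS = {
    "example.org": NOW - timedelta(days=10),
    "shop.example.org": NOW - timedelta(days=10),
    "example.net": NOW - timedelta(days=10),
    "api.example.net": NOW - timedelta(hours=2),
}

# Meanwhile the owner of example.org published a CAA record at the apex that
# permits only another CA; by tree climbing it also covers shop.example.org.
ZONE_NOW = {"example.org": [("issue", "digicert.com")]}

if __name__ == "__main__":
    print("needs recheck:", names_to_recheck(VALIDATIONS, NOW))
    print("defective recheck would issue:", would_issue(ZONE_NOW, VALIDATIONS, NOW, buggy_recheck))
    print("corrected recheck would issue:", would_issue(ZONE_NOW, VALIDATIONS, NOW))
```

The defective loop answers "issue" because the one name it happens to recheck has no CAA record, while the corrected loop refuses as soon as it reaches example.org, whose new record names a different CA. This is exactly the window the post describes: a subscriber who validated before the record was published could keep issuing until the validation aged out.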

What to do about it today?

The easiest way to find out whether one of your certificates is affected is to visit https://checkhost.unboundtest.com and type your hostname:

Click the query button and you will receive the answer.

In my case, the certificates had already been renewed, hence the good response.

If you are affected:

In the case of an Nginx reverse proxy, SSH to your server and list the issued certificates with the following command:

certbot certificates

Note the number of certificates, then run the following command (it renews every certificate certbot manages, not only the affected ones, and each forced renewal counts against Let’s Encrypt’s rate limits):

certbot renew --force-renewal

The output should look like the following:

root@plex:/home/tschaba01# certbot renew --force-renewal
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/XXX.szeles.me.conf
-------------------------------------------------------------------------------
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for XXX.szeles.me
Waiting for verification...
Cleaning up challenges

-------------------------------------------------------------------------------
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/XXX.szeles.me/fullchain.pem
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/wherethefuckshouldieatinbudapest.info.conf
-------------------------------------------------------------------------------
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for wherethefuckshouldieatinbudapest.info
Waiting for verification...
Cleaning up challenges

-------------------------------------------------------------------------------
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/wherethefuckshouldieatinbudapest.info/fullchain.pem
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/XXX.szeles.me.conf
-------------------------------------------------------------------------------
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for XXX.szeles.me
Waiting for verification...
Cleaning up challenges

-------------------------------------------------------------------------------
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/XXX.szeles.me/fullchain.pem
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/szeles.me.conf
-------------------------------------------------------------------------------
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for szeles.me
Waiting for verification...
Cleaning up challenges

-------------------------------------------------------------------------------
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/szeles.me/fullchain.pem
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/XXX.szeles.me/fullchain.pem (success)
  /etc/letsencrypt/live/wherethefuckshouldieatinbudapest.info/fullchain.pem (success)
  /etc/letsencrypt/live/XXX.szeles.me/fullchain.pem (success)
  /etc/letsencrypt/live/szeles.me/fullchain.pem (success)
-------------------------------------------------------------------------------
root@plex:/home/tschaba01# 

If you run certbot certificates again, you should get the following result (note the 89 days of validity remaining):

That is all there is to renewing your certificates.
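If you have many hosts, or would rather not renew every lineage blindly, the check against checkhost.unboundtest.com and the renewal above can be done locally: read the serial of each certbot lineage, compare it with a list of affected serials, and force-renew only the hits. The script below is an added example written for this page, not the page's or Let's Encrypt's tooling. It assumes the affected-serial list is a text file with one hex serial as the first field of each line (the exact format of Let's Encrypt's published list is not reproduced here), that certificates live under /etc/letsencrypt/live/<name>/cert.pem as certbot lays them out, and that certbot accepts renew --cert-name <name> to restrict a renewal to one lineage. The stand-in certificate and the two lineages in demo() are constructed for offline use.

```python
"""Check certbot lineages against a list of affected serials and renew only
the hits (added example; list format, paths and sample data are assumptions)."""
import base64
import subprocess
import tempfile
from pathlib import Path

LIVE_DIR = Path("/etc/letsencrypt/live")   # certbot's default layout (assumption)


def _der_header(buf, pos):
    """Read a DER tag and length at pos; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def pem_serial(pem_text):
    """Serial of a PEM certificate as lowercase hex without leading zero bytes
    (what `openssl x509 -noout -serial` prints, lowercased). Only the leading
    TBSCertificate fields are parsed: SEQUENCE { SEQUENCE { [0] version, INTEGER serial ..."""
    body = "".join(line for line in pem_text.splitlines() if not line.startswith("-----"))
    der = base64.b64decode(body)
    _, pos, _ = _der_header(der, 0)            # Certificate ::= SEQUENCE
    _, pos, _ = _der_header(der, pos)          # tbsCertificate SEQUENCE
    tag, start, end = _der_header(der, pos)
    if tag == 0xA0:                            # optional [0] EXPLICIT version
        tag, start, end = _der_header(der, end)
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber")
    return der[start:end].lstrip(b"\x00").hex()


def normalize_serial(text):
    """Lowercase hex, colons removed, leading zero bytes dropped."""
    s = text.strip().lower().replace(":", "")
    while s.startswith("00"):
        s = s[2:]
    return s


def load_affected_serials(text):
    """First whitespace-separated field of each non-empty line is a serial."""
    return {normalize_serial(line.split()[0]) for line in text.splitlines() if line.split()}


def affected_lineages(live_dir, affected):
    """lineage name -> serial for every lineage whose current cert.pem is on the list."""
    hits = {}
    for cert in sorted(Path(live_dir).glob("*/cert.pem")):
        serial = pem_serial(cert.read_text())
        if serial in affected:
            hits[cert.parent.name] = serial
    return hits


def renew_command(lineage):
    """Renew one lineage instead of everything with a blanket --force-renewal;
    every forced renewal counts against Let's Encrypt's rate limits."""
    return ["certbot", "renew", "--cert-name", lineage, "--force-renewal"]


def renew_affected(live_dir, affected, run=False):
    """Return the renew commands for affected lineages; execute them if run=True."""
    commands = [renew_command(name) for name in affected_lineages(live_dir, affected)]
    if run:
        for command in commands:
            subprocess.run(command, check=True)
    return commands


def _der(tag, content):
    """Minimal DER encoder, used only to build the stand-in certificate below."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content


def fake_cert_pem(serial):
    """Constructed stand-in: only version and serialNumber are present, which is
    enough for pem_serial() but would be rejected by any real X.509 parser."""
    tbs = _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, serial)
    b64 = base64.b64encode(_der(0x30, _der(0x30, tbs))).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def demo():
    """Offline run over two constructed lineages, one of them on the list."""
    hit = bytes.fromhex("03a1b2c3d4e5f60718293a4b5c6d7e8f9a0b")      # constructed serial
    clean = bytes.fromhex("04ffeeddccbbaa99887766554433221100ab")    # constructed serial
    with tempfile.TemporaryDirectory() as tmp:
        for name, serial in (("example.org", hit), ("example.net", clean)):
            (Path(tmp) / name).mkdir()
            (Path(tmp) / name / "cert.pem").write_text(fake_cert_pem(serial))
        affected = load_affected_serials(hit.hex().upper() + " example.org\n")
        return renew_affected(tmp, affected)


if __name__ == "__main__":
    print(demo())
    # Real use, with the downloaded list saved as affected.txt:
    # renew_affected(LIVE_DIR, load_affected_serials(Path("affected.txt").read_text()), run=True)
```

The serial is read with a few lines of DER walking rather than a full X.509 library so the script runs on a bare server; serials are normalized the same way on both sides (lowercase, no colons, no leading zero bytes) so that output copied from openssl, with or without colons, matches the list.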
