SSL Let’s Encrypt Revokes 3 Million Certificates Due to CAA Bug


Joeychgo

TAZ Administrator
Joined
Feb 28, 2004
Messages
6,912


Imagine receiving a TLS warning on your browser every time you visit your website for 60 days straight. Definitely not an ideal situation and you would certainly want to avoid it at all costs, correct?

Let’s Encrypt SSL, a certificate authority run by the Internet Security Research Group (ISRG) and responsible for around 116 million active SSL certificates, reported this weekend that they found a bug in their domain control validation process. As a result, they revoked around 3 million SSL certificates today.

To be precise, 2.6% of all active Let’s Encrypt SSL were revoked at 0:00 UTC, even if they were not expected to expire soon. Usually SSL certificates are valid for a year, but Let’s Encrypt SSL are only valid for 90 days. This helps decrease the amount of certificates that need to be revoked as they are more frequently renewed.

What is the impact of the Let’s Encrypt SSL bug?
To get an idea of the impact, Certbot, the most popular software used to issue Let’s Encrypt SSL certificates, only renews SSL certificates 30 days before the due date. That means if a manual forced renewal isn’t performed by an admin, the website could end up with a revoked SSL certificate for 60 days.

You may be asking yourself: who was affected? Will my website suffer with this issue? How do I proceed? We will get into that now.

What are the consequences of the Let’s Encrypt SSL bug?
To better understand the issue, you need to know about CAA records. A CAA record is a type of DNS record that is not as famous as A or CNAME records, but is vital for the SSL industry. That DNS record tells the certificate authority companies if they are allowed to issue an SSL certificate for a specific domain.

When you have to issue an SSL certificate, first the certificate authority will check the CAA records; then you are asked to prove that you own the domain. Most Let’s Encrypt users issue an SSL right after validating the domain control. However, Let’s Encrypt, as explained here, considers the domain validation good for 30 days and CAA records for 8 hours.

Say you want to issue an SSL for a domain 9 hours after the domain validation happened. You wouldn’t need to validate the domain again, but the CAA records would be queried to make sure that domain is allowed to have an SSL certificate issued by the certificate authority. Here comes the tricky part.

Mistaken SSL certificates for multiple domains?
Some SSL certificates can cover multiple domain names. The bug happens in this part. Instead of checking each domain name’s CAA records to verify which ones the SSL certificate covers, Let’s Encrypt SSL would check just one of the domain names, not all.

Once you passed the domain control validation, you would have a 30-day window to issue certificates without the CAA record being queried properly for all domain names before issuing the SSL certificate.
Since there is a possibility that Let’s Encrypt did issue SSL certificates they were not supposed to, they revoked all certificates that did not have a proper CAA re-checking, more specifically, 3,048,289 certificates.

If you want to make sure your domain is not affected, you can use the following website: https://checkhost.unboundtest.com

My SSL certificate was revoked, what do I do?
In this case you need to force the renewal process. It depends largely on the software you use to issue the SSL certificate. For Certbot users, running certbot renew --force-renewal on the command line is all you need to do. For cPanel users using AutoSSL, you need to delete the certificate from your cPanel account and then run AutoSSL so it triggers a new issue process.

Our general recommendation would be to contact your sysadmin or hosting provider so they can take care of this issue for you.

Are Sucuri customers affected?
Sucuri customers that rely on the SSL certificates issued by the WAF were not affected as we do not issue multi-domain SSL certificates and thus the CAA validation bug did not impact our SSL certificates.

However, if you manually uploaded a custom Let’s Encrypt multi-domain SSL into the Sucuri WAF, please check if your domain is not using a revoked SSL certificate. If you need any assistance, please submit a support ticket to our firewall team.
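The CAA re-check the post above describes, modelled in Python as an added example (this is not Let's Encrypt's own Boulder code): a passed domain validation is reused for 30 days, a CAA answer for 8 hours, and the buggy issuance path re-queries only one of the stale names where the corrected path re-queries every one of them. The zone data, CA identifier, host names and clock are constructed; the climb-to-parent CAA lookup follows RFC 8659 but leaves out CNAME following and the issuewild tag.

```python
"""Model of the Let's Encrypt CAA re-check and the multi-name bug described in the post.
Added example, not Let's Encrypt's (Boulder's) code; all DNS data and timestamps are constructed."""
from datetime import datetime, timedelta, timezone

CA_ID = "letsencrypt.org"            # the value a CAA "issue" tag uses to name this CA
AUTHZ_LIFETIME = timedelta(days=30)  # a passed domain validation is reused for 30 days
CAA_LIFETIME = timedelta(hours=8)    # a CAA answer is trusted for 8 hours, then re-checked

# Constructed zone data: name -> CAA RRset as (tag, value) pairs. The owner of
# locked.example.net has moved to another CA since the domain was validated.
CAA_ZONE = {
    "example.com": [("issue", "letsencrypt.org")],
    "locked.example.net": [("issue", "other-ca.example")],
    "open.example.org": [("iodef", "mailto:security@example.org")],  # no issue tag at all
}


def lookup_caa(name):
    """RFC 8659 lookup: climb from the name toward the root and use the first RRset found.
    (The real algorithm also follows CNAMEs; that is omitted here.)"""
    labels = name.split(".")
    for i in range(len(labels)):
        rrset = CAA_ZONE.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def caa_permits(name, ca_id=CA_ID):
    """May ca_id issue for this name right now? Only 'issue' tags are modelled (no issuewild)."""
    issue_values = [value for tag, value in lookup_caa(name) if tag == "issue"]
    if not issue_values:
        return True  # no issue property at all: issuance is not restricted
    # 'issue ";"' (empty CA name) forbids everyone; parameters after ';' are ignored here.
    return any(value.split(";")[0].strip() == ca_id for value in issue_values)


class Authorization:
    """A validated identifier as the CA caches it; CAA was checked at validation time."""
    def __init__(self, name, validated_at):
        self.name = name
        self.validated_at = validated_at


def issue(names, authzs, now, recheck_all=True):
    """Decide whether a certificate covering all `names` may be issued at `now`.
    recheck_all=False reproduces the bug: of the names whose CAA answer is older than
    8 hours, only the first is actually re-queried, once per stale name."""
    for name in names:
        if now - authzs[name].validated_at > AUTHZ_LIFETIME:
            return False, f"authorization for {name} expired; validate again"
    stale = [n for n in names if now - authzs[n].validated_at > CAA_LIFETIME]
    if stale and not recheck_all:
        stale = [stale[0]] * len(stale)  # the loop re-checks the same name every iteration
    for name in stale:
        if not caa_permits(name):
            return False, f"CAA for {name} no longer permits {CA_ID}"
    return True, "issued"


def scenario(hours_since_validation, recheck_all):
    """Two-name certificate validated `hours_since_validation` ago, issued now."""
    now = datetime(2020, 3, 3, 0, 0, tzinfo=timezone.utc)  # constructed clock
    names = ["www.example.com", "locked.example.net"]
    authzs = {n: Authorization(n, now - timedelta(hours=hours_since_validation)) for n in names}
    return issue(names, authzs, now, recheck_all)


if __name__ == "__main__":
    print("buggy, 10h after validation:", scenario(10, recheck_all=False))
    print("fixed, 10h after validation:", scenario(10, recheck_all=True))
    print("fixed,  1h after validation:", scenario(1, recheck_all=True))
```

Ten hours after validation both names are past the 8-hour CAA lifetime; the buggy path re-queries www.example.com twice, never sees that locked.example.net now names a different CA, and issues, which is exactly the certificate population that had to be revoked. Within the 8-hour window neither path re-queries, so the bug is invisible to clients that issue immediately after validation.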
 

eva2000

Habitué
Joined
Jan 11, 2004
Messages
1,770
Interesting and tricky bug indeed. Scott Helme has an article at https://scotthelme.co.uk/lets-encrypt-to-revoke/ as well

downloading Scott's crawled domains affected by CAA bug
Code:
wget -4 https://raw.githubusercontent.com/ScottHelme/le-scan/master/need-renewing.txt
example of cpanel filtered domains and the ssl cert serial number in hex format
Code:
grep cpanel need-renewing.txt | tail -10
cpanel.fullfullform.com,0340bf17bc6bf791cff9704d0b48f4f0b96e
cpanel.geronlove.fi,04d2d3854d346a1a6c6f43a4e14ac91c9c02
cpanel.mcfink.com,036ab4fc5f6e8434c7cd84a89a3137c0bc33
cpanel.member.ryrawebhost.com,031bb0355dfb09a1b589d4abd6180c710c2d
cpanel.cercipenela.org.pt,036d892579637b0198acb5d51b293396e8bc
cpanel.c-psych.co.za,0369dc7fa17cd9a739efc67435fe58beb9c4
cpanel.web-previewer.co.uk,032af9d52c506ef9111305852ec7665184ba
cpanel.kreativeideas.fr,03386fa00b212134dbafc9793ac054dace79
cpanel.denizign.nl,03084954acaee675a15dd0b304f15810c4d0
cpanel.oenologycentre.com,0429b1be388ed7903ca6c36e8d599293023f
checking last domain on that filtered list
Code:
curl -XPOST -d 'fqdn=cpanel.oenologycentre.com' https://checkhost.unboundtest.com/checkhost
The certificate currently available on cpanel.oenologycentre.com needs renewal because it is affected by the Let's Encrypt CAA rechecking problem. Its serial number is 0429b1be388ed7903ca6c36e8d599293023f. See your ACME client documentation for instructions on how to renew a certificate.
my custom cert-check query for that domain which shows both ssl cert serial in decimal and hex formats
Code:
cert-check check cpanel.oenologycentre.com
oenologycentre.com|362636981809588565845614275771426799813183|Let's Encrypt|2020-05-20T19:41:17Z|["cpanel.oenologycentre.com","cpcalendars.oenologycentre.com","cpcontacts.oenologycentre.com","mail.oenologycentre.com","oenologycentre.com","webdisk.oenologycentre.com","webmail.oenologycentre.com","www.oenologycentre.com"]|NA|HTTP/2|HTTP/1.1|429B1BE388ED7903CA6C36E8D599293023F
Code:
cert-check check cpanel.oenologycentre.com | sed -e "s/|/\n/g"
oenologycentre.com
362636981809588565845614275771426799813183
Let's Encrypt
2020-05-20T19:41:17Z
["cpanel.oenologycentre.com","cpcalendars.oenologycentre.com","cpcontacts.oenologycentre.com","mail.oenologycentre.com","oenologycentre.com","webdisk.oenologycentre.com","webmail.oenologycentre.com","www.oenologycentre.com"]
NA
HTTP/2
HTTP/1.1
429B1BE388ED7903CA6C36E8D599293023F
so that domain's SSL cert still hasn't been renewed, as the hex format serial number is still the same and the expiry date of the SSL cert is older
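An offline version of the comparison eva2000 does by eye above, added here as an example (it is not eva2000's cert-check tool nor the checkhost service): it parses lines in the need-renewing.txt format, normalises serial numbers so that the list's zero-padded lowercase hex, cert-check's uppercase hex, openssl's colon-separated form and a decimal rendering all compare equal, and reports whether the serial a host currently serves is the one on the list. The two list lines are copied from the post; the fetch_served_serial helper uses only the standard library, needs network access and is not exercised by the offline checks.

```python
"""Offline check of a served certificate serial against Scott Helme's need-renewing.txt list.
Added example, not eva2000's cert-check tool. The two list lines are copied from the post."""
import socket
import ssl

# Sample in the need-renewing.txt format (domain,serial as zero-padded lowercase hex).
NEED_RENEWING = """\
cpanel.denizign.nl,03084954acaee675a15dd0b304f15810c4d0
cpanel.oenologycentre.com,0429b1be388ed7903ca6c36e8d599293023f
"""


def normalize_serial(serial, base=16):
    """Canonical lowercase hex without leading zeros, so that the list's '0429b1be...',
    cert-check's '429B1BE...' and its decimal rendering (base=10) all compare equal.
    Colon- or 0x-formatted hex, as printed by openssl or browsers, is accepted too."""
    s = serial.strip().lower().replace(":", "")
    if base == 16 and s.startswith("0x"):
        s = s[2:]
    return format(int(s, base), "x")


def parse_need_renewing(text):
    """domain -> normalized serial, ignoring blank or malformed lines."""
    affected = {}
    for line in text.splitlines():
        line = line.strip()
        if "," not in line:
            continue
        domain, serial_hex = line.split(",", 1)
        affected[domain.strip().lower()] = normalize_serial(serial_hex)
    return affected


def is_affected(domain, served_serial, affected, base=16):
    """True only while the host still serves the exact certificate on the list;
    a renewed certificate carries a new serial and stops matching."""
    listed = affected.get(domain.strip().lower())
    return listed is not None and listed == normalize_serial(served_serial, base)


def fetch_served_serial(host, port=443, timeout=5.0):
    """Serial of the certificate `host` currently serves, as getpeercert() reports it
    (uppercase hex). Requires network access; not used by the offline checks above."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["serialNumber"]


if __name__ == "__main__":
    affected = parse_need_renewing(NEED_RENEWING)
    # Serial as eva2000's cert-check printed it for this host in the post.
    print(is_affected("cpanel.oenologycentre.com", "429B1BE388ED7903CA6C36E8D599293023F", affected))
```

Matching on the serial rather than on the domain alone is what makes the check safe to re-run after a renewal: the domain stays on the static list forever, but the newly issued certificate has a different serial and is reported as not affected.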
 

Paul M

Limeade Addict
Joined
Jun 26, 2006
Messages
3,905
I have nine domains on my certificate so I ran them through the checker and all came back OK. :)
 

mysiteguy

Fanatic
Joined
Feb 20, 2007
Messages
3,028
I wonder if the hosts are doing this automatically on their end?
Generally, I would say no. Hosting packages tend to have a separate cert for each domain, so they aren't affected. Same with most other installs.
 