Mass revocation of Let's Encrypt certificates

Let's Encrypt, a non-commercial, community-controlled CA that issues certificates free of charge to anyone, has warned of the upcoming revocation of a large number of previously issued TLS/SSL certificates. Of the 116 million currently valid Let's Encrypt certificates, a little more than 3 million (2.6%) will be revoked; approximately 1 million of these are duplicates tied to the same domain (the bug mainly affected certificates that are renewed very frequently, which is why there are so many duplicates). The revocation is scheduled for March 4 (the exact time has not yet been determined, but it will not begin before 3 a.m. MSK).

The revocation is necessary because of a bug discovered on February 29. The problem has been present since July 25, 2019 and affects the system that checks CAA records in DNS. A CAA record (RFC 6844, Certification Authority Authorization) lets a domain owner explicitly specify which certification authorities may issue certificates for the domain. If a CA is not listed in the CAA records, it must refuse to issue certificates for that domain and inform the domain owner about the attempt. In most cases the certificate is requested immediately after the CAA check passes, but the result of the check is considered valid for a further 30 days. The rules also require a re-check to be performed no later than 8 hours before a new certificate is issued (i.e., if more than 8 hours have passed since the last check when a new certificate is requested, a re-check is required).

The error occurs when a certificate request covers several domain names at once, each of which requires a CAA record check. At the time of the re-check, instead of validating all the domains, only one domain from the list was re-checked (if the request contained N domains, one domain was checked N times instead of each of the N domains being checked once). For the remaining domains no second check was performed, and the data from the first check (i.e., data up to 30 days old) was used in the decision. As a result, for 30 days after the first check Let's Encrypt could issue a certificate even if the CAA record had been changed in the meantime and Let's Encrypt had been removed from the list of permitted certification authorities.
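To make the failure mode concrete, here is an added simulation of the re-check logic described above, written for this page; it is not Let's Encrypt's (Boulder's) code. It models the cached CAA result per domain, the 30-day validity window and the 8-hour re-check rule, and contrasts the buggy path (one domain, assumed here to be the first stale one, looked up N times while the other domains keep their cached result) with the corrected path (each stale domain re-queried against its current CAA record). The domains `alpha.example` and `beta.example` and the DNS contents are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Added example (not Let's Encrypt / Boulder code): a simulation of the CAA
# re-check logic described in the article, in its buggy and corrected forms.
CA_NAME = "letsencrypt.org"
CAA_VALIDITY = timedelta(days=30)   # a CAA check result may be reused for 30 days
RECHECK_AFTER = timedelta(hours=8)  # ...but must be repeated if older than 8 hours

# Constructed stand-in for DNS: domain -> set of CAs allowed by CAA "issue" records.
# None means the domain publishes no CAA record, in which case any CA may issue.
CaaDns = Dict[str, Optional[Set[str]]]


@dataclass
class Authorization:
    """Cached result of the CAA check done when the domain was first validated."""
    domain: str
    checked_at: datetime
    caa_ok: bool


def caa_allows(dns: CaaDns, domain: str, ca: str = CA_NAME) -> bool:
    allowed = dns.get(domain)
    return True if allowed is None else ca in allowed


def recheck_buggy(dns: CaaDns, authzs: List[Authorization], now: datetime) -> bool:
    """Buggy behaviour: when authorizations are older than 8 hours, the same
    domain (assumed here to be the first stale one) is queried once per stale
    authorization; every other domain's cached result is reused unchanged."""
    stale = [a for a in authzs if now - a.checked_at >= RECHECK_AFTER]
    for _ in stale:  # N look-ups of one domain instead of one look-up of each
        if not caa_allows(dns, stale[0].domain):
            return False
    # The decision for every domain still rests on the cached (up to 30-day-old) result
    return all(a.caa_ok and now - a.checked_at <= CAA_VALIDITY for a in authzs)


def recheck_fixed(dns: CaaDns, authzs: List[Authorization], now: datetime) -> bool:
    """Corrected behaviour: every domain whose result is older than 8 hours is
    re-queried against the *current* CAA record before issuance."""
    for a in authzs:
        age = now - a.checked_at
        if age > CAA_VALIDITY:
            return False                       # authorization expired outright
        if age >= RECHECK_AFTER:
            if not caa_allows(dns, a.domain):  # fresh look-up for this domain
                return False
        elif not a.caa_ok:
            return False
    return True


def scenario() -> Tuple[bool, bool]:
    """Two hypothetical domains validated together; two days later the owner of
    the second one restricts CAA to a different CA. Returns (buggy, fixed)."""
    t0 = datetime(2020, 2, 1, 12, 0)
    dns: CaaDns = {"alpha.example": {CA_NAME}, "beta.example": {CA_NAME}}
    authzs = [
        Authorization("alpha.example", t0, caa_allows(dns, "alpha.example")),
        Authorization("beta.example", t0, caa_allows(dns, "beta.example")),
    ]
    dns["beta.example"] = {"other-ca.example"}  # Let's Encrypt removed from CAA
    now = t0 + timedelta(days=2)
    return recheck_buggy(dns, authzs, now), recheck_fixed(dns, authzs, now)


if __name__ == "__main__":
    buggy, fixed = scenario()
    print(f"buggy re-check issues certificate: {buggy}")   # True  (wrong)
    print(f"fixed re-check issues certificate: {fixed}")   # False (correct)
```

The buggy path passes because the one domain it keeps re-querying is still fine, so the stale cached approval for `beta.example` is trusted even though its CAA record now names a different CA; the corrected path queries each domain individually and refuses.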

Affected users are notified by email if contact information was provided when the certificate was obtained. You can check your certificates by downloading the list of serial numbers of revoked certificates or by using the online checking service (hosted on an IP address that is blocked in the Russian Federation by Roskomnadzor). You can find the serial number of the certificate for a domain of interest with the command:

openssl s_client -connect example.com:443 -showcerts </dev/null 2>/dev/null \
| openssl x509 -text -noout | grep -A 1 'Serial Number' | tr -d :
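The serial printed by that command has to be compared with the downloaded list, and the two rarely agree on formatting (colons, letter case, a leading zero byte). The following added script, written for this page rather than taken from the article or from Let's Encrypt, extracts the serial from `openssl x509 -text` output, normalizes it and looks it up in a revoked-serial list. The certificate excerpt, the serial value and the revoked list are constructed for the example; the real list's exact format is not documented here, so the normalizer is deliberately tolerant.

```python
import re
from typing import Set

# Added example (not from the article or Let's Encrypt): normalize a serial
# number taken from `openssl x509 -text` output and compare it with a list of
# revoked serials, tolerating the usual formatting differences.

# Constructed excerpt of `openssl x509 -text -noout` output (hypothetical serial).
SAMPLE_X509_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:9f:0a:4b:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
"""

# Constructed stand-in for the downloaded list of revoked serials. Real lists
# may use upper case, colons or a leading zero, so everything is normalized.
SAMPLE_REVOKED_LIST = """\
039F0A4B112233445566778899AABBCCDDEE
04:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11
"""


def normalize_serial(raw: str) -> str:
    """Lower-case hex with separators and leading zeros removed."""
    hexdigits = re.sub(r"[^0-9a-f]", "", raw.lower())
    return hexdigits.lstrip("0") or "0"


def extract_serial(x509_text: str) -> str:
    """Pull the serial out of `openssl x509 -text` output. Large serials are
    printed on the following line as colon-separated hex; small ones inline
    as 'decimal (0xhex)'."""
    lines = x509_text.splitlines()
    for i, line in enumerate(lines):
        stripped = line.strip()
        if not stripped.startswith("Serial Number:"):
            continue
        rest = stripped[len("Serial Number:"):].strip()
        if rest:
            m = re.search(r"\(0x([0-9a-fA-F]+)\)", rest)
            return normalize_serial(m.group(1) if m else format(int(rest), "x"))
        return normalize_serial(lines[i + 1])
    raise ValueError("no Serial Number field in input")


def load_revoked(text: str) -> Set[str]:
    """One serial per line; blank lines ignored, every entry normalized."""
    return {normalize_serial(line) for line in text.splitlines() if line.strip()}


def is_revoked(x509_text: str, revoked_text: str) -> bool:
    return extract_serial(x509_text) in load_revoked(revoked_text)


if __name__ == "__main__":
    import sys
    # Usage: openssl s_client ... | openssl x509 -text -noout | python3 check.py revoked.txt
    # With no arguments and no piped input, the constructed samples are used.
    revoked = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REVOKED_LIST
    cert_text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_X509_TEXT
    serial = extract_serial(cert_text)
    print(serial, "REVOKED" if serial in load_revoked(revoked) else "not in list")
```

Normalizing both sides before comparison matters: a serial copied with colons or a leading `03` byte will otherwise silently fail to match the same value written as bare upper-case hex, and a certificate that is in fact on the revocation list would be reported as clean.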

Source: opennet.ru
