[W]hen a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let’s Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let’s Encrypt.

In an FAQ page published on its website, Let's Encrypt said that it would begin revoking affected certificates at 15:00 EST on March 4, 2020. That gives users some time to figure out whether they need to actually renew their certificates or whether an unaffected version of their certificates automatically replaced their affected certificates. They can use this tool to evaluate their certificates for expiration.

News of this bug comes less than a week after Let's Encrypt announced that it had issued its billionth digital certificate.
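The recheck behaviour described in the quoted passage, modelled as an added Go example that is not Boulder's code: one function checks a single name N times, the other checks each name once. CAA lookup is simplified to a flat map with no parent-domain climbing, and all function names, domains and records are constructed for illustration.

```go
package main

import "fmt"

// caaRecords is a constructed stand-in for DNS: domain -> CAs named in its
// CAA "issue" records. No entry means no CAA records, so any CA may issue.
type caaRecords map[string][]string

// allowed reports whether ca may issue for domain under records.
func allowed(records caaRecords, domain, ca string) bool {
	issuers, ok := records[domain]
	for _, issuer := range issuers {
		if issuer == ca {
			return true
		}
	}
	return !ok // no records at all: issuance is unrestricted
}

// recheckBuggy models the described behaviour: N checks, all on one name.
func recheckBuggy(records caaRecords, names []string, ca string) []string {
	var refused []string
	for range names {
		if picked := names[0]; !allowed(records, picked, ca) {
			refused = append(refused, picked)
		}
	}
	return refused
}

// recheckFixed checks every name in the request once.
func recheckFixed(records caaRecords, names []string, ca string) []string {
	var refused []string
	for _, name := range names {
		if !allowed(records, name, ca) {
			refused = append(refused, name)
		}
	}
	return refused
}

func main() {
	// b.example added a CAA record naming another CA after it was validated.
	records := caaRecords{"b.example": {"otherca.example"}}
	names := []string{"a.example", "b.example", "c.example"}
	fmt.Println("buggy refuses:", recheckBuggy(records, names, "letsencrypt.org"))
	fmt.Println("fixed refuses:", recheckFixed(records, names, "letsencrypt.org"))
}
```

A regression test for this class of bug needs a multi-name request in which only a name other than the first has restrictive CAA records; a single-name request passes under both versions.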