Let’s Encrypt‘s CAA (Certification Authority Authorization) rechecking bug happens during the company’s CA (certificate authorities) software checks for CAA records at the same time it validates a subscriber’s control of a domain name. Let’s Encrypt officially confirmed in a blog post published on February 29th.
Notification emails were sent to affected subscribers
The company stated that in some cases they need to check CAA records a second time, just before issuance, specifically CAA needs to be checked within 8 hours prior to issuance, so any domain name that was validated more than 8 hours ago requires rechecking. The company also claimed that they halted issuance 2 minutes after the confirmation of the bug and deployed a fix and re-enabled issuance approximately two hours later.
Let’s Encrypt also announced that they have sent a notification email to affected subscribers, published a guide about the incident, and share the file that contains a list of all affected certs, sorted by account ID. Users can download this file and look up their account id to see if they are affected or not. Users will need to renew and replace it unless they have renewed it more recently than the date listed.