← Internet Security Research Group cases
Bugzilla #1619179 Certificate Problem Report

Let's Encrypt: Incomplete revocation for CAA rechecking bug

RESOLVED FIXED Internet Security Research Group
AI Summary

Let's Encrypt encountered a bug related to CAA rechecking that led to incomplete revocation of certificates. After identifying the issue, they quickly deployed a fix and communicated the situation publicly. Although they planned to revoke approximately 3 million certificates, they determined that mass revocation could cause significant disruption. Ultimately, they revoked over 2 million certificates while allowing others to expire naturally, citing the need to minimize impact on users and the web ecosystem.

Model: gpt-4o-mini Generated: 2026-06-13 21:11 UTC Confidence: 0.90
Chronology
  1. Identified bug in CAA checking code.
  2. Revocation deadline; over 2 million certificates revoked.
  3. All affected certificates expired or were revoked.
Participants
Josh Aas W. Thayer M. Nordhoff Ryan Sleevi Jacob Hoffman-Andrews
External References
Original Bugzilla Case bugzilla.mozilla.org wiki.mozilla.org community.letsencrypt.org community.letsencrypt.org
Similar Local Cases
#1577652 RESOLVED Certificate Problem Report Opened 2019-08-29 · Closed 2022-11-14 · 71% similar
Let's Encrypt: OCSP Responder Returned "Unauthorized" for Some Precertificates
AI Summary CA Owner
#1625322 RESOLVED Certificate Problem Report Opened 2020-03-26 · Closed 2023-02-22 · 66% similar
Let's Encrypt: Failure to revoke key-compromised certificates within 24 hours
AI Summary CA Owner
#1715672 RESOLVED Certificate Problem Report Opened 2021-06-10 · Closed 2023-02-22 · 65% similar
Let's Encrypt: Failure to revoke for Certificate Lifetime Incident
AI Summary CA Owner
#1648840 RESOLVED Certificate Problem Report Opened 2020-06-26 · Closed 2023-02-22 · 65% similar
Let's Encrypt: OCSP responses with no revocationReason
AI Summary CA Owner
#1715455 RESOLVED Certificate Problem Report Opened 2021-06-09 · Closed 2024-01-10 · 64% similar
Let's Encrypt: certificate lifetimes 90 days plus one second
AI Summary CA Owner
#1627614 RESOLVED Certificate Problem Report Opened 2020-04-06 · Closed 2023-02-22 · 64% similar
Let's Encrypt: Failure to revoke key-compromised certificates within 24 hours
AI Summary CA Owner
#1576789 RESOLVED Certificate Problem Report Opened 2019-08-27 · Closed 2024-05-09 · 64% similar
Let's Encrypt: 2019.08.20 Incident: Incorrect OCSP responses under certain conditions
AI Summary CA Owner
#1619047 RESOLVED Certificate Problem Report Opened 2020-02-29 · Closed 2023-02-22 · 58% similar
Let's Encrypt: CAA Rechecking bug
AI Summary CA Owner

We use only essential cookies and local browser storage for preferences and security. See our Privacy Policy for details.

Confirm action