← Internet Security Research Group cases
Bugzilla #1752670 Certificate Misissuance

Let's Encrypt: TLS Using ALPN Allows Additional Identifiers in Challenge Certificate

RESOLVED FIXED Internet Security Research Group
AI Summary

Let's Encrypt encountered a compliance issue with the TLS-ALPN-01 challenge method, leading to the issuance of a certificate that included non-compliant Subject Alternative Names (SAN). Specifically, the SAN contained an IP address alongside the required dNSName, violating RFC 8737. Upon discovery, the certificate was revoked, and a fix was implemented to prevent future occurrences. All affected certificates were identified and revoked within five days of the incident.

Model: gpt-4o-mini Generated: 2026-06-13 21:16 UTC Confidence: 1.00
Chronology
  1. Bug report received; initial response and investigation began.
  2. Fix deployed to production environment.
  3. All affected certificates revoked.
Participants
Jillian Karner Aaron Wilson
External References
Original Bugzilla Case github.com bugzilla.mozilla.org
Similar Local Cases
#1735247 RESOLVED Certificate Misissuance Opened 2021-10-11 · Closed 2023-02-22 · 60% similar
Let's Encrypt: Mis-issued certificates related to SC48v2
AI Summary CA Owner
#2038351 ASSIGNED Certificate Misissuance Opened 2026-05-08 Still Open · 54% similar
Let's Encrypt: Gen Y Cross-Certified Subordinate CAs missing serverAuth EKU
AI Summary CA Owner
#1319609 RESOLVED Certificate Misissuance Opened 2016-11-23 · Closed 2023-02-22 · 50% similar
Let's Encrypt: certs issued contrary to CPS due to incomplete blocklist
AI Summary CA Owner
#1398427 RESOLVED Certificate Misissuance Opened 2017-09-09 · Closed 2023-02-22 · 48% similar
Let's Encrypt: CAA Misissuances
AI Summary CA Owner
#1414039 RESOLVED Certificate Misissuance Opened 2017-11-02 · Closed 2024-05-09 · 48% similar
Let's Encrypt: Attacker-controlled google.tg certificate being used in the wild.
AI Summary CA Owner
#1914020 RESOLVED Certificate Misissuance Opened 2024-08-20 · Closed 2024-09-13 · 45% similar
SwissSign: S/MIME NCP non ASCII symbols in email and SAN field wrong coding
AI Summary CA Owner
#1462423 RESOLVED Certificate Misissuance Opened 2018-05-17 · Closed 2023-02-22 · 45% similar
NetLock: CN not in SAN
AI Summary CA Owner
#1706860 RESOLVED Certificate Misissuance Opened 2021-04-22 · Closed 2023-02-22 · 45% similar
Microsoft PKI Services: Certificate Mis-Issuance, DNSName is not FQDN, Preferred Name Syntax
AI Summary CA Owner

We use only essential cookies and local browser storage for preferences and security. See our Privacy Policy for details.

Confirm action