← Internet Security Research Group cases
Bugzilla #1954861 Certificate Problem Report

Let's Encrypt: Early CRL Removal Incident

RESOLVED FIXED Internet Security Research Group
AI Summary

The incident involved the early removal of two revoked certificates from Let's Encrypt's Certificate Revocation Lists (CRLs) before their expiration, violating RFC 5280, Section 3.3. This issue was identified through an internal alert and was resolved by restoring the missing entries. The root cause was a bug in the CRL partitioning logic, compounded by insufficient testing and misconfigured alerting. Let's Encrypt has since implemented corrective measures, including improved testing and monitoring protocols.

Model: gpt-4o-mini Generated: 2026-06-13 21:19 UTC Confidence: 0.95
Chronology
  1. Incident begins with detection of missing CRL entries.
  2. Fix developed and deployed.
  3. All action items completed and incident report closure requested.
Participants
Ameer Ghani chrome-root-program@google.com bwilson@mozilla.com
External References
Original Bugzilla Case www.ccadb.org crt.sh crt.sh e6.c.lencr.org e6.c.lencr.org
Similar Local Cases
#1639794 RESOLVED Certificate Problem Report Opened 2020-05-21 · Closed 2023-02-22 · 57% similar
Let's Encrypt: Failure to revoke key-compromised certificate within 24 hours
AI Summary CA Owner
#1789521 RESOLVED Certificate Problem Report Opened 2022-09-06 · Closed 2024-05-09 · 57% similar
Let's Encrypt: Certificates issued to Elliptic Curve Debian Weak Keys
AI Summary CA Owner
#1645276 RESOLVED Certificate Problem Report Opened 2020-06-12 · Closed 2023-02-22 · 57% similar
Let's Encrypt: Expired ISRG Root OCSP X1 Certificate
AI Summary CA Owner
#1853719 RESOLVED Certificate Problem Report Opened 2023-09-18 · Closed 2023-10-26 · 56% similar
Once Revoked Let's Encrypt Certificate Actively Signing Malware
AI Summary CA Owner
#1955365 RESOLVED Certificate Problem Report Opened 2025-03-20 · Closed 2025-05-19 · 56% similar
Apple: Public Key Reuse
AI Summary CA Owner
#1950574 RESOLVED Certificate Problem Report Opened 2025-02-26 · Closed 2025-09-15 · 55% similar
SECOM: S/MIME CA Modified Opinion Report of Cybertrust Japan (CTJ)
AI Summary CA Owner
#1950574 RESOLVED Certificate Problem Report Opened 2025-02-26 · Closed 2025-09-15 · 54% similar
SECOM: S/MIME CA Modified Opinion Report of Cybertrust Japan (CTJ)
AI Summary CA Owner
#1965612 RESOLVED Certificate Problem Report Opened 2025-05-10 · Closed 2026-05-04 · 54% similar
Microsoft PKI Services: Failure to Revoke in 5 Days for 1962829
AI Summary CA Owner

We use only essential cookies and local browser storage for preferences and security. See our Privacy Policy for details.

Confirm action