Closed Bug 1446080 Opened 2 years ago Closed 2 years ago
Let's Encrypt: Improper encoding of wildcard certificates
Josh Aas posted the following incident report to mozilla.dev.security.policy:

During final tests for the general availability of wildcard certificate support, the Let's Encrypt operations team issued six test wildcard certificates under our publicly trusted root:

https://crt.sh/?id=353759994
https://crt.sh/?id=353758875
https://crt.sh/?id=353757861
https://crt.sh/?id=353756805
https://crt.sh/?id=353755984
https://crt.sh/?id=353754255

These certificates contain a subject common name that includes a "*." label encoded as an ASN.1 PrintableString, which does not allow the asterisk character, violating RFC 5280. We became aware of the problem on 2018-03-13 at 00:43 UTC via the linter flagging in crt.sh [1]. All six certificates have been revoked.

The root cause of the problem is a Go language bug [2] which has been resolved in Go v1.10 [3], which we were already planning to deploy soon. We will resolve the issue by upgrading to Go v1.10 before proceeding with our wildcard certificate launch plans.

We employ a robust testing infrastructure but there is always room for improvement and sometimes bugs slip through our pre-production tests. We're fortunate that the PKI community has produced some great testing tools that sometimes catch things we don't. In response to this incident we are planning to integrate additional tools into our testing infrastructure and improve our test coverage of multiple Go versions.

[1] https://crt.sh/
[2] https://github.com/golang/go/commit/3b186db7b4a5cc510e71f90682732eba3df72fd3
[3] https://golang.org/doc/go1.10#encoding/asn1
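The check that caught these certificates, written out as an added example in Go (this is not Boulder's code nor the linter crt.sh runs): a value tagged PrintableString is only valid if every character is in the PrintableString alphabet, which has no asterisk. The DER bytes for the mis-encoded common name are constructed by hand here, since the Go 1.10+ encoder no longer produces them; the name "*.example.com" is a placeholder, not one of the six certificates.

```go
package main

import (
	"encoding/asn1"
	"fmt"
)

// isPrintableString reports whether every byte of s belongs to the ASN.1
// PrintableString alphabet: letters, digits, space and ' ( ) + , - . / : = ?
// The asterisk is not in it, so "*.label" may not be carried as PrintableString.
func isPrintableString(s string) bool {
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case 'a' <= c && c <= 'z', 'A' <= c && c <= 'Z', '0' <= c && c <= '9':
		case c == ' ', c == '\'', c == '(', c == ')', c == '+', c == ',',
			c == '-', c == '.', c == '/', c == ':', c == '=', c == '?':
		default:
			return false
		}
	}
	return true
}

// LintDERString decodes one DER string value and reports the RFC 5280
// violation described in the incident: a PrintableString tag (0x13) whose
// contents fall outside the PrintableString alphabet.
func LintDERString(der []byte) error {
	var rv asn1.RawValue
	rest, err := asn1.Unmarshal(der, &rv)
	if err != nil {
		return err
	}
	if len(rest) != 0 {
		return fmt.Errorf("trailing %d bytes after value", len(rest))
	}
	if rv.Tag == asn1.TagPrintableString && !isPrintableString(string(rv.Bytes)) {
		return fmt.Errorf("PrintableString %q contains characters outside its alphabet", rv.Bytes)
	}
	return nil
}

// BuggyEncoding is a constructed sample: PrintableString, length 13, "*.example.com",
// i.e. the encoding the pre-1.10 Go encoder emitted for a wildcard common name.
var BuggyEncoding = append([]byte{0x13, 0x0d}, "*.example.com"...)

func main() {
	fmt.Println("hand-built PrintableString:", LintDERString(BuggyEncoding))
	fixed, _ := asn1.Marshal("*.example.com") // Go 1.10+ emits UTF8String (tag 12)
	fmt.Printf("Go encoder tag %d, lint result: %v\n", fixed[0], LintDERString(fixed))
}
```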
The discussion thread for this issue is https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/wqySoetqUFM

Jacob described the following action item: integrate GlobalSign's certlint and/or zlint into our existing cert-checker pipeline.

Please provide a date for completing this action, and update this bug when the action has been completed.
Assignee: wthayer → jaas
The work to integrate certlint was completed and merged into our testing on March 15: https://github.com/letsencrypt/boulder/pull/3550
It appears that all actions have been completed, so I am marking this resolved.
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED