Closed Bug 1446080 Opened 2 years ago Closed 2 years ago

Let's Encrypt: Improper encoding of wildcard certificates


(NSS :: CA Certificate Compliance, task)




(Reporter: wayne, Assigned: jaas, NeedInfo)


(Whiteboard: [ca-compliance])

Josh Aas posted the following incident report to

During final tests for the general availability of wildcard certificate support, the Let's Encrypt operations team issued six test wildcard certificates under our publicly trusted root:

These certificates contain a subject common name that includes a “*.” label encoded as an ASN.1 PrintableString, which does not allow the asterisk character, violating RFC 5280.

We became aware of the problem on 2018-03-13 at 00:43 UTC via the linter flagging in [1]. All six certificates have been revoked.

The root cause of the problem is a Go language bug [2] which has been resolved in Go v1.10 [3], which we were already planning to deploy soon. We will resolve the issue by upgrading to Go v1.10 before proceeding with our wildcard certificate launch plans.

We employ a robust testing infrastructure but there is always room for improvement and sometimes bugs slip through our pre-production tests. We’re fortunate that the PKI community has produced some great testing tools that sometimes catch things we don’t. In response to this incident we are planning to integrate additional tools into our testing infrastructure and improve our test coverage of multiple Go versions.



The discussion thread for this issue is!topic/

Jacob described the following action item: integrate GlobalSign's certlint and/or zlint into our existing cert-checker pipeline

Please provide a date for completing this action, and update this bug when the action has been completed.
Assignee: wthayer → jaas
Flags: needinfo?(mozilla.20.jsha)
Whiteboard: [ca-compliance]
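An added example, not code from this bug, from Let's Encrypt or from certlint/zlint, of the kind of check the action item above asks for: it walks a DER subject, returns the ASN.1 tag the encoder chose for commonName, and flags a PrintableString whose text contains characters outside the PrintableString alphabet. `BadSubject` is a constructed byte string shaped like the mis-encoded subject the report describes; `GoSubject` encodes a `pkix.Name` the way crypto/x509 does when it builds a certificate, so the running toolchain's choice can be inspected (Go 1.10 and later emit a UTF8String for a wildcard CN). All function names and the `*.example.com` value are this example's own.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"runtime"
)

// IsPrintableString reports whether s uses only the X.680 PrintableString
// alphabet: letters, digits, space and ' ( ) + , - . / : = ?
// '*' is not in that set, so a "*." label in a PrintableString CN breaks RFC 5280.
func IsPrintableString(s string) bool {
	for _, r := range s {
		switch {
		case 'a' <= r && r <= 'z', 'A' <= r && r <= 'Z', '0' <= r && r <= '9':
		case r == ' ', r == '\'', r == '(', r == ')', r == '+', r == ',',
			r == '-', r == '.', r == '/', r == ':', r == '=', r == '?':
		default:
			return false
		}
	}
	return true
}

var oidCommonName = asn1.ObjectIdentifier{2, 5, 4, 3} // id-at-commonName

// Value stays a RawValue so the tag the encoder chose remains visible;
// decoding into a Go string would hide it (Go's parser tolerates '*' there).
type attributeTypeAndValue struct {
	Type  asn1.ObjectIdentifier
	Value asn1.RawValue
}

// CommonNameTag walks a DER Name (SEQUENCE OF SET OF AttributeTypeAndValue)
// and returns the universal tag and text of the first commonName value.
func CommonNameTag(rawSubject []byte) (tag int, cn string, err error) {
	var rdns []asn1.RawValue
	if _, err := asn1.Unmarshal(rawSubject, &rdns); err != nil {
		return 0, "", err
	}
	for _, rdn := range rdns {
		var atvs []attributeTypeAndValue
		if _, err := asn1.UnmarshalWithParams(rdn.FullBytes, &atvs, "set"); err != nil {
			return 0, "", err
		}
		for _, atv := range atvs {
			if atv.Type.Equal(oidCommonName) {
				return atv.Value.Tag, string(atv.Value.Bytes), nil
			}
		}
	}
	return 0, "", errors.New("subject has no commonName")
}

// CheckCommonNameEncoding is the lint rule this incident needed: a commonName
// tagged PrintableString must contain only PrintableString characters.
func CheckCommonNameEncoding(rawSubject []byte) error {
	tag, cn, err := CommonNameTag(rawSubject)
	if err != nil {
		return err
	}
	if tag == asn1.TagPrintableString && !IsPrintableString(cn) {
		return fmt.Errorf("commonName %q tagged PrintableString contains characters outside that alphabet", cn)
	}
	return nil
}

// BadSubject is a constructed DER subject shaped like the ones in the report:
// SEQUENCE { SET { SEQUENCE { OID 2.5.4.3, PrintableString "*.example.com" } } }
var BadSubject = []byte{
	0x30, 0x18, 0x31, 0x16, 0x30, 0x14, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x0d,
	'*', '.', 'e', 'x', 'a', 'm', 'p', 'l', 'e', '.', 'c', 'o', 'm',
}

// GoSubject encodes cn the way crypto/x509 does when it issues a certificate
// (asn1.Marshal of the pkix.Name's RDN sequence) using the running toolchain.
func GoSubject(cn string) ([]byte, error) {
	return asn1.Marshal(pkix.Name{CommonName: cn}.ToRDNSequence())
}

func main() {
	fmt.Println("constructed subject:", CheckCommonNameEncoding(BadSubject))
	subj, err := GoSubject("*.example.com") // constructed sample name
	if err != nil {
		panic(err)
	}
	tag, _, _ := CommonNameTag(subj)
	fmt.Printf("%s tags the CN as %d (UTF8String=%d), check: %v\n",
		runtime.Version(), tag, asn1.TagUTF8String, CheckCommonNameEncoding(subj))
}
```

The check deliberately reads the attribute value as a raw TLV rather than letting `encoding/asn1` decode it into a string: the parser side is lenient about an asterisk in a PrintableString for compatibility with existing certificates, so a decode-then-inspect approach would pass exactly the certificates a linter must catch.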
The work to integrate certlint was completed and merged into our testing on March 15:
It appears that all actions have been completed, so I am marking this resolved.
Closed: 2 years ago
Resolution: --- → FIXED