An internal bug affected Boulder, the server software Let's Encrypt uses to validate users and their domains before issuing certificates. More specifically, the bug was in Boulder's handling of the CAA (Certificate Authority Authorization) standard: the affected CAA checks were skipped before certificates were issued.
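To make concrete what the skipped check is, here is an added example (written for this page, not Boulder's own implementation) of how a CA evaluates CAA records under RFC 8659: it climbs from the requested name toward the root to find the relevant record set, then applies the issue/issuewild rules, and it does so for every name in a request. The in-memory zone, the names lookupCAA, Authorized and UnauthorizedNames, and the sample CA identifiers are all constructed for the example; a real CA resolves CAA over DNS (with DNSSEC validation where available) and must run this check for each name before issuance.

```go
package main

import (
	"fmt"
	"strings"
)

// CAARecord is one CAA resource record (RFC 8659): flags byte, property tag, property value.
type CAARecord struct {
	Flags uint8
	Tag   string
	Value string
}

// sampleZone is a constructed, in-memory stand-in for DNS (FQDN -> CAA RRset).
// It is sample data for this example, not real zone contents.
var sampleZone = map[string][]CAARecord{
	"example.com.":     {{Tag: "issue", Value: "letsencrypt.org"}, {Tag: "issuewild", Value: ";"}},
	"sub.example.net.": {{Tag: "issue", Value: "other-ca.example"}},
}

// lookupCAA returns the "relevant RRset" for name (RFC 8659 section 3): the first
// non-empty CAA RRset found when climbing from name toward the DNS root.
func lookupCAA(zone map[string][]CAARecord, name string) []CAARecord {
	labels := strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".")
	for i := 0; i < len(labels); i++ {
		candidate := strings.Join(labels[i:], ".") + "."
		if rrs := zone[candidate]; len(rrs) > 0 {
			return rrs
		}
	}
	return nil
}

// caIdentifier returns the issuer-domain-name part of an issue/issuewild value,
// dropping any ";param=value" section. An empty identifier (";") forbids issuance.
func caIdentifier(value string) string {
	if i := strings.IndexByte(value, ';'); i >= 0 {
		value = value[:i]
	}
	return strings.ToLower(strings.TrimSpace(value))
}

// Authorized reports whether caDomain may issue a certificate for name. A name
// beginning with "*." is a wildcard request and is governed by issuewild when
// the relevant RRset has one, otherwise by issue (RFC 8659 section 4).
func Authorized(zone map[string][]CAARecord, name, caDomain string) (bool, error) {
	wildcard := strings.HasPrefix(name, "*.")
	rrs := lookupCAA(zone, strings.TrimPrefix(name, "*."))
	if rrs == nil {
		// No CAA records anywhere up the tree: CAA imposes no restriction.
		return true, nil
	}
	tag := "issue"
	for _, rr := range rrs {
		// The critical bit (0x80) on a property we do not understand means "do not issue".
		if rr.Flags&0x80 != 0 && rr.Tag != "issue" && rr.Tag != "issuewild" && rr.Tag != "iodef" {
			return false, fmt.Errorf("critical unknown CAA property %q for %s", rr.Tag, name)
		}
		if wildcard && rr.Tag == "issuewild" {
			tag = "issuewild"
		}
	}
	restricted := false
	for _, rr := range rrs {
		if rr.Tag != tag {
			continue
		}
		restricted = true
		if caIdentifier(rr.Value) == strings.ToLower(caDomain) {
			return true, nil
		}
	}
	// Records of the governing property exist but none name this CA: refuse.
	// No records of that property at all: CAA does not restrict issuance.
	return !restricted, nil
}

// UnauthorizedNames runs the CAA check for every name in a request and returns
// the names for which caDomain is not permitted to issue. A request is issuable
// only when the result is empty; each name must be checked individually.
func UnauthorizedNames(zone map[string][]CAARecord, names []string, caDomain string) []string {
	var denied []string
	for _, n := range names {
		ok, err := Authorized(zone, n, caDomain)
		if err != nil || !ok {
			denied = append(denied, n)
		}
	}
	return denied
}

func main() {
	req := []string{"www.example.com", "*.example.com", "sub.example.net", "nocaa.example.org"}
	fmt.Println("denied for letsencrypt.org:", UnauthorizedNames(sampleZone, req, "letsencrypt.org"))
}
```

Running it reports the wildcard name (blocked by the empty issuewild record) and the name delegated to another CA as denied, while a name with no CAA records anywhere up its tree is permitted, which is what CAA specifies. The point of UnauthorizedNames is that the decision is per name: a request is only issuable when every name in it passes.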

Faulty checks

According to the Let's Encrypt engineer's report, which Jacob Hoffman reposted on Bugzilla, the bug was introduced on 25 July 2019 and confirmed in February 2020. The team is continuing to investigate the matter in detail. Soon after identifying the bug, they stopped issuing certificates, and with the bug fixed, issuance resumed in just two hours.

Revoking over 3 million certificates

[Image: Let's Encrypt Issued 3 Million TLS Certificates Without Checking, Revokes Them All]