During final tests for the general availability of wildcard certificate support, the Let’s Encrypt operations team issued six test wildcard certificates under our publicly trusted root:
https://crt.sh/?id=353759994
https://crt.sh/?id=353758875
https://crt.sh/?id=353757861
https://crt.sh/?id=353756805
https://crt.sh/?id=353755984
https://crt.sh/?id=353754255
These certificates contain a subject common name that includes a “*.” label encoded as an ASN.1 PrintableString, which does not allow the asterisk character, violating RFC 5280.
We became aware of the problem on 2018-03-13 at 00:43 UTC via the linter flagging in crt.sh. All six certificates have been revoked.
The root cause of the problem is a Go language bug which has been resolved in Go v1.10, which we were already planning to deploy soon. We will resolve the issue by upgrading to Go v1.10 before proceeding with our wildcard certificate launch plans.
We employ a robust testing infrastructure but there is always room for improvement and sometimes bugs slip through our pre-production tests. We’re fortunate that the PKI community has produced some great testing tools that sometimes catch things we don’t. In response to this incident we are planning to integrate additional tools into our testing infrastructure and improve our test coverage of multiple Go versions.