On 2024-09-27 at 19:30 UTC, Let’s Encrypt Policy Management Authority (PMA) discovered a conflict between two sections of v5.3 of our combined CP/CPS.
Section 3.1.2 states:
ISRG certificates include a "Subject" field which identifies the subject entity (i.e. organization or FQDN). The subject entity is identified using a distinguished name.
Section 7.1 states that our Subscriber Certificates' Subject Distinguished Name is of the form:
CN=none, or one of the values from the Subject Alternative Name extension
In 2023, Let’s Encrypt changed both our code (Boulder) and our policy (the Section 7.1 quoted above) to allow issuing certificates with no Common Name, as recommended by Section 7.1.2.7.2 of the Baseline Requirements. At that time, we missed Section 3.1.2's conflicting statements about the Subject field.
Upon confirming this conflict, we disabled certificate issuance at 20:19 UTC, published an updated CP/CPS at 20:32 UTC, and re-enabled certificate issuance at 20:38 UTC. We are currently gathering data for affected serials and will revoke all unexpired affected certificates within 5 days. We will provide a full incident report on or before Friday, 2024-10-04.
The Bugzilla report is located at 1921573 - Let's Encrypt: No Meaningful Subject Distinguished Name