Blocklist Incident, November 21 2016

Between 11:30am and 4pm Pacific on November 21, 2016, a problem with the Let’s Encrypt issuance blocklist was identified, confirmed, and fixed.

The issue was initially identified by a Let’s Encrypt operations engineer during routine maintenance. A script is used to assemble a final blocklist configuration from a set of input files. The engineer was adding a suffix to the blocklist and noticed that it wasn’t being propagated to the final blocklist configuration. Further investigation confirmed a bug in the script - it incorrectly and silently failed to process a small number of blocklist entries based on a formatting characteristic. The bug has been fixed and we are reviewing policy around the code in question. Testing for the code will be improved.

While a fix was being developed, Let’s Encrypt staff worked to identify all blocks that had failed to propagate as well as any certificates that were issued for those domains. The following certificates were found to have been mis-issued by policy, though there is no sign that they were used maliciously and domain control was properly demonstrated via DV validation.

gov.ir
https://crt.sh/?id=49145557 (Revoked)
https://crt.sh/?id=17321835 (Expired)
https://crt.sh/?id=17320010 (Expired)

gov.sy
https://crt.sh/?id=24753847 (Expired)

mil
https://crt.sh/?id=31920262 (Revoked)
https://crt.sh/?id=29886368 (Revoked)
https://crt.sh/?id=52210328 (Revoked)
https://crt.sh/?id=51226007 (Revoked)
https://crt.sh/?id=48632604 (Revoked)
https://crt.sh/?id=47382849 (Revoked)
https://crt.sh/?id=47464047 (Revoked)
https://crt.sh/?id=43269410 (Revoked)
https://crt.sh/?id=43268871 (Revoked)
https://crt.sh/?id=40478677 (Revoked)
https://crt.sh/?id=36321880 (Revoked)
https://crt.sh/?id=30291839 (Revoked)
https://crt.sh/?id=25207594 (Expired)

Issuance to gov.ir and gov.sy is not allowed as these entities are sanctioned by the U.S. government and we are a U.S.-based organization. Issuance to .mil is not allowed due to contractual obligations that are reflected in our Certification Practice Statement.

All unexpired certificates have been revoked. Account contacts were notified.