- Bug Letsencrypt CAA By G666h05t & AnonGhost Indonesia
- According to Let's Encrypt's announcement, when a certificate request contained N domain names that required CAA rechecking, Boulder (the CA software) would pick one domain name and check it N times instead of checking each name once.
- In practice, this means that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let's Encrypt to issue, that subscriber could obtain a certificate containing that domain name until X + 30 days, even if someone later set up CAA records for the domain that prohibit issuance by Let's Encrypt.
- This bug was confirmed by the Let's Encrypt team on February 29, 2020.
- 1) Let's take a look at how to check whether a website's domain is affected by the Let's Encrypt CAA rechecking vulnerability.
- How to check whether your domain is affected by the Let's Encrypt CAA rechecking bug
- To check whether your domain is affected by the CAA rechecking bug, run the following on any Unix-like system:
- $ curl -XPOST -d 'fqdn=www.example.com' https://unboundtest.com/caaproblem/checkhost
- 2) Replace www.example.com with your domain name.
- 3) If you see output like the following, your domain is not affected:
- The certificate currently available on www.example.com is OK. It is not one of the certificates affected by the Let's Encrypt CAA rechecking problem. Its serial number is 0fd078dd48f1a2bd4d0f2ba96b6038fe0000
- If your domain is affected, the message will look like this:
- The certificate currently available on www.example.com needs renewal because it is affected by the Let's Encrypt CAA rechecking problem. Its serial number is 0fd078dd48f1a2bd4d0f2ba96b6038fe0000. See your ACME client documentation for instructions on how to renew a certificate.
- Alternatively, you can use the following online tool to check whether your domain is affected.
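As an added example that is not part of the original paste, here is a POSIX shell helper that submits every domain in an inventory to the checker quoted above and turns each reply into a status word, so a whole fleet of hosts can be reviewed for certificates that need renewal. The endpoint URL and the two response messages are the ones shown on this page; the function names, the status words and the tab-separated report format are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original paste): batch-check domains against the
# unboundtest.com CAA-problem endpoint and classify each reply.

CHECK_URL="https://unboundtest.com/caaproblem/checkhost"

# Constructed sample replies, copied from the two messages quoted in the paste.
SAMPLE_OK="The certificate currently available on www.example.com is OK. It is not one of the certificates affected by the Let's Encrypt CAA rechecking problem. Its serial number is 0fd078dd48f1a2bd4d0f2ba96b6038fe0000"
SAMPLE_AFFECTED="The certificate currently available on www.example.com needs renewal because it is affected by the Let's Encrypt CAA rechecking problem. Its serial number is 0fd078dd48f1a2bd4d0f2ba96b6038fe0000. See your ACME client documentation for instructions on how to renew a certificate."

# Fetch the checker's verdict for one FQDN (needs network access).
fetch_verdict() {
  curl -sS -XPOST -d "fqdn=$1" "$CHECK_URL"
}

# Map a reply body to one of: affected, ok, unknown (assumed status words).
classify_verdict() {
  case "$1" in
    *"needs renewal"*"CAA rechecking problem"*) echo affected ;;
    *"is OK"*"not one of the certificates affected"*) echo ok ;;
    *) echo unknown ;;
  esac
}

# Print the certificate serial number named in the reply, or nothing.
extract_serial() {
  printf '%s\n' "$1" | sed -n 's/.*serial number is \([0-9a-fA-F]*\).*/\1/p'
}

# Read FQDNs from stdin (one per line) and print "fqdn<TAB>status<TAB>serial".
check_domains() {
  while IFS= read -r fqdn; do
    [ -n "$fqdn" ] || continue
    body=$(fetch_verdict "$fqdn")
    printf '%s\t%s\t%s\n' "$fqdn" "$(classify_verdict "$body")" "$(extract_serial "$body")"
  done
}

# Usage: printf 'www.example.com\n' | check_domains
```

Any line whose status is "affected" identifies a certificate that should be renewed with your ACME client before its remaining validity runs out.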
- Find US on telegram : t.me/AnonGhostid