
Do you have a blog post or writeup on how you discovered that? Thanks!


This all happened less than 2 hours ago, but a quick summary is that my Certificate Transparency monitor, Cert Spotter (https://sslmate.com/certspotter) performs various sanity checks on every certificate that it observes. At 15:41 UTC today, I started getting alerts that certificates from Let's Encrypt were failing one particular check. I quickly emailed Let's Encrypt's problem reporting address, and Let's Encrypt promptly suspended issuance so they could investigate. I've lost count of how many CAs I've detected having this particular problem, so perhaps it is time to blog about it (https://www.agwa.name/blog if you're interested).


That's awesome!! I wonder if Let's Encrypt runs sanity checks before/after issuing certs too?


They "lint" certificates before issuance, as do most CAs. However, I don't think any linters check for this problem, as it requires access to more than just the certificate (the linter would need access to either the precertificate or a database of Certificate Transparency log keys).


We will add a lint to Boulder for precertificate and certificate correspondence to ensure this class of problem never happens again.

It would be nice to add this to Zlint, but we'd need a new interface that could be given both a precertificate and certificate to co-lint. Other than this one correspondence check, I'm not sure if there are any other lints that would fit that pattern.
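
The precertificate/certificate correspondence lint that the comment above proposes, as an added example: this is not Boulder's or Zlint's code and not from any commenter; it is written in Go because both of those projects are. It applies the RFC 6962 section 3.1 rule that the final certificate's TBSCertificate must be the precertificate's TBSCertificate with the poison extension removed and the SCT list extension added, and nothing else changed, so it compares the named TBS fields and then every remaining extension pairwise (same OID, criticality, DER value and order). It assumes the precertificate is signed directly by the issuing CA rather than by a Precertificate Signing Certificate, in which case the issuer comparison would need to account for the different issuer name. The CA, key pairs, names, serial number, validity dates and the SCT list bytes are constructed placeholders; the IssuePair helper stands in for a CA's issuance path and, when asked, mis-issues a final certificate whose validity silently differs from its precertificate.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Extension OIDs from RFC 6962 section 3.3.
var (
	oidCTPoison  = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3}
	oidCTSCTList = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2}
)

// stripExtension returns exts without the extension oid (order preserved) and whether it was present.
func stripExtension(exts []pkix.Extension, oid asn1.ObjectIdentifier) (rest []pkix.Extension, found bool) {
	for _, e := range exts {
		if e.Id.Equal(oid) {
			found = true
			continue
		}
		rest = append(rest, e)
	}
	return rest, found
}

// CheckCorrespondence applies the RFC 6962 section 3.1 rule: the final certificate's TBSCertificate
// must equal the precertificate's with the poison extension removed and the SCT list extension
// added, and nothing else may change. The first divergence found is reported.
func CheckCorrespondence(precert, final *x509.Certificate) error {
	pe, hadPoison := stripExtension(precert.Extensions, oidCTPoison)
	fe, _ := stripExtension(final.Extensions, oidCTSCTList)
	_, poisonLeaked := stripExtension(final.Extensions, oidCTPoison)
	checks := []struct{ msg string; ok bool }{
		{"precertificate lacks the CT poison extension", hadPoison},
		{"final certificate carries the CT poison extension", !poisonLeaked},
		{"version mismatch", precert.Version == final.Version},
		{"serialNumber mismatch", precert.SerialNumber.Cmp(final.SerialNumber) == 0},
		{"signatureAlgorithm mismatch", precert.SignatureAlgorithm == final.SignatureAlgorithm},
		{"issuer mismatch", bytes.Equal(precert.RawIssuer, final.RawIssuer)},
		{"subject mismatch", bytes.Equal(precert.RawSubject, final.RawSubject)},
		{"notBefore mismatch", precert.NotBefore.Equal(final.NotBefore)},
		{"notAfter mismatch", precert.NotAfter.Equal(final.NotAfter)},
		{"subjectPublicKeyInfo mismatch", bytes.Equal(precert.RawSubjectPublicKeyInfo, final.RawSubjectPublicKeyInfo)},
		{"extension count mismatch", len(pe) == len(fe)},
	}
	for _, c := range checks {
		if !c.ok {
			return errors.New(c.msg)
		}
	}
	// Remaining extensions must agree pairwise: same OID, criticality and DER value, in the same order.
	for i := range pe {
		if !pe[i].Id.Equal(fe[i].Id) || pe[i].Critical != fe[i].Critical || !bytes.Equal(pe[i].Value, fe[i].Value) {
			return fmt.Errorf("extension %v mismatch", pe[i].Id)
		}
	}
	return nil
}

// issue signs tmpl with key under parent and parses the result back.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// IssuePair stands in for a CA's issuance path (constructed for this example): a throwaway P-256 CA
// signs a precertificate (critical poison extension, value NULL) and the matching final certificate
// (SCT list extension) from one end-entity template. With tamper set, the final certificate is
// deliberately given one extra day of validity, the kind of silent divergence the check must catch.
func IssuePair(tamper bool) (precert, final *x509.Certificate, err error) {
	// crypto/rand does not fail on supported platforms, so the key-generation errors are ignored here.
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC), NotAfter: time.Date(2034, 1, 1, 0, 0, 0, 0, time.UTC),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{ // constructed end-entity profile shared by both certificates
		SerialNumber: big.NewInt(0x2af1c9), Subject: pkix.Name{CommonName: "example.test"},
		DNSNames:  []string{"example.test", "www.example.test"},
		NotBefore: time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC), NotAfter: time.Date(2024, 8, 30, 0, 0, 0, 0, time.UTC),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCTPoison, Critical: true, Value: asn1.NullBytes}}
	if precert, err = issue(tmpl, ca, &leafKey.PublicKey, caKey); err != nil {
		return nil, nil, err
	}
	// Opaque placeholder for the TLS-encoded SCT list; a real CA embeds the SCTs the logs returned.
	sctList, _ := asn1.Marshal([]byte{0xde, 0xad, 0xbe, 0xef})
	tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCTSCTList, Value: sctList}}
	if tamper {
		tmpl.NotAfter = tmpl.NotAfter.Add(24 * time.Hour)
	}
	final, err = issue(tmpl, ca, &leafKey.PublicKey, caKey)
	return precert, final, err
}
```

A linter run this way needs the precertificate alongside the final certificate, which is exactly why a single-certificate linter cannot express the check: the poison extension is critical and unrecognised, so an ordinary X.509 parser (Go's included) flags the precertificate as carrying an unhandled critical extension, while the final certificate parses cleanly and looks well-formed on its own. Comparing the parsed fields rather than re-encoding a TBSCertificate keeps the check independent of the encoder, but it means extension order is compared strictly; that is what RFC 6962 demands, since a reordering changes the TBS bytes.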


Are these linters open source?


Yup, the two most popular are:

https://github.com/zmap/zlint

https://github.com/certlint/certlint

They each have their strengths and weaknesses, so CAs are advised to use both.


This is why I will always love Hacker News. Thank you.


Curious people contributing to the ongoing functioning of critical systems at scale. Thank you for your effort!

https://xkcd.com/2347/


I would love to read a blog of yours with more information.


This is so awesome. Thank you for sharing. I hope you do write about that problem. I'd love to learn something new.


I will also throw out a quick vote that I'd be interested in reading a blog post about it.



