Peter Bowen recently created a certlint tool [1] to check certificates for 
CA/Browser Forum Baseline Requirements compliance. Thanks Peter!

Using this tool we uncovered a number of Let's Encrypt certificates that are 
not compliant with RFC 5280. There were two issues:

1) Let's Encrypt was not properly disallowing the "-" character at the ends of 
DNS labels (RFC 1035, page 8 [2], as required by RFC 5280, page 36 [3]).

2) Let's Encrypt was allowing CN (Common Name) fields to contain domain names 
longer than 64 characters (RFC 5280, page 124 [4]).

Both of these issues [5][6] have been fixed in production.
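As an added illustration (not part of the original post or of the Let's Encrypt code base), the following Python lint reproduces the two checks described above on constructed names: the RFC 1035 rule that a DNS label must not begin or end with "-", and the RFC 5280 upper bound of 64 characters for the CN attribute. The label regex and the wildcard handling are assumptions of this example, not a quotation of either RFC.

```python
import re

# RFC 5280 ub-common-name: the CN attribute is limited to 64 characters.
MAX_CN_LENGTH = 64
# Assumed RFC 1035 label shape: letters/digits, optional interior hyphens,
# 1..63 characters, never starting or ending with "-".
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def lint_dns_name(name):
    """Return a list of findings for one dNSName value (empty list = clean)."""
    findings = []
    labels = name.split(".")
    for index, label in enumerate(labels):
        # Assumption: a single leading "*" label is tolerated as a wildcard.
        if index == 0 and label == "*" and len(labels) > 1:
            continue
        if not label:
            findings.append("%r: empty label" % name)
        elif label.startswith("-") or label.endswith("-"):
            # The check the post says Let's Encrypt was missing.
            findings.append("%r: label %r begins or ends with '-'" % (name, label))
        elif len(label) > 63:
            findings.append("%r: label %r longer than 63 octets" % (name, label))
        elif not LABEL_RE.match(label):
            findings.append("%r: label %r has invalid characters" % (name, label))
    return findings


def lint_common_name(cn):
    """Apply the dNSName checks to the CN and enforce the 64-character bound."""
    findings = lint_dns_name(cn)
    if len(cn) > MAX_CN_LENGTH:
        findings.append("%r: CN is %d characters, exceeds %d"
                        % (cn, len(cn), MAX_CN_LENGTH))
    return findings


def lint_certificate_names(cn, dns_names):
    """Lint a certificate's CN and its dNSName SAN entries together."""
    findings = lint_common_name(cn)
    for name in dns_names:
        findings.extend(lint_dns_name(name))
    return findings


if __name__ == "__main__":
    # Constructed sample: one bad label, one over-long CN, one clean SAN.
    sample_cn = "a" * 53 + ".example.com"  # 65 characters
    for line in lint_certificate_names(sample_cn, ["example.com", "foo-.example.com"]):
        print(line)
```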

The following certificates were revoked today, February 29, 2016:

dev-security-policy mailing list
