TrustAsia has revoked 143 SSL/TLS certificates following the discovery of a critical vulnerability in its LiteSSL ACME service.
The flaw, disclosed on January 21, 2026, permitted the reuse of domain validation data across different ACME accounts, allowing unauthorized certificate issuance for domains that were validated by other users.
The vulnerability violated the CA/Browser Forum Baseline Requirements (TLS BR Version 2.2.2, Section 3.2.2.4), which mandates unique domain validation for each certificate issuance.
The core issue stemmed from a logic error in how LiteSSL’s ACME service handled Authorization objects.
The service failed to verify whether a Certificate Signing Request (CSR) originated from the same ACME account that performed the initial validation, as reported by Mozilla.
This lapse allowed attackers to hijack the issuance process and obtain wildcard certificates for arbitrary domains without re-triggering DNS-01 challenges.
Additionally, researchers discovered that LiteSSL maintained an excessively prolonged cache for DNS-01 validation challenges, extending the exploitation window significantly.
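The following toy issuer is an added illustration (not TrustAsia's or LiteSSL's code) of the two defects described above: an authorization lookup keyed on the domain alone, beside a hardened finalize step that binds each authorization to the ACME account that completed the DNS-01 challenge, rejects revoked or stale authorizations, and maps a wildcard name to its base identifier. The cache lifetime, account identifiers and method names are assumptions for the example.

```python
from dataclasses import dataclass


@dataclass
class Authorization:
    domain: str          # identifier that passed DNS-01 (base name for a wildcard)
    account_id: str      # ACME account whose key completed the challenge
    status: str          # "valid" or "revoked"
    validated_at: float  # time (seconds) the DNS-01 record was confirmed


def base_identifier(name: str) -> str:
    # "*.example.com" is authorized through the DNS-01 record for example.com
    return name[2:] if name.startswith("*.") else name


class Issuer:
    def __init__(self, max_auth_age: float):
        self.max_auth_age = max_auth_age               # assumed cache lifetime, seconds
        self.auths: dict[str, Authorization] = {}      # keyed by identifier only

    def complete_dns01(self, domain: str, account_id: str, now: float) -> None:
        self.auths[domain] = Authorization(domain, account_id, "valid", now)

    def revoke_all(self) -> None:
        # The remediation step from the article: every account must re-validate
        for auth in self.auths.values():
            auth.status = "revoked"

    def finalize_vulnerable(self, csr_names: list[str], account_id: str, now: float) -> bool:
        # Defect: only asks "is there a valid authz for this domain?", never
        # "does it belong to the account submitting the CSR?"
        for name in csr_names:
            auth = self.auths.get(base_identifier(name))
            if auth is None or auth.status != "valid":
                return False
        return True

    def finalize_hardened(self, csr_names: list[str], account_id: str, now: float) -> tuple[bool, str]:
        # The CSR's account must own a valid, recent authorization for every name
        for name in csr_names:
            auth = self.auths.get(base_identifier(name))
            if auth is None or auth.status != "valid":
                return False, f"no valid authorization for {name}"
            if auth.account_id != account_id:
                return False, f"authorization for {name} belongs to another account"
            if now - auth.validated_at > self.max_auth_age:
                return False, f"authorization for {name} is older than the allowed window"
        return True, "ok"
```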
| Field | Value |
|---|---|
| Certificate Authority | TrustAsia |
| Affected Service | LiteSSL ACME |
| Vulnerability Type | Domain Validation Reuse / Authorization Bypass |
| Certificates Impacted | 143 total (140 revoked, 3 previously revoked) |
| Issuance Period | After December 29, 2025 |
| Protocol | ACME (DNS-01 challenge) |
All 143 affected certificates were issued via the ACME protocol after December 29, 2025. Upon confirming the vulnerability, TrustAsia immediately suspended ACME issuance services and initiated a comprehensive system remediation.
Within hours, the company completed code fixes, deployed patches to production, and revoked 140 still-valid certificates; three had been previously revoked.
TrustAsia reset all ACME Authorizations in production from VALID to REVOKED status, forcing clients to perform re-validation before resuming certificate issuance.
The incident constitutes non-compliance with CA/Browser Forum requirements. TrustAsia has committed to publishing a comprehensive Full Incident Report detailing root cause analysis and the precise non-compliance start date.
Incident Timeline and Technical Data
| Time (UTC+8) | Event | Details |
|---|---|---|
| 14:55 | Report Received | Community report via V2EX flagged domain validation reuse issue |
| 15:10 | Preliminary Confirmation | Issue confirmed; ACME issuance service suspended immediately |
| 15:30 | Scope Investigation | Impact scope identified; certificate investigation began |
| 15:33 | Initial Revocation | Two certificates from community report revoked |
| 21:00 | Code Fix Completed | Fix validated successfully in test environment |
| 21:21 | Full Scope Identified | All 143 affected certificates identified; batch revocation initiated |
| 21:30 | Revocation Completed | 140 valid certificates revoked (3 previously revoked) |
| 21:41 | Production Deployment | Patched code deployed to production environment |
| 22:35 | Authorization Reset | All ACME Authorizations reset from VALID to REVOKED; re-validation requested |
| 22:50 | Internal Validation | Production environment validation completed successfully |
| 23:00 | Service Restored | External ACME issuance service fully restored |
TrustAsia demonstrated rapid incident response by containing the vulnerability within 8 hours of discovery and fully remediating the service.
Organizations that issued certificates via LiteSSL ACME between December 29, 2025, and January 21, 2026, should verify certificate status and prepare for potential re-issuance requirements.
The incident underscores the critical importance of proper account context validation in ACME implementations and the necessity of strict separation between user domains during certificate validation workflows.