TrustAsia Revoked 143 Certificates Following LiteSSL ACME Service Vulnerability

TrustAsia has revoked 143 SSL/TLS certificates following the discovery of a vulnerability in its LiteSSL ACME service. The flaw allowed for the improper reuse of domain validation data across different ACME accounts, prompting an immediate suspension of issuance services and a subsequent mass revocation of affected certificates.

The incident, tracked under Mozilla Bugzilla ticket #2011713, was triggered by a community report received on January 21, 2026. The vulnerability specifically impacted certificates issued via the ACME protocol after December 29, 2025.

Technical Root Cause and Impact

The core issue stemmed from a logic error in the LiteSSL ACME service's handling of Authorization objects. Investigations revealed that “Authorization data was reused across different ACME accounts,” effectively bypassing the requirement that domain validation be performed separately for each account context.

While community speculation initially suggested the issue might be related to External Account Binding (EAB) assignments in the database, TrustAsia clarified that their architecture maintains a strict one-to-one mapping between ACME Accounts and EABs.

Incident Scope:

  • Total Certificates Impacted: 143
  • Affected Protocol: ACME (Automated Certificate Management Environment)
  • Vulnerable Period: Issuance dates post-2025-12-29
  • Status: All affected certificates have been revoked; the service is patched and online.

The following timeline outlines the response actions taken by TrustAsia on January 21, 2026 (Times in UTC+8).

Time   | Event Description
-------+---------------------------------------------------------------------------------------
14:55  | Compliance team received a report (via V2EX) regarding domain validation reuse.
15:10  | Preliminary confirmation of the issue; ACME issuance service suspended.
15:30  | Impact scope confirmed; investigation into specific certificates began.
15:33  | Revocation initiated for the two specific certificates mentioned in the initial report.
21:00  | Code fix completed and validated in the test environment.
21:21  | Identification of all 143 affected certificates completed; batch revocation initiated.
21:30  | Revocation completed for the 140 remaining valid certificates (3 were previously revoked).
21:41  | Patched code deployed to the production environment.
22:35  | Reset of all ACME Authorizations from VALID to REVOKED, forcing client re-validation.
23:00  | External ACME issuance service fully restored.

This incident violates the CA/Browser Forum Baseline Requirements (TLS BR Version 2.2.2), specifically Section 3.2.2.4, which mandates that the Certificate Authority must validate each Fully-Qualified Domain Name (FQDN) prior to issuance.

TrustAsia has stated that a Full Incident Report will be released to the Mozilla Bugzilla thread, which will include a more detailed root cause analysis and the definitive start date of the non-compliance.

All ACME Authorizations in the production environment were reset to REVOKED status to prevent any lingering invalid authorizations from being used for new issuance.
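The following added example (not TrustAsia's code; class and field names are assumed) illustrates the root-cause pattern described above and the remediation step from the timeline: an authorization cache that looks up valid authorizations by FQDN alone lets a second account skip validation, whereas scoping the lookup to (account, FQDN) closes the gap, and a bulk reset to REVOKED forces every client to re-validate.

```python
from dataclasses import dataclass


@dataclass
class Authorization:
    account_id: str   # ACME account that completed the challenge
    identifier: str   # FQDN that was validated
    status: str       # "pending", "valid" or "revoked"


class AuthzStore:
    """Toy in-memory ACME authorization store, constructed for illustration."""

    def __init__(self) -> None:
        self._by_domain = {}    # weak index: keyed by FQDN only
        self._by_account = {}   # correct index: keyed by (account_id, FQDN)

    def record_valid(self, account_id: str, fqdn: str) -> Authorization:
        authz = Authorization(account_id, fqdn, "valid")
        self._by_domain[fqdn] = authz
        self._by_account[(account_id, fqdn)] = authz
        return authz

    def lookup_vulnerable(self, account_id: str, fqdn: str):
        # Bug pattern: any valid authz for the domain is reused, the
        # requesting account is never compared with the one that validated.
        authz = self._by_domain.get(fqdn)
        return authz if authz and authz.status == "valid" else None

    def lookup_fixed(self, account_id: str, fqdn: str):
        # Fix: the authorization is only reusable by the account that owns it.
        authz = self._by_account.get((account_id, fqdn))
        return authz if authz and authz.status == "valid" else None

    def revoke_all(self) -> int:
        # Remediation: flip every VALID authorization to REVOKED so that no
        # previously cached validation can be used for new issuance.
        count = 0
        for authz in self._by_account.values():
            if authz.status == "valid":
                authz.status = "revoked"
                count += 1
        return count


def can_skip_validation(store: AuthzStore, account_id: str, fqdn: str,
                        fixed: bool = True) -> bool:
    """True if the CA would issue without running a fresh domain validation."""
    lookup = store.lookup_fixed if fixed else store.lookup_vulnerable
    return lookup(account_id, fqdn) is not None
```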
