LiteSSL, a complimentary wildcard certificate authority under the aegis of TrustAsia, was recently found to harbor a critical security vulnerability. Although the flaw has been remediated at the time of this publication, 143 anomalous digital certificates impacted by the oversight have been summarily revoked by the parent organization.
The service, which utilizes the ACME protocol for certificate issuance, was scrutinized by a researcher known as 00oo00, who observed that the authority frequently yielded errors citing excessive requests from the IP address 10.254.14.70. This surfaced a significant misconfiguration within the backend infrastructure: the IP in question was an internal server address. LiteSSL had failed to correctly identify the authentic client IP, instead attributing all requests to its internal reverse proxy. This conflation triggered rate-limiting thresholds and suggested a fundamental flaw in the handling of client telemetry.
Furthermore, the authority employs the DNS-01 challenge for domain validation, yet it appeared to maintain an excessively protracted cache for these challenges. Crucially, the system failed to verify whether a certificate signing request (CSR) originated from the same ACME account that performed the initial validation. This lapse permitted unauthorized parties to “hijack” the issuance process, obtaining certificates for domains validated by others. During testing, researchers demonstrated the ability to re-issue wildcard certificates for arbitrary domains without re-triggering validation—a technique that could facilitate devastating Man-in-the-Middle (MiTM) incursions.
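The missing check described above, modelled as an added example (not LiteSSL's or TrustAsia's code): a toy ACME finalize step that, in its vulnerable form, only asks whether *anyone* validated a name, and in its fixed form binds each CSR identifier to a still-valid authorization owned by the same ACME account. The short cache lifetime and the "reset VALID authorizations to REVOKED" step from the timeline are modelled too; account names, identifiers and timestamps are constructed.

```python
from dataclasses import dataclass

@dataclass
class Authorization:
    account: str      # ACME account that completed the DNS-01 challenge
    identifier: str   # identifier as requested in the order, e.g. "*.example.test"
    status: str       # "valid" or "revoked"
    expires: float    # epoch seconds; a long cache lifetime widens the exposure window

class ToyCA:
    """Minimal model of the authorization store behind an ACME finalize endpoint."""

    def __init__(self, authz_ttl_seconds: float = 3600.0):
        self.authz: list[Authorization] = []
        self.ttl = authz_ttl_seconds

    def record_validation(self, account: str, identifier: str, now: float) -> None:
        # Called after the DNS-01 challenge for `identifier` succeeds for `account`.
        self.authz.append(Authorization(account, identifier, "valid", now + self.ttl))

    def finalize_vulnerable(self, account: str, csr_identifiers: list[str], now: float) -> bool:
        # The lapse: the requesting account is never compared with the one that validated,
        # and the expiry of the cached authorization is ignored.
        return all(
            any(a.identifier == name and a.status == "valid" for a in self.authz)
            for name in csr_identifiers
        )

    def finalize_fixed(self, account: str, csr_identifiers: list[str], now: float) -> bool:
        # Every identifier in the CSR needs a valid, unexpired authorization that belongs
        # to the account submitting the finalize request.
        return all(
            any(a.account == account and a.identifier == name
                and a.status == "valid" and a.expires > now for a in self.authz)
            for name in csr_identifiers
        )

    def revoke_all_valid_authorizations(self) -> int:
        # Remediation step: invalidate every cached VALID authorization so that all
        # clients must re-validate before the service is reopened. Returns the count.
        revoked = 0
        for a in self.authz:
            if a.status == "valid":
                a.status = "revoked"
                revoked += 1
        return revoked
```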
Upon discovery, TrustAsia exhibited commendable accountability by disclosing the incident on Bugzilla. Their investigation confirmed that 143 certificates were compromised and subsequently invalidated. The internal systemic errors have since been rectified, and LiteSSL has resumed its wildcard issuance services, now fortified against such exploits.
The following timeline delineates TrustAsia’s responsive measures:
- 2026-01-21
- 14:55 – Internal compliance team received a community report (https://v2ex.com/t/1187331) indicating a domain validation data reuse issue in TrustAsia’s LiteSSL ACME service.
- 15:10 – Preliminarily confirmed the issue and suspended the ACME issuance service.
- 15:30 – Confirmed the issue and the impact scope involving the certificates issued using ACME protocol; investigation of affected certificates and system remediation began.
- 15:33 – Initiated revocation of the two certificates referenced in the community report.
- 21:00 – Fix completed and successfully validated in the test environment.
- 21:21 – Identified all the affected certificates and initiated batch revocation.
- 21:30 – Completed revocation of the 140 affected and still-valid certificates (the remaining 3 affected certificates had already been previously revoked).
- 21:41 – Deployed the fixed code to the production environment.
- 22:35 – Reset all ACME Authorizations in the production environment with status VALID to REVOKED and requested the clients to perform re-validation.
- 22:50 – Successfully completed the internal validation of the production environment.
- 23:00 – External ACME issuance service restored.
TrustAsia intends to release a definitive post-mortem report detailing the root causes of the configuration lapse. While such vulnerabilities can be fatal to the reputation of a Certificate Authority, swift action mitigated broader catastrophe. Users who secured certificates via LiteSSL after December 29, 2025, are urged to inspect their certificate status immediately to forestall service disruptions resulting from the recent revocations.