Let’s Encrypt Revoking 3 Million Security Certificates

Let’s Encrypt has announced a bug affecting more than 3 million websites that use its security certificates. On March 4, 2020, Let’s Encrypt is revoking the more than 3 million affected certificates.

Sites with revoked certificates may start showing insecure browser icons, which may result in less traffic and fewer sales. Affected website publishers will need to reapply for a new certificate to regain secure status.

Let's Encrypt Bug Announcement

Let’s Encrypt warned customers that the security certificates will be revoked on 4 March 2020:

“Due to the 2020.02.29 CAA Rechecking Bug, we unfortunately need to revoke many Let’s Encrypt TLS/SSL certificates.”

Certificates begin to be revoked at 3 PM EST.

Who's affected by the SSL Certificate Bug?

This bug affects 2.6% of publishers who rely on Let’s Encrypt for their security certificates. That is in excess of three million websites.

Emails were sent to publishers affected by this.

If you haven’t received an email, you may still be affected, because the notice may not have been delivered for any of the usual reasons (check your spam folder).

There is a way of checking. The following web page has a diagnostic tool to assess if yours is one of the sites affected:


Alternatively, a list of all affected URLs can be downloaded here.

This is the warning the tool will send you if your site is affected:

This is the warning message you’ll receive if your Let’s Encrypt security certificate is affected and needs renewing.


The Let’s Encrypt Announcement says:

“The bug: when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times.

What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let’s Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let’s Encrypt.

We confirmed the bug at 2020-02-29 03:08 UTC, and halted issuance at 03:10. We deployed a fix at 05:22 UTC and then re-enabled issuance.”
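
The failure mode described in the announcement, modelled as an added Go example (it is not Boulder's code and not part of the original article): `recheckBuggy` makes N checks against one name, `recheckFixed` checks each name, and `unchecked` is an invariant a test or audit job can assert. The function names, the `caaPolicy` map standing in for DNS lookups, and the choice of the first name as the one picked are assumptions.

```go
package main

import "fmt"

// caaPolicy is a constructed stand-in for DNS CAA lookups: name -> issuance allowed.
type caaPolicy map[string]bool

// recheckBuggy models the behaviour in the announcement: N names produce N
// checks, all against one name. Picking names[0] is an assumption.
func recheckBuggy(names []string, caa caaPolicy) (checked []string, ok bool) {
	ok = true
	for range names {
		checked = append(checked, names[0])
		ok = ok && caa[names[0]]
	}
	return checked, ok
}

// recheckFixed checks every name once; one forbidding name fails the request.
func recheckFixed(names []string, caa caaPolicy) (checked []string, ok bool) {
	ok = true
	for _, n := range names {
		checked = append(checked, n)
		ok = ok && caa[n]
	}
	return checked, ok
}

// unchecked returns the requested names that never appear in the check log.
func unchecked(names, checked []string) (missing []string) {
	seen := make(map[string]bool, len(checked))
	for _, c := range checked {
		seen[c] = true
	}
	for _, n := range names {
		if !seen[n] {
			missing = append(missing, n)
		}
	}
	return missing
}

func main() {
	names := []string{"a.example", "b.example", "c.example"} // constructed sample
	caa := caaPolicy{"a.example": true, "b.example": false, "c.example": true}
	bc, bok := recheckBuggy(names, caa)
	fc, fok := recheckFixed(names, caa)
	fmt.Println(bok, unchecked(names, bc), fok, unchecked(names, fc))
}
```

In the constructed sample, `b.example` has CAA records that forbid issuance; the buggy path never looks at it and approves the request, while the fixed path rejects it.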
