Let’s Encrypt Revoking 3 Million Security Certificates
Let’s Encrypt has announced a bug affecting more than 3 million websites that use its security certificates. On March 4, 2020, Let’s Encrypt revokes the more than 3 million affected certificates.
Sites with revoked certificates may start showing insecure browser icons, which may result in less traffic and fewer sales. Affected website publishers will need to reapply for a new certificate to regain secure status.
Let's Encrypt Bug Announcement
Let’s Encrypt warned customers that the security certificates will be revoked on 4 March 2020:
“Due to the 2020.02.29 CAA Rechecking Bug, we unfortunately need to revoke many Let’s Encrypt TLS/SSL certificates.”
Certificates begin to be revoked at 3 PM EST.
Who's affected by the SSL Certificate Bug?
This bug affects 2.6% of publishers who rely on Let’s Encrypt for their security certificates. That is in excess of three million websites.
Emails were sent to the affected publishers.
If you haven’t received an email, you may still be affected, because the notice may not have been delivered for any of the usual reasons (check your spam folder).
There is a way of checking. The following web page has a diagnostic tool to assess if yours is one of the sites affected:
This is the warning the tool will send you if your site is affected:
The Let’s Encrypt Announcement says:
“The bug: when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times.
What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let’s Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let’s Encrypt.
We confirmed the bug at 2020-02-29 03:08 UTC, and halted issuance at 03:10. We deployed a fix at 05:22 UTC and then re-enabled issuance.”
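The behaviour described in the announcement can be reproduced in a few lines of Go. This is an added example, not Boulder's code and not part of the original article. The function names, the `.example` host names and the CAA values are constructed, the shared-variable aliasing in `recheckBuggy` is an assumption chosen to reproduce "one name checked N times", and CAA lookup is simplified to a per-name map.

```go
package main

import "fmt"

// Constructed sample: shop.example added a CAA record after validation that excludes Let's Encrypt.
var sampleCAA = map[string][]string{"shop.example": {"other-ca.example"}}
var sampleNames = []string{"shop.example", "blog.example", "api.example"}

// caaAllows: no record set means no restriction (DNS tree climbing omitted).
func caaAllows(caa map[string][]string, name, ca string) bool {
	issuers := caa[name]
	for _, i := range issuers {
		if i == ca {
			return true
		}
	}
	return len(issuers) == 0
}

// recheckBuggy models the announced behaviour. Assumption for illustration:
// every queued entry aliases one shared variable, so one name is checked N times.
func recheckBuggy(caa map[string][]string, names []string, ca string) (checked []string, ok bool) {
	var cur string
	var queue []*string
	for _, n := range names {
		cur = n
		queue = append(queue, &cur)
	}
	ok = true
	for _, p := range queue {
		checked = append(checked, *p)
		ok = caaAllows(caa, *p, ca) && ok
	}
	return checked, ok
}

// recheckFixed checks every name in the request exactly once.
func recheckFixed(caa map[string][]string, names []string, ca string) ([]string, bool) {
	ok := true
	for _, n := range names {
		ok = caaAllows(caa, n, ca) && ok
	}
	return names, ok
}

func main() {
	fmt.Println(recheckBuggy(sampleCAA, sampleNames, "letsencrypt.org"))
	fmt.Println(recheckFixed(sampleCAA, sampleNames, "letsencrypt.org"))
}
```

A regression test for this class of bug should assert on the list of names actually checked, not only on the pass/fail result, since the buggy path still returns a plausible "allowed".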