Let’s Encrypt, the most popular free certificate signing authority is going to invalidate more than 3 million TLS certificates within the next few hours. The reason why that happens is because they were wrongfully issued due to a Certificate Authority software bug.
The bug was confirmed on February 29 and was fixed two hours after discovery. This changed how the domain name ownership was checked before issuing new TLS certificates.
Affected website owners have until 8PM UTC (3PM EST) March 4 to manually renew and replace their certificates, failing which visitors to the websites will be greeted with TLS security warnings — as the certificates are revoked — until the renewal process is complete.
It’s worth noting that the certificates issued by Let’s Encrypt are valid for a period of 90 days, and ACME clients such as Certbot are capable of automatically renewing them.
But with Let’s Encrypt revoking all impacted certificates, website admins will have to perform a forced renewal to prevent any interruptions.
Check your certificates
We strongly advise you to check if your certificates are not affected by testing your domain here: https://letsencryptchecker.bunnyshell.com
If your certificates are OK you will get this message: “Your Domain Domain Name is not affected”.
Otherwise, your certificate may be affected and you will get this message instead: “Your Domain Domain Name is affected, and following subdomains are also”. In one search you get the complete list of your affected domains and subdomains.
And it doesn’t end here — unfortunately, having a revoked certificate means you can’t receive ANY emails. That practically stops your business right in its tracks. Do yourself a favor, and check how eligible your certificates really are.
The Certification Authority Authorization (CAA), an internet security policy, allows domain name holders to pinpoint to certificate authorities (CAs) whether or not they are authorized to issue digital certificates for a specific domain name.
Let’s Encrypt considers domain validation results good only for 30 days from the time of validation. After that, it rechecks the CAA record authorizing that domain before issuing the certificate. The bug is as follows:
“When a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times.”
In plain English, when Boulder needed to parse, for example, a group of 10 domains names requiring CAA rechecking, it would check one domain name 10 times instead of checking each of the 10 domains once.
According to the company, the bug was introduced as part of an update in July 2019.
Unfortunately, this resulted in Let’s Encrypt issuing certificates that shouldn’t have been issued in the first place. It was just a matter of time before all TLS certificates affected by the bug would be revoked.
The development comes as Let’s Encrypt project announced last week that it had issued its one-billionth free TLS certificate since its launch in 2015.
Let’s Encrypt said 2.6 percent of approximately 116 million active certificates are affected — about 3,048,289 — out of which about one million are duplicates of other affected certificates.