Let’s Encrypt to Revoke 3 Million SSL Certificates

Let’s Encrypt – the world-leading Free SSL Certificate authority (CA), has announced that it will revoke more than 3 million SSL/TLS Certificate by 4th March 2020. The cause of the revocation is a bug which was discovered by Let’s Encrypt.

Lets Encrypt confirmed that a bug in Boulder ignored CAA Checks in a forum post on 29th February 2020. However, this news barely gave time to their user to react to it.

Also Read: The Risk of Free SSL Certificate

Let’s Encrypt is going for a short revocation timeline in order to meet the stipulation by the CA/B Forum’s baseline requirement. That means many people who are using let’s encrypt certificates aren’t aware and can be affected by this.

So, why is Let’s Encrypt revoking these certificates and what does the website owner have to do with an affected certificate from Let’s Encrypt.

Why Let’s Encrypt certificate been revoked?

Let’s Encrypt announced there was a bug in their code which allowed the issuance of SSL Certificate without going through proper domain record checks. This resulted, let’s Encrypt to revoke more than 3 million valid SSL certificates out of their total 116 million certificates. To be more specific, the bug affected Boulder – the server software that Let’s Encrypt uses to verify the users and their domains before issuing an SSL certificate.

The lead developer from the Let’s Encrypt Jacob Hoffman-Andrews, post a statement on the Mozilla’s Bugzilla Web Forum:

On 2020-02-29 UTC, Let’s Encrypt found a bug in our CAA code. Our CA software, Boulder, checks for CAA records at the same time it validates a subscriber’s control of a domain name. Most subscribers issue a certificate immediately after domain control validation, but we consider a validation good for 30 days. That means in some cases we need to check CAA records a second time, just before issuance. Specifically, we have to check CAA within 8 hours prior to issuance (per BRs §, so any domain name that was validated more than 8 hours ago requires rechecking.

The bug: when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let’s Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit /issuance by Let’s Encrypt.

They discovered the bug at 03:08 UTC on 29 Feb and halted issuance at 03:10. Further, they deployed a fix at 05:22 UTC and then re-enabled issuance. On the preliminary investigation, it was found that the bug was introduced on 25th July 2019.

In simple words: Lets Encrypt must revoke the SSL Certificate because it didn’t check the CAA records within 8 hours prior to the certificate being issued due to the bug in its software.

What options do the users of Let’s Encrypt certificate have?

Step 1: Check the Certificate

The website owner or webmasters or system administrators having Lets Encrypt SSL Certificate can use the tool to verify if their certificate is been impacted or not by simply entering the domain name. They can also visit this page which hosts the list of affected serial numbers.

Step 2: Renew the Certificate

Once you have determined that you are using the impacted Let’s Encrypt certificate, the next step for you is to renew the certificate. Users can renew the certificate either from a Trusted Certificate Authority or go for a Free untrusted SSL Certificate Authority.

It’s always wise to have a trusted Certificate on your network or server. Also, all reputed companies use a trusted SSL Certificate for their security. Renew SSL Certificate at affordable cost and secure your website without any worries.

Sometimes it feels a burden to renew the certificate and install it again. Well, you can make your life easy, by simply visiting the best SSL Installation Service Provider named as SSL.Support. They install your certificate on any type of server with ease. So now relax and let SSL.Support install your certificate.