Let’s Encrypt Plans to Revoke 3 Million SSL Certificates

Let’s Encrypt, the world-leading free SSL certificate authority (CA), has announced that it will revoke over 3 million SSL/TLS certificates by March 4, 2020. The revocation is due to a bug discovered by Let’s Encrypt.

The issue, in Let’s Encrypt’s CA software Boulder, caused CAA rechecks to be skipped for some domain names in multi-name certificate requests. Let’s Encrypt confirmed the bug in a February 29, 2020 forum post. However, the announcement gave users very little time to react.


To meet the CA/B Forum’s baseline requirements, Let’s Encrypt has implemented a short revocation timeline. As a result, many users of Let’s Encrypt certificates may be unaware and could be impacted by this.

So, why is Let’s Encrypt revoking these certificates, and what should website owners do if their certificates are affected?

Why Has Let’s Encrypt Revoked Certificates?

Let’s Encrypt announced that a bug in their code allowed SSL certificates to be issued without properly rechecking the domains’ CAA DNS records. As a result, Let’s Encrypt had to revoke over 3 million valid SSL certificates out of a total of 116 million. Specifically, the bug affected Boulder, the server software Let’s Encrypt uses to verify users and their domains before issuing SSL certificates.

Jacob Hoffman-Andrews, the lead developer at Let’s Encrypt, posted a statement in Mozilla’s Bugzilla bug tracker:

On February 29, 2020 (UTC), Let’s Encrypt identified a bug in our CAA code. Our CA software, Boulder, checks for CAA records during domain control validation. While most subscribers issue certificates immediately after domain control validation, we consider the validation valid for 30 days. This means that, in some cases, we need to recheck the CAA records just before issuing the certificate. Specifically, we must check the CAA records within 8 hours of issuance (as per BRs §3.2.2.8). As a result, any domain validated more than 8 hours ago requires a recheck.

The bug was as follows: when a certificate request contained N domain names that required CAA rechecking, Boulder would pick one domain name and check it N times. In practice, this meant that if a subscriber validated a domain name at time X, and the CAA records allowed Let’s Encrypt to issue a certificate, the subscriber could issue a certificate containing that domain name until X+30 days. This would occur even if, after validation, someone added CAA records to that domain name that prohibited issuance by Let’s Encrypt.

The bug was discovered at 03:08 UTC on February 29, and issuance was halted at 03:10. A fix was deployed at 05:22 UTC, after which issuance was re-enabled. Preliminary investigations revealed that the bug had been introduced on July 25, 2019.

In simple terms, Let’s Encrypt had to revoke the SSL certificates because, due to a bug in its software, it did not check the CAA records within 8 hours before certificate issuance.
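To make the quoted description concrete, here is an added Python model of the recheck logic (example code written for this article, not Boulder’s own source). It assumes a simplified CAA lookup keyed by DNS name, constructed domain names and timestamps, and the two values the post gives: validations reused for 30 days and a CAA recheck required within 8 hours of issuance.

```python
from datetime import datetime, timedelta, timezone

# Constructed model of the Boulder CAA-recheck bug described in the post.
# The two windows come from the post: validations reused for 30 days,
# CAA checked within 8 hours of issuance (BRs section 3.2.2.8).
VALIDATION_LIFETIME = timedelta(days=30)
RECHECK_WINDOW = timedelta(hours=8)
CA = "letsencrypt.org"

def caa_permits(caa, name, ca=CA):
    """RFC 8659 lookup: the closest name with a CAA record set decides.
    `caa` maps a DNS name to the set of CAs its 'issue' records allow."""
    labels = name.split(".")
    for i in range(len(labels)):
        records = caa.get(".".join(labels[i:]))
        if records is not None:
            return ca in records
    return True  # no CAA record set anywhere up the tree: not restricted

def names_to_recheck(validations, names, now):
    """Names whose cached validation is older than the 8-hour window."""
    for n in names:
        if now - validations[n] > VALIDATION_LIFETIME:
            raise ValueError(f"{n}: validation expired, revalidate")
    return [n for n in names if now - validations[n] > RECHECK_WINDOW]

def recheck_buggy(caa, validations, names, now):
    """Behaviour before the fix: one name is rechecked N times."""
    pending = names_to_recheck(validations, names, now)
    if not pending:
        return True
    chosen = pending[0]  # bug: the same name is used on every iteration
    return all(caa_permits(caa, chosen) for _ in pending)

def recheck_fixed(caa, validations, names, now):
    """Behaviour after the fix: every pending name is rechecked."""
    pending = names_to_recheck(validations, names, now)
    return all(caa_permits(caa, n) for n in pending)

def demo():
    validated_at = datetime(2020, 2, 1, tzinfo=timezone.utc)  # constructed
    names = ["example.com", "example.net"]
    validations = {n: validated_at for n in names}
    # Neither domain had CAA records at validation time; example.net later
    # adds a record allowing only a different CA (constructed CA name).
    caa = {"example.net": {"other-ca.example"}}
    now = validated_at + timedelta(days=2)  # within 30 days, past 8 hours
    return recheck_buggy(caa, validations, names, now), recheck_fixed(caa, validations, names, now)
```

`demo()` returns `(True, False)`: the buggy loop rechecks example.com twice and would issue, while the fixed loop sees example.net’s new CAA record and refuses.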

What Options Do Let's Encrypt Certificate Users Have?

Step 1: Verify the Certificate

Website owners, web admins, or system administrators with a Let’s Encrypt SSL certificate can use the tool to verify if their certificate has been impacted by simply entering the domain name. They can also visit the page hosting the list of affected serial numbers.

Step 2: Renew Your Certificate

Once you have confirmed that your Let’s Encrypt certificate is impacted, the next step is to renew it. Users can renew the certificate through a trusted Certificate Authority (CA) or a free, untrusted SSL certificate authority.

Using a trusted certificate for your network or server is always best. Reputable companies rely on trusted SSL certificates to ensure security. Renewing your SSL certificate at an affordable cost will help secure your website with peace of mind.

Renewing and reinstalling the certificate can feel like a burden, but you can simplify the process by visiting SSL.Support, a top SSL installation service provider. They will install your certificate on any server with ease. Sit back and relax while SSL.Support takes care of the installation for you.
