Let’s Encrypt announced a bug that has affected over 3 million websites using its security certificates. Let’s Encrypt is revoking over 3 million affected certificates on March 4, 2020.

Sites with revoked certificates might start displaying insecure icons in browsers, which could result in less traffic and fewer sales. Publishers who are affected by this bug will have to reapply for a new certificate in order to regain secure status.

Let’s Encrypt warned customers that it will revoke security certificates on March 4, 2020:

“Due to the 2020.02.29 CAA Rechecking Bug, we unfortunately need to revoke many Let’s Encrypt TLS/SSL certificates.”

Certificates will begin being revoked at 3 PM EST.

This bug is affecting 2.6% of publishers who rely on Let’s Encrypt for their security certificate. This means that over 3 million sites are affected.

Emails have been sent to all publishers that were affected in this way.

Even if you haven’t received an email, there’s still a chance that you might be affected since the notice may not have been delivered for all the usual reasons. Make sure you check your spam folder, just in case.

There is a way to check: the following web page has a diagnostic tool that will identify whether yours is one of the affected sites:

https://checkhost.unboundtest.com

Alternatively, you can download a list of all affected URLs here.

If your site is affected, this is the warning the tool will give to you:

According to the Let’s Encrypt announcement:

“The bug: when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times.

What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let’s Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let’s Encrypt.

We confirmed the bug at 2020-02-29 03:08 UTC, and halted issuance at 03:10. We deployed a fix at 05:22 UTC and then re-enabled issuance.”
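The behaviour described in the announcement, modelled as an added example (not Boulder's code and not from the original article): a request for three names where one name's CAA record prohibits Let's Encrypt passes the buggy recheck because a single name is checked three times. The domain names, CAA data and function names are constructed for illustration, and the pointer aliasing is an assumed way to reproduce the "one name, N checks" effect.

```go
package main

import "fmt"

const issuer = "letsencrypt.org"

// Constructed sample data: domain -> the one CA named in its CAA "issue" record.
// Simplified: no entry means no CAA record, so any CA may issue.
var caa = map[string]string{
	"bank.example": "otherca.example", // prohibits Let's Encrypt
	"blog.example": "letsencrypt.org",
}

func caaAllows(name string) bool {
	allowed, found := caa[name]
	return !found || allowed == issuer
}

// recheckBuggy models the announcement: every queued entry points at the same
// variable, so one name is checked N times (assumed illustration only).
func recheckBuggy(names []string) (checked []string, ok bool) {
	var current string
	var queue []*string
	for _, n := range names {
		current = n
		queue = append(queue, &current)
	}
	ok = true
	for _, p := range queue {
		checked = append(checked, *p)
		ok = ok && caaAllows(*p)
	}
	return checked, ok
}

// recheckFixed checks every name in the request once.
func recheckFixed(names []string) (checked []string, ok bool) {
	ok = true
	for _, n := range names {
		checked = append(checked, n)
		ok = ok && caaAllows(n)
	}
	return checked, ok
}

func main() {
	names := []string{"bank.example", "shop.example", "blog.example"}
	fmt.Println(recheckBuggy(names)) // [blog.example blog.example blog.example] true
	fmt.Println(recheckFixed(names)) // [bank.example shop.example blog.example] false
}
```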

Source: Roger Montti