Let’s Encrypt To Revoke 3 Million Certificates On March 4 Due To Software Bug


Let’s Encrypt has announced that it will have to revoke over 3 million Let’s Encrypt TLS/SSL certificates from March 4 due to a bug it discovered in its backend code. The company is currently working to reach every affected user by email so that they can update their certificates.

The bug is in Boulder, the server software the Let’s Encrypt project uses to verify users and their domains before issuing a TLS certificate. Specifically, it affected Boulder’s implementation of the CAA (Certificate Authority Authorization) specification.

In the email sent to the affected users, Let’s Encrypt says: 

“Unfortunately, this means we need to revoke the certificates that were affected by this bug, which includes one or more of your certificates. To avoid disruption, you’ll need to renew and replace your affected certificate(s) by Wednesday, March 4, 2020. We sincerely apologize for the issue.

If you’re not able to renew your certificate by March 4, the date we are required to revoke these certificates, visitors to your site will see security warnings until you do renew the certificate. Your ACME client documentation should explain how to renew.”

Let’s Encrypt engineers said that of the 116 million TLS certificates that are currently active, only 2.6% are impacted by this issue, representing 3,048,289 certificates. Out of these 3 million, one million are duplicates for the same domain/subdomain, putting the actual number of impacted certs at around 2 million.

If you use Let’s Encrypt certificates, you can use this tool to find out whether you need to update them. If you do, you can reach out to the forums or read the advisory from Let’s Encrypt. If you have any questions about this case, head to the “Help” section on the Let’s Encrypt forum and ask them using the template provided as you compose your post.

The certificate revocations will begin at 00:00 UTC on March 4. If you are a Let’s Encrypt user, check their forum via the link given above to see whether you need to take any action.
