Over Three Million Certificates From Let’s Encrypt Need To Be Revoked Due To Software Bug

Well this isn’t good. The free SSL certificate provider Let’s Encrypt is going to revoke 2.6% of the SSL certs issued by them that are currently active, due to a bug in boulder, the Certificate Authority Authorization (CAA) software Let’s Encrypt uses. Here’s the key points from the FAQ that I linked to. Starting with the number of certificates affected:

2.6%. That is 3,048,289 currently-valid certificates are affected, out of ~116 million overall active Let’s Encrypt certificates. Of the affected certificates, about 1 million are duplicates of other affected certificates, in the sense of covering the same set of domain names.

And here’s when the revocation will take place:

In order to complete revocations before the deadline of 2020-03-05 03:00 UTC, we are planning to start revoking affected certificates at 2020-03-04 20:00 UTC (3:00pm US EST). Please continue to renew and replace affected certificates in the meantime. If there are any changes to this start time, updates will be provided in this thread. 

And finally, here’s how to tell if you’re affected:

Here is an online tool that will show you: https://checkhost.unboundtest.com/ 9.4k

Or, on a Linux/BSD-like system, this command will show you example.com‘s current certificate serial number:

openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null 2>/dev/null | openssl x509 -text -noout | grep -A 1 Serial\ Number | tr -d :

You can see the list of all affected serial numbers at: https://letsencrypt.org/caaproblem/ 

To be clear, this is not trivial as if you don’t take action, whatever uses an affected certificate will either stop working or not work properly. Thus if you use certificates from this provider, you need to check to see if they are affected. And if they are, you need to take action. Thus if that’s you, I would read the FAQ and go forward from here.

Leave a Reply

%d bloggers like this: