Over 3 million Let’s Encrypt SSL certificates are being revoked due to CAA Rechecking Bug

Written 3 months ago by IanDorfman

Due to a bug discovered at the end of February, the staff behind free SSL certificate provider Let's Encrypt will have to revoke over 3 million active certificates.

The problem lies within Let's Encrypt's Certification Authority Authorization (CAA) code, which allowed a certificate to be issued for a domain name even if that domain had CAA records in place to prohibit certificate issuance by Let's Encrypt. This gave the previous owner of a domain up to 30 days to obtain a certificate for a domain they no longer controlled, an inherent privacy risk.
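To make the failure concrete, here is an added illustration (not Let's Encrypt's own code) of the two checks involved: evaluating a domain's CAA records against a CA's issuer domain, and refusing to reuse a cached authorization whose CAA check has gone stale. The zone data, the 8-hour freshness window and all function names are constructed assumptions for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed zone: name -> list of (tag, value) CAA records. Not real DNS data.
CAA_ZONE = {
    "example.com": [("issue", "letsencrypt.org"), ("issuewild", ";")],
    "sub.example.org": [("issue", "otherca.example")],
    "example.org": [("issue", "letsencrypt.org")],
}

def relevant_caa(name, zone):
    """RFC 8659 lookup: climb toward the root and use the first CAA set found."""
    base = name[2:] if name.startswith("*.") else name
    labels = base.split(".")
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]))
        if records is not None:
            return records
    return None  # no CAA anywhere in the chain

def issuance_permitted(name, ca_domain, zone):
    """True if ca_domain may issue for name according to the relevant CAA set."""
    records = relevant_caa(name, zone)
    if records is None:
        return True  # no CAA records: issuance is unrestricted
    wildcard = name.startswith("*.")
    # For wildcard requests, issuewild takes precedence when present.
    tag = "issuewild" if wildcard and any(t == "issuewild" for t, _ in records) else "issue"
    values = [v for t, v in records if t == tag]
    if not values:
        return True  # no issue/issuewild property: CAA does not restrict
    issuers = [v.split(";")[0].strip() for v in values]  # drop parameters
    return ca_domain in issuers  # a bare ";" (empty issuer) forbids every CA

def needs_caa_recheck(validated_at, now, max_age=timedelta(hours=8)):
    """Assumed freshness window: a reused authorization whose CAA check is
    older than max_age must be rechecked before issuance."""
    return now - validated_at > max_age

def may_issue(domains, validated_at, now, ca_domain, zone):
    """Issuance gate: every domain with a stale authorization is rechecked
    against its current CAA records; any refusal blocks the whole order."""
    for d in domains:
        if needs_caa_recheck(validated_at[d], now) and not issuance_permitted(d, ca_domain, zone):
            return False
    return True
```

The bug described above corresponds to skipping the recheck step in `may_issue` for some domains of an order, so a CAA record added after the original validation was never consulted.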

According to an official post by Let's Encrypt development staff, 3,048,289 of the roughly 116 million active certificates were affected by this bug. About 1 million of those 3 million are duplicates, because the most commonly affected certificates are ones that are reissued frequently.

If you're using Let's Encrypt SSL/TLS certificates to secure your website, you can check whether you're affected by this issue with an online tool at checkhost.unboundtest.com. A list of every affected certificate is available at letsencrypt.org/caaproblem/.

Further coverage:
Let's Encrypt Community Support thread