Over 3 million Let’s Encrypt SSL certificates are being revoked due to CAA Rechecking Bug
Due to a bug discovered at the end of February, the staff behind free SSL certificate provider Let's Encrypt will have to revoke over 3 million active certificates.
The problem lies within Let's Encrypt's Certification Authority Authorization (CAA) code that allowed issuing of a certificate for a domain name even if that domain had CAA records installed to prohibit SSL certificate issuance by Let's Encrypt. This gave the previous owner of a domain 30 days to create a certificate for something they no longer owned, an inherent privacy risk.
According to an official post by Let's Encrypt development staff, 3,048,289 out of a total of around 116 million active certificates were impacted by this bug. 1 million out of these 3 million are duplicates because of the most commonly affected certificates being ones that are reissued frequently.
If you're using Let's Encrypt SSL/TLS certificates to certify the security of your website, you can see if you're impacted by this issue using an online tool located at checkhost.unboundtest.com. A list of every impacted certificate can be found by going to letsencrypt.org/caaproblem/.
Further coverage: Let's Encrypt Community Support thread
- Free • Open Source
- Self-Hosted
Anyone who has gone through the trouble of setting up a secure website knows what a hassle getting and maintaining a certificate can be. Let’s Encrypt automates away the pain and lets site operators turn on and manage HTTPS with simple commands.