Let’s Encrypt Recalls Three Million Security Certificates – Impact Critical
If you obtained a free SSL certificate from Let’s Encrypt, your website is in a critical situation and you need to fix it right now.
The company sent an email notification to users:
“Unfortunately, this means we need to revoke the certificates that were affected by this bug, which includes one or more of your certificates. To avoid disruption, you’ll need to renew and replace your affected certificate(s) by Wednesday, March 4, 2020. We sincerely apologize for the issue.
If you’re not able to renew your certificate by March 4, the date we are required to revoke these certificates, visitors to your site will see security warnings until you do renew the certificate. Your ACME client documentation should explain how to renew.
If you are using Certbot, the command to renew is:
certbot renew --force-renewal”
Let’s Encrypt is a non-profit certificate authority run by the Internet Security Research Group that provides X.509 certificates for Transport Layer Security encryption at no charge. Each certificate is valid for 90 days, during which renewal can take place at any time.
On 2020-02-29 UTC, Let’s Encrypt found a bug in its CAA code. The company’s CA software, Boulder, checks for CAA records at the same time it validates a subscriber’s control of a domain name. Most subscribers issue a certificate immediately after domain control validation, but Let’s Encrypt considers a validation good for 30 days. That means in some cases it needs to check CAA records a second time, just before issuance. Specifically, it has to check CAA within 8 hours prior to issuance (per BRs §3.2.2.8), so any domain name that was validated more than 8 hours ago requires rechecking.
What is the Bug?
When a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let’s Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let’s Encrypt.
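A small Go model of the behaviour described above, added here as an illustration. It is not Boulder's code: the Authz type, the functions needsRecheck, recheckBuggy and recheckFixed, the caaAllows map and the sample domains are all constructed for the example. It shows how a request passes the recheck even though one of its names now has CAA records that prohibit issuance.

```go
package main

import (
	"fmt"
	"time"
)

type Authz struct { // constructed stand-in for a stored domain validation
	Name        string
	ValidatedAt time.Time
}

// needsRecheck returns the names validated more than 8 hours before now.
func needsRecheck(authzs []Authz, now time.Time) []string {
	var names []string
	for _, a := range authzs {
		if now.Sub(a.ValidatedAt) > 8*time.Hour {
			names = append(names, a.Name)
		}
	}
	return names
}

// recheckBuggy models the described failure: N checks, all against one name.
func recheckBuggy(names []string, caaAllows map[string]bool) bool {
	for range names {
		if !caaAllows[names[0]] {
			return false
		}
	}
	return true
}

// recheckFixed consults the (hypothetical) CAA result for every name.
func recheckFixed(names []string, caaAllows map[string]bool) bool {
	for _, n := range names {
		if !caaAllows[n] {
			return false
		}
	}
	return true
}

func main() {
	now := time.Date(2020, 2, 29, 3, 0, 0, 0, time.UTC)
	old := now.Add(-10 * 24 * time.Hour) // validated 10 days ago, still reusable
	names := needsRecheck([]Authz{{"a.example", old}, {"b.example", old}, {"c.example", now}}, now)
	caa := map[string]bool{"a.example": true, "b.example": false} // b.example now forbids issuance
	fmt.Println(recheckBuggy(names, caa), recheckFixed(names, caa)) // true false
}
```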
Let’s Encrypt confirmed the bug at 2020-02-29 03:08 UTC, and halted issuance at 03:10. It deployed a fix at 05:22 UTC and then re-enabled issuance.
The company’s preliminary investigation suggests the bug was introduced on 2019-07-25; it will conduct a more detailed investigation and provide a postmortem when it is complete.
“Due to the 2020.02.29 CAA Rechecking Bug, we unfortunately need to revoke many Let’s Encrypt TLS/SSL certificates. We’re e-mailing affected subscribers for whom we have contact information.
This post and thread will collect answers to frequently asked questions about this revocation, and how to avoid problems by renewing affected certificates early. If you’re affected, please: thoroughly read this thread, and search the community forum, for an answer to your question. If you don’t find one, please make a new post to the “Help” category, filling in the questions in the template that appears as you compose your post.”
Que. How many certificates are affected?
Ans- 2.6 percent. That is, 3,048,289 currently valid certificates are affected, out of ~116 million overall active Let’s Encrypt certificates. Of the affected certificates, about 1 million are duplicates of other affected certificates, in the sense of covering the same set of domain names.
Because of the way this bug operated, the most commonly affected certificates were those that are reissued very frequently, which is why so many affected certificates are duplicates.
Que. When will the revocations start?
Ans- In order to complete revocations before the deadline of 2020-03-05 03:00 UTC, Let’s Encrypt is planning to start revoking affected certificates at 2020-03-04 20:00 UTC (3:00pm US EST). Please do continue to renew and replace affected certificates in the meantime. If there are any changes to this start time, updates will be provided in this thread.
Que. How do I know if I’m using an affected certificate?
Ans- You can check online whether your website is affected at https://checkhost.unboundtest.com/.