A Massive Jolt: Let’s Encrypt Is Revoking 3 Million SSL Certificates
Without Checking CAA Field of the Requesting Domain, Let’s Encrypt Issued 3,048,289 SSL/TLS Certificates
Precisely, the bug affects the CAA-checking code in Boulder, the server software the Let’s Encrypt project uses to validate users and their domains before issuing an SSL/TLS certificate. Another significant impact is how sudden the announcement was: it barely gave users any time to react.
Ultimately, this move by Let’s Encrypt means that millions of websites and machine identities that rely on Let’s Encrypt certificates to protect sensitive data in transit, perhaps including yours, will be treated as insecure and, in some cases, may even become unavailable. Worst of all, many users won’t be aware of it.
Many Let’s Encrypt certificate users received the revocation notification on Tuesday and were given 24 hours to resolve the issue.
We’re a bit late in covering this news, and you may already have read about it elsewhere. But if you’re hearing about it for the first time, you probably have questions: Why is this revocation taking place? What does it mean for Let’s Encrypt users? What should you do if your certificate is among those affected?
No worries, we’ll cover all of that along with some other important points. Read on and get your questions answered.
Let’s get into it.
Major Revocation of Let’s Encrypt SSL/TLS Certificates
Let’s Encrypt engineers have explained the same point on a special FAQ page created for this incident: “Because of the way this bug operated, the most commonly affected certificates were those that are reissued very frequently, which is why so many affected certificates are duplicates”.
What to Do if Your Let’s Encrypt SSL Certificate Has Been Impacted?
Also, check your mail: Let’s Encrypt has notified the domain owners affected by this bug by email. However, not all users have registered a valid contact address, so many will obviously not receive the notice.
“On 2020-02-29 UTC, Let’s Encrypt found a bug in our CAA code. Our CA software, Boulder, checks for CAA records at the same time it validates a subscriber’s control of a domain name. Most subscribers issue a certificate immediately after domain control validation, but we consider a validation good for 30 days. That means in some cases we need to check CAA records a second time, just before issuance. Specifically, we have to check CAA within 8 hours prior to issuance (per BRs §3.2.2.8), so any domain name that was validated more than 8 hours ago requires rechecking.
The bug: when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let’s Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let’s Encrypt.”
If you haven’t received an email, you need to verify the CAA (Certificate Authority Authorization) records to find out whether you’ve been affected.
What’s the Importance of CAA Records in the Issuance Process of SSL/TLS Certificate?
- If a CAA record exists, only the CA(s) listed in it are allowed to issue an SSL/TLS certificate for that domain.
- If no CAA record exists, any CA may issue an SSL/TLS certificate for that domain.
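The two CAA rules above and the bug described in the quoted incident report can both be shown in a few lines. The following is an added example, not code from this article and not Let’s Encrypt’s Boulder: it implements an RFC 8659-style CAA check for a single name (walking up the DNS tree to the closest CAA set, with issuewild taking precedence for wildcard names), the 30-day/8-hour timing rule from the quote, and two versions of the per-certificate recheck loop: a model of the bug, in which one name is checked N times, next to the corrected loop. The zone data, the names and the fictional CA identifier other-ca.example are constructed; no DNS is queried.

```python
"""
Added example (not Boulder's code): an RFC 8659-style CAA check for one name,
plus two versions of the per-certificate recheck loop: a model of the Boulder
bug (one name checked N times) next to the corrected loop. All zone data is
constructed; no DNS is queried.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

CAARecord = Tuple[str, str]        # (tag, value), e.g. ("issue", "letsencrypt.org")
Zone = Dict[str, List[CAARecord]]  # constructed stand-in for DNS CAA lookups

LETSENCRYPT = "letsencrypt.org"            # the CAA issuer identifier Let's Encrypt honours
VALIDATION_LIFETIME = timedelta(days=30)   # how long Let's Encrypt reuses a validation
CAA_FRESHNESS = timedelta(hours=8)         # BRs: CAA must be checked within 8h of issuance


def relevant_caa(name: str, zone: Zone) -> List[CAARecord]:
    """Return the first non-empty CAA set found walking from `name` toward the root."""
    labels = name[2:].split(".") if name.startswith("*.") else name.split(".")
    while labels:
        records = zone.get(".".join(labels), [])
        if records:
            return records
        labels = labels[1:]
    return []


def caa_permits(name: str, ca: str, zone: Zone) -> bool:
    """RFC 8659 issuance rule for a single name and a single CA identifier."""
    records = relevant_caa(name, zone)
    if not records:
        return True  # no CAA anywhere up the tree: any CA may issue
    tag = "issue"
    if name.startswith("*.") and any(t == "issuewild" for t, _ in records):
        tag = "issuewild"  # issuewild takes precedence for wildcard names
    # Value syntax is "<issuer-domain>[; params]"; an empty issuer (";") forbids everyone.
    allowed = [v.split(";")[0].strip().lower() for t, v in records if t == tag]
    if not allowed:
        return True  # records exist but none carry the tag that restricts this name
    return ca.lower() in allowed


def recheck_needed(validated_at: datetime, now: datetime) -> bool:
    """A validation may be reused for 30 days, but CAA must be rechecked after 8 hours."""
    age = now - validated_at
    if age > VALIDATION_LIFETIME:
        raise ValueError("validation expired; the name must be validated again")
    return age > CAA_FRESHNESS


def recheck_caa_buggy(names: List[str], ca: str, zone: Zone) -> bool:
    """Model of the bug: one name is picked and checked len(names) times."""
    picked = names[0]
    return all(caa_permits(picked, ca, zone) for _ in names)


def recheck_caa_fixed(names: List[str], ca: str, zone: Zone) -> bool:
    """Corrected loop: every name in the request is rechecked."""
    return all(caa_permits(n, ca, zone) for n in names)


# Constructed scenario: both names were fine at validation time; later the owner of
# example.org added a CAA record naming a different (fictional) CA.
NAMES = ["shop.example.com", "www.example.org"]
ZONE_AT_VALIDATION: Zone = {"example.com": [("issue", "letsencrypt.org")]}
ZONE_AT_ISSUANCE: Zone = {
    "example.com": [("issue", "letsencrypt.org")],
    "example.org": [("issue", "other-ca.example")],
}


def demo() -> Dict[str, bool]:
    validated = datetime(2020, 2, 1, 9, 0, tzinfo=timezone.utc)
    issuing = validated + timedelta(hours=9)  # more than 8h later, so CAA must be rechecked
    return {
        "recheck_needed": recheck_needed(validated, issuing),
        "permitted_at_validation": recheck_caa_fixed(NAMES, LETSENCRYPT, ZONE_AT_VALIDATION),
        "buggy_recheck": recheck_caa_buggy(NAMES, LETSENCRYPT, ZONE_AT_ISSUANCE),
        "fixed_recheck": recheck_caa_fixed(NAMES, LETSENCRYPT, ZONE_AT_ISSUANCE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the failure mode from the quote: the buggy loop still reports the whole request as permitted because it only ever looks at shop.example.com, while the corrected loop refuses because www.example.org now restricts issuance to another CA.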
Here’s Why Revocation of Let’s Encrypt SSL/TLS Certificate Is Different
Here’s why.
Not Everyone Is Notified That They Are Affected
However, they have also posted a link on the Let’s Encrypt forum to a tool that tells you whether your SSL certificate has been affected. This may also be an early sign of bigger problems ahead for Let’s Encrypt users, which could prove costly for affected organizations too: according to the Ponemon Institute and Keyfactor, an unexpected certificate outage is estimated to cost more than $11 million.
Let’s Encrypt Certificate Subscribers Have Limited Support
Using Let’s Encrypt SSL/TLS Certificate – Here’s What You Should Do
Check Your Installed Let’s Encrypt SSL/TLS Certificates
Alternatively, you can use this online tool or, if you’re on Linux or a system such as BSD, simply run the command below in a terminal to print the certificate’s serial number.
openssl s_client -connect example.com:443 -showcerts </dev/null 2>/dev/null | openssl x509 -text -noout | grep -A 1 Serial\ Number | tr -d :
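The command above only prints the serial number; you still have to compare it with the list of affected serials. The following added example (not part of this article, and not Let’s Encrypt’s checking tool) parses the text form that `openssl x509 -text -noout` prints, normalizes the serial the same way `tr -d :` does, confirms the issuer is Let’s Encrypt and reports whether the serial is on a list. The sample certificate text and the affected-serial list are constructed placeholders; the real list came from Let’s Encrypt.

```python
"""
Added example (not from the article or Let's Encrypt): parse the text form of a
certificate as printed by `openssl x509 -text -noout` and decide whether it is a
Let's Encrypt certificate whose serial appears on an affected-serial list.
"""
import re
from datetime import datetime, timezone
from typing import Dict, Iterable, Optional

# Constructed sample, shaped like real `openssl x509 -text -noout` output.
SAMPLE_X509_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:1a:2b:3c:4d:5e:6f:70:81:92:a3:b4:c5:d6:e7:f8:09:1a
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        Validity
            Not Before: Feb 20 00:00:00 2020 GMT
            Not After : May 20 00:00:00 2020 GMT
        Subject: CN = example.com
"""

# Constructed placeholder list; replace it with the serials published for the incident.
AFFECTED_SERIALS = {"031a2b3c4d5e6f708192a3b4c5d6e7f8091a"}


def normalize_serial(raw: str) -> str:
    """Mirror `tr -d :` from the command above: strip colons, lower-case the hex."""
    return raw.replace(":", "").strip().lower()


def parse_x509_text(text: str) -> Dict[str, object]:
    """Pull serial, issuer and expiry out of `openssl x509 -text` output."""
    # Short serials are printed on the same line ("Serial Number: 1234 (0x4d2)"),
    # long ones on the next line as colon-separated hex; both forms match here.
    serial_m = re.search(r"Serial Number:\s*([0-9a-fA-F:]+)", text)
    issuer_m = re.search(r"^\s*Issuer:\s*(.+)$", text, re.M)
    after_m = re.search(r"Not After\s*:\s*(.+)$", text, re.M)
    if not (serial_m and issuer_m and after_m):
        raise ValueError("input does not look like `openssl x509 -text` output")
    # openssl pads single-digit days with a space; collapse whitespace before parsing.
    when = " ".join(after_m.group(1).split())
    not_after = datetime.strptime(when, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    return {
        "serial": normalize_serial(serial_m.group(1)),
        "issuer": issuer_m.group(1).strip(),
        "not_after": not_after,
    }


def is_letsencrypt(info: Dict[str, object]) -> bool:
    return "O = Let's Encrypt" in str(info["issuer"])


def is_affected(info: Dict[str, object], affected: Iterable[str]) -> bool:
    """True only for a Let's Encrypt certificate whose serial is on the list."""
    wanted = {normalize_serial(s) for s in affected}
    return is_letsencrypt(info) and info["serial"] in wanted


def assess(text: str, affected: Iterable[str] = AFFECTED_SERIALS,
           now: Optional[datetime] = None) -> str:
    """One-line verdict for a certificate, e.g. for a loop over many hosts."""
    info = parse_x509_text(text)
    now = now or datetime.now(timezone.utc)
    if not is_letsencrypt(info):
        return "not a Let's Encrypt certificate"
    if is_affected(info, affected):
        return "affected: renew now"
    if info["not_after"] <= now:
        return "expired"
    return "not on the list"


if __name__ == "__main__":
    import sys
    # Pipe the output of `openssl x509 -text -noout` in, or run with no input for the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_X509_TEXT
    print(assess(data))
```

In practice you would feed it the output of the openssl pipeline above (without the final `grep`/`tr` stage) for each host, and load the affected serials from the list Let’s Encrypt published rather than the placeholder set.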
However, if you use an ACME client to renew your certificates, refer to that client’s documentation for its SSL/TLS certificate renewal process. If you’re using Certbot, run the command below:
certbot renew --force-renewal
Also, if you use cPanel to manage and install your Let’s Encrypt SSL certificates, simply go through the regular renewal steps to renew them.