The non-profit certificate authority Let's Encrypt is revoking more than 3 million TLS certificates that were issued without a correct authorization check, because of a bug in its certificate authority (CA) software.
Let's Encrypt provides X.509 certificates for Transport Layer Security (TLS) at no charge; each certificate is valid for 90 days and can be renewed at any point during that period. On February 29, 2020 the CA announced a bug in its issuance software, fixed within a few hours of discovery, that affected the way it rechecked a domain's authorization (its CAA record) before issuing a new TLS certificate.
The effect is that a certificate could be issued without adequately validating that the requester was still authorized to obtain a certificate for every domain name in it.
What Percentage of Let's Encrypt Users Are Affected?
Let's Encrypt treats a completed domain validation as good for 30 days, but the CAA record that authorizes it to issue for a domain must have been checked within the 8 hours preceding issuance. When a certificate request reuses a validation older than that, the software rechecks the CAA record for each name immediately before issuing. The bug was in that recheck: when a request contained N domain names that needed rechecking, the software checked one of those names N times instead of checking each name once, so the other names' CAA records were never rechecked. The defect was introduced in an update in July 2019.
Let's Encrypt says about 2.6 per cent of its roughly 116 million active certificates are affected: 3,048,289 certificates in all, of which about a million are duplicates of other affected certificates (re-issuances covering the same set of names).
The bug was found in Boulder, the CA software Let's Encrypt wrote and uses to validate requests and sign certificates.
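The following Go program is an added illustration of the failure mode described above; it is not Boulder's code, and the exact root cause in Boulder is not given on this page. It models the effect the incident report describes, N names needing a recheck but one name being checked N times, with the classic pattern of closures sharing a single loop variable, and pairs it with the decision rule (validation reused for up to 30 days, CAA lookup good for 8 hours) and the invariant an issuance pipeline should assert. The type names, sample timestamps and the always-permitting CAA lookup are constructed for the example.

```go
package main

import (
	"fmt"
	"time"
)

// Constructed stand-in for an ACME authorization: a validated domain name and
// the time its domain control validation succeeded.
type authz struct {
	name        string
	validatedAt time.Time
}

// Let's Encrypt reuses a validation for up to 30 days, but a CAA lookup may
// only stand for 8 hours before issuance, so names validated earlier than that
// must have their CAA record checked again at issuance time.
const (
	authzLifetime = 30 * 24 * time.Hour
	caaValidity   = 8 * time.Hour
)

// namesNeedingRecheck returns the names whose CAA record must be rechecked
// before a certificate covering them may be issued.
func namesNeedingRecheck(authzs []authz, now time.Time) ([]string, error) {
	var out []string
	for _, a := range authzs {
		age := now.Sub(a.validatedAt)
		if age > authzLifetime {
			return nil, fmt.Errorf("authorization for %q expired; revalidate", a.name)
		}
		if age > caaValidity {
			out = append(out, a.name)
		}
	}
	return out, nil
}

// recheckBuggy models the defect: every closure reads the same variable, and
// because the checks run after the loop has finished, all N of them see the
// last name. (Go versions before 1.22 gave range variables exactly this
// per-loop lifetime.) Illustration only, not Boulder's code.
func recheckBuggy(names []string, checkCAA func(string) bool) []string {
	var checked []string
	var pending []func()
	var name string // one variable shared by every iteration
	for _, n := range names {
		name = n
		pending = append(pending, func() {
			if checkCAA(name) {
				checked = append(checked, name)
			}
		})
	}
	for _, p := range pending {
		p()
	}
	return checked
}

// recheckFixed gives each closure its own copy of the name, so each of the N
// names is checked exactly once.
func recheckFixed(names []string, checkCAA func(string) bool) []string {
	var checked []string
	var pending []func()
	for _, n := range names {
		n := n // per-iteration copy (explicit here; automatic from Go 1.22)
		pending = append(pending, func() {
			if checkCAA(n) {
				checked = append(checked, n)
			}
		})
	}
	for _, p := range pending {
		p()
	}
	return checked
}

// coversAll is the invariant the issuance path should enforce: every name that
// needed a recheck was actually rechecked.
func coversAll(needed, checked []string) bool {
	seen := make(map[string]bool, len(checked))
	for _, c := range checked {
		seen[c] = true
	}
	for _, n := range needed {
		if !seen[n] {
			return false
		}
	}
	return true
}

func main() {
	now := time.Date(2020, 2, 29, 12, 0, 0, 0, time.UTC) // constructed clock
	authzs := []authz{
		{"a.example.test", now.Add(-2 * time.Hour)},       // CAA still fresh
		{"b.example.test", now.Add(-3 * 24 * time.Hour)},  // needs recheck
		{"c.example.test", now.Add(-20 * 24 * time.Hour)}, // needs recheck
	}
	needed, _ := namesNeedingRecheck(authzs, now)
	allow := func(string) bool { return true } // constructed CAA lookup: always permits
	fmt.Println("buggy:", recheckBuggy(needed, allow), coversAll(needed, recheckBuggy(needed, allow)))
	fmt.Println("fixed:", recheckFixed(needed, allow), coversAll(needed, recheckFixed(needed, allow)))
}
```

The buggy variant passes a naive check that "N CAA lookups were made", which is why a count is not enough; the test that would have caught it is `coversAll`, which checks that the set of names rechecked equals the set that needed it.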
How to Check if Your Website Runs on an Affected TLS Certificate
Because Let's Encrypt is revoking every affected certificate, administrators of affected sites must force a renewal before the revocation takes effect to avoid an interruption in their sites' TLS service.
Let's Encrypt has published a downloadable list of the affected certificate serial numbers, so administrators can check whether any of their certificates appear on it, and also provides an online tool that reports whether the certificate a given site is serving needs to be replaced.
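For sites that would rather check offline, the added Go program below (example code, not a Let's Encrypt tool) extracts the serial number from a PEM-encoded certificate and looks it up in a serial list. It assumes the list is one hexadecimal serial per line; since published serials may appear with or without colons, case differences and leading zeros, both sides are normalised before comparison. The sample list and the self-signed certificate are constructed inside the program so it runs without network access.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// normalizeSerial canonicalises a hex serial so that "03:9C:2A", "039c2a" and
// "0x039C2A" compare equal (assumption: the list is hexadecimal; its exact
// formatting is not relied on).
func normalizeSerial(s string) string {
	s = strings.ToLower(strings.TrimSpace(s))
	s = strings.ReplaceAll(s, ":", "")
	s = strings.TrimPrefix(s, "0x")
	s = strings.TrimLeft(s, "0")
	if s == "" {
		return "0"
	}
	return s
}

// loadAffected reads one serial per line, skipping blanks and '#' comments,
// into a set keyed by the normalised form.
func loadAffected(list string) map[string]bool {
	set := make(map[string]bool)
	sc := bufio.NewScanner(strings.NewReader(list))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		set[normalizeSerial(line)] = true
	}
	return set
}

// serialOf parses the first CERTIFICATE block in PEM data (a chain file is
// fine: the leaf comes first) and returns its serial as normalised hex.
func serialOf(pemData []byte) (string, error) {
	for {
		var block *pem.Block
		block, pemData = pem.Decode(pemData)
		if block == nil {
			return "", errors.New("no CERTIFICATE block found")
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return "", err
		}
		return normalizeSerial(cert.SerialNumber.Text(16)), nil
	}
}

// isAffected reports whether the certificate in pemData is on the list.
func isAffected(pemData []byte, affected map[string]bool) (bool, error) {
	serial, err := serialOf(pemData)
	if err != nil {
		return false, err
	}
	return affected[serial], nil
}

// selfSignedPEM builds a throwaway self-signed certificate with a chosen
// serial so the check can be exercised offline. Constructed test data only.
func selfSignedPEM(serial *big.Int, host string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// Constructed sample list in two of the formats one might encounter.
const sampleList = `# affected serials (constructed sample, not the published list)
03:9C:2A:DE:AD:BE:EF:00:00:01
04e1ac000000000000000002
`

func main() {
	affected := loadAffected(sampleList)
	hit, _ := new(big.Int).SetString("039c2adeadbeef000001", 16)
	for _, s := range []*big.Int{hit, big.NewInt(0x1234)} {
		p, err := selfSignedPEM(s, "www.example.test")
		if err != nil {
			panic(err)
		}
		bad, err := isAffected(p, affected)
		fmt.Printf("serial %x affected=%v err=%v\n", s, bad, err)
	}
}
```

To check a live site, capture the leaf certificate it serves with `openssl s_client -connect HOST:443 -servername HOST </dev/null | openssl x509` and feed that PEM to `isAffected` together with the downloaded list; remember to check every certificate a host serves (for example separate RSA and ECDSA certificates, or per-vhost certificates), not just the first one returned.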
It is worth noting that although Let's Encrypt certificates are valid for only 90 days and ACME clients normally renew them automatically, the scheduled renewal is driven by the expiry date, not by revocation, so most affected certificates would not be renewed in time on their own. Administrators of affected sites therefore need to force a renewal (for example `certbot renew --force-renewal` for Certbot) and deploy the new certificate; sites that do not will present revoked certificates, and visitors whose clients check revocation status will be greeted with TLS security warnings. Note that not every client checks revocation, so the absence of warnings is no proof that a certificate was replaced.