On Thursday, March 4 2020, Let’s Encrypt will revoke more than 3 million TLS certificates because of a flaw discovered in its backend code. The bug affected Boulder, the server software the Let’s Encrypt project uses to validate users and their domains before a TLS certificate is issued. Specifically, it affected Boulder’s implementation of the CAA (Certification Authority Authorization) specification. CAA is a security requirement, approved in 2017, that lets domain owners prevent certificate authorities (CAs) from issuing certificates for their domains. A domain owner can add a CAA record to the DNS records for their domain, and only the CAs listed in that record may issue TLS certificates for it. CAs must implement the CAA specification to the letter or risk penalties from browser makers.

The Let’s Encrypt team disclosed in a forum post on Saturday, February 29 that a flaw in Boulder caused it to skip CAA checks. The Let’s Encrypt team explains:

Last Saturday, the Let’s Encrypt team fixed the problem during a two-hour maintenance window, so Boulder now checks CAA records correctly before issuing new certificates. It is very unlikely that anyone exploited this flaw, the project said. Nevertheless, the Let’s Encrypt project announced today that all certificates issued without adequate CAA checks would be revoked, in accordance with the industry rules set by the CA/B Forum. Let’s Encrypt engineers said only 2.6% of the 116 million TLS certificates currently active are affected by this issue, which comes to 3,048,289 certificates. Of those 3 million, about one million are duplicates for the same domain or subdomain, leaving about 2 million distinct affected certificates. Let’s Encrypt plans to revoke all affected certificates starting tomorrow at 00:00 UTC on March 4, 2020.
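To make the CAA check described above concrete, here is an added illustration (example code, not Boulder’s implementation) of the authorization decision a CA must make for every name on a certificate before issuing it: walk up the DNS tree to the closest CAA record set, then compare the `issue`/`issuewild` issuer domains against the CA’s own. The zone data, domain names and CA identifier are constructed for the example.

```python
"""CAA authorization check following RFC 8659 semantics (example code).
Every name on a certificate must be checked individually; a CA that
checks only some of them can issue against the domain owner's policy."""

# Constructed DNS data: owner name -> list of (flags, tag, value) CAA records.
CONSTRUCTED_ZONE = {
    "example.com.":        [(0, "issue", "letsencrypt.org")],
    "locked.example.com.": [(0, "issue", ";")],              # ";" forbids all issuance
    "wild.example.com.":   [(0, "issue", "other-ca.example"),
                            (0, "issuewild", "letsencrypt.org")],
}

KNOWN_TAGS = ("issue", "issuewild", "iodef")


def lookup_caa(zone, name):
    """Return the closest CAA RRset for name, climbing toward the root.
    Names without records fall under the policy of the nearest parent."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]) + ".")
        if rrset:
            return rrset
    return []


def caa_permits(zone, name, ca_domain, wildcard=False):
    """True if ca_domain is authorized to issue for name (or *.name)."""
    rrset = lookup_caa(zone, name)
    if not rrset:
        return True  # no CAA policy anywhere in the tree: any CA may issue
    # A record with the critical flag (bit 128) and an unknown tag must block issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    issue = [v for _, tag, v in rrset if tag == "issue"]
    issuewild = [v for _, tag, v in rrset if tag == "issuewild"]
    # For wildcard names, issuewild records take precedence when present.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # CAA present but carries no issuance restriction
    # Issuer domain is the text before any ";" parameters; ";" alone means nobody.
    issuers = {v.split(";")[0].strip().lower() for v in relevant}
    return ca_domain.lower() in issuers


def authorize_all(zone, names, ca_domain):
    """Check every name on the certificate; return those whose CAA policy
    rejects ca_domain. Issuance is allowed only when the result is empty."""
    failed = []
    for n in names:
        wildcard = n.startswith("*.")
        if not caa_permits(zone, n[2:] if wildcard else n, ca_domain, wildcard):
            failed.append(n)
    return failed
```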