SSL Certificate

Let’s Encrypt CAA bug: Let’s Encrypt revokes 3,048,289 certificates

Have you heard about the Let’s Encrypt CAA bug?

Starting at 20:00 UTC on 4 March 2020, Let’s Encrypt will revoke around 2.6% (3,048,289) of its active certificates because of a CAA bug it discovered on 29 February 2020. The bug sat in the CAA rechecking step: when a certificate is issued for several domain names whose validations are older than eight hours, the CAA records of every one of those names must be rechecked before issuance, but the affected code rechecked a single name repeatedly instead of checking each name once.

What does this mean in reality?

Revoking a certificate marks it as no longer trustworthy (the revocation is published through OCSP and the CRL), so a website that keeps serving a revoked certificate will start showing SSL/TLS validation errors and warnings in browser clients that check revocation status.

Those TLS warnings will block normal use of the affected website until a new certificate has been requested, issued and installed in its place.

How do I check if my website is affected?

Let’s Encrypt has published a file listing the serial numbers of the certificates affected by the CAA bug.

Option 1:
Unboundtest.com offers an online test that automates the check. All you need to do is provide your domain name here: https://checkhost.unboundtest.com/

Option 2:

  1. Load your website in a browser
  2. Obtain the serial number of the Let’s Encrypt certificate the site is serving
    1. Chrome users:
      • Click on the padlock in the address bar, located right in front of your domain name
      • Click on the Certificate (Valid) menu option. The Certificate window will appear
      • Click on the Details tab
      • Click on your domain within the Certificate Hierarchy tree
      • Click on Serial Number within the Certificate Fields frame
      • The Field Value frame contains your certificate’s serial number; copy it
    2. Firefox users:
      • Click on the padlock in the address bar, located right in front of your domain name
      • Click on the “Show connection details” arrow
      • Click on “More Information”
      • Click on the View Certificate button
      • The serial number is shown in the Serial Number field (Miscellaneous section) of the certificate
  3. Check whether the serial number you obtained in the previous step is present in the file. Browsers display the serial as hexadecimal bytes separated by colons or spaces, so compare it ignoring those separators and letter case.
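The same check done from the command line, as an added example that is not part of the original post and not a tool from Let’s Encrypt: it reads the serial of the certificate a host currently serves with openssl, normalises it to the form used in the published list, and looks it up in a local copy of that list. It assumes openssl and grep are installed and that the affected-serial file has already been downloaded to a local path (passed as the second argument) with one hexadecimal serial per line.

```shell
#!/bin/sh
# Added example, not code from the original post or from Let's Encrypt.
# Assumptions: openssl and grep on PATH; the affected-serial list has been
# downloaded to a local file (second argument) with one hex serial per line.
# Letter case and byte separators are normalised on both sides.

# Normalise a serial as printed by openssl ("serial=03CA...") or shown by a
# browser ("03:CA:...") to lowercase hex with no separators, keeping the
# leading byte so it matches the published form.
normalize_serial() {
    printf '%s' "$1" | sed 's/^serial=//' | tr -d ': ' | tr 'A-Z' 'a-z'
}

# Read the leaf certificate's serial from a live TLS endpoint (needs network).
# -servername sends SNI so a shared host returns the right certificate.
fetch_serial() {
    host=$1
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -serial \
        | sed 's/^serial=//'
}

# Exit 0 if the serial is on the list, 1 otherwise. Separators are stripped
# from the list too, and -w stops a short serial matching inside a longer one.
is_affected() {
    serial=$(normalize_serial "$1")
    list=$2
    tr -d ':' < "$list" | tr 'A-Z' 'a-z' | grep -qw -- "$serial"
}

main() {
    host=$1
    list=$2
    serial=$(fetch_serial "$host")
    if [ -z "$serial" ]; then
        echo "could not read a certificate from $host" >&2
        exit 2
    fi
    if is_affected "$serial" "$list"; then
        echo "$host: serial $serial IS on the affected list; renew now"
    else
        echo "$host: serial $serial is not on the affected list"
    fi
}

# Usage: sh check_caa.sh example.com affected-serials.txt
if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

Run it once per hostname you serve; a site behind SNI-based virtual hosting returns a different certificate per name, which is why the script passes -servername rather than relying on the default certificate.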

The CAA Let’s Encrypt bug has affected my website. What should I do?

All you need to do is renew your current Let’s Encrypt certificate. Ideally, request the renewal before your current certificate is revoked, so that your website visitors never see invalid-certificate TLS warnings.

No worries if you haven’t had time to renew before the revocation: you can still do it at any time afterwards, as soon as possible.

The Let’s Encrypt CAA bug has affected my certificate. How do I renew it?

  • Follow these instructions if you host your website yourself. Note that the affected certificate is not near expiry, so a routine renewal will skip it; with certbot you need a forced renewal (certbot renew --force-renewal) and then a reload of your web server so it picks up the new certificate.
  • If your website is hosted by a hosting company or another service provider, contact them and ask them to renew your Let’s Encrypt SSL certificate.
