Starting with 20:00 UTC (3:00pm US EST), today (March 4), the non-profit certificate authority Let’s Encrypt will begin it’s effort to revoke a little over 3 million TLS/SSL certificates that it issued while a bug affected its CA software.
Preliminary investigation suggests the bug was introduced on July 25, 2019, but a more detailed investigation is under way – though, for now, it seems that “it’s not likely that there was any significant mis-issuance as a result of this incident.”
Nevertheless, affected certificate owners have been urged to renew and replace their certificate(s) so that their sites don’t end up showing this type of alert to visitors:
About the CAA rechecking bug
As explained by Let’s Encrypt engineer (and Senior Staff Technologist at EFF) Jacob Hoffman-Andrews, the software in question – named Boulder – checks for CAA records at the same time it validates a subscriber’s control of a domain name.
“Most subscribers issue a certificate immediately after domain control validation, but we consider a validation good for 30 days. That means in some cases we need to check CAA records a second time, just before issuance. Specifically, we have to check CAA within 8 hours prior to issuance (…), so any domain name that was validated more than 8 hours ago requires rechecking,” he noted.
“The bug: when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let’s Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let’s Encrypt.”
Of the 3 million+ certificates affected, about 1 million are duplicates of other affected certificates (i.e., they cover the same set of domain names).
Are you affected?
Let’s Encrypt, which is run by Internet Security Research Group (ISRG), has been emailing affected subscribers for whom they have contact information, but many might still not be aware of the situation. If they don’t manage to get a new, valid certificate in place before the revocation, visitors might end up losing trust in the safety of their websites.
The CA has provided a tool for checking whether one is using an affected certificate and additional instructions.
Security researcher Scott Helme has made available a list of affected domains.
UPDATE (March 6, 2020, 1:10 a.m. PT):
Josh Aas, the Executive Director of ISRG, the entity behind Let’s Encrypt, has announced that they have already replaced more than 1.7 million affected certificates, but that the replacement of the rest will go more slowly.
“Rather than potentially break so many sites and cause concern for their visitors, we have determined that it is in the best interest of the health of the Internet for us to not revoke those certificates by the deadline [mandated by industry rules],” he noted.
“Let’s Encrypt only offers certificates with 90 day lifetimes, so potentially affected certificates that we may not revoke will leave the ecosystem relatively quickly.”