Let’s Encrypt revokes 3 million certificates

Let’s Encrypt announced on March 2 2020 that it will revoke part of its certificates [1]. CAUTION: the certificates will be revoked from March 4 2020 0:00 UTC onwards. The certificates that will be revoked were issued BEFORE February 29 2020 03:10 UTC. According to Let’s Encrypt, about 3 million certificates will be revoked, out of 116 million active certificates in total [2]. The reason for this revocation is a bug found in their CA software [3].

Websites using certificates that will be revoked will show a warning about an invalid certificate, so users will see this warning and may not trust the website. These certificates might also be used in other processes within your organization besides websites. NCSC-NL has observed Dutch domains that use affected Let’s Encrypt certificates; it is likely that a substantial number of Dutch domains are affected.

What to do?

  • Check where in your organization Let’s Encrypt certificates are used.

  • We advise organizations to conduct two checks:

    1: check the file caa-rechecking-incident-affected-serials.txt.gz to see whether certificates of your organization are present in the list. See link [4]

    2: test your domains on https://unboundtest.com/caaproblem.html to check whether the certificates will be revoked [5]

  • Each organization with affected certificates is advised to renew these certificates AS SOON AS POSSIBLE.

  • CAUTION: a certificate renewal has to be FORCED on the affected system (certbot renew --force-renewal) [2]
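As an added example, not part of the NCSC-NL advisory, the following Python helper supports check 1 above: it normalises the serial number printed by `openssl x509 -in cert.pem -noout -serial -dates` (an assumed invocation, not from the advisory) and the serials from the downloaded list, and applies the February 29 2020 03:10 UTC cutoff. It assumes the list holds one hexadecimal serial per line; because both sides are normalised, colons, letter case and leading zeros do not cause false negatives.

```python
"""Check whether a Let's Encrypt certificate falls under the March 4 2020 revocation.

Input: the text printed by `openssl x509 -noout -serial -dates` for one certificate,
plus the affected-serials list. Assumption: the list holds one hex serial per line.
"""
import gzip
import re
from datetime import datetime, timezone

# Cutoff from the advisory: only certificates issued before this moment were affected.
CUTOFF = datetime(2020, 2, 29, 3, 10, tzinfo=timezone.utc)


def normalize_serial(serial: str) -> str:
    """'serial=03:AB:00' / '0x03ab00' / '03ab00' -> '3ab00' (lowercase hex, no colons/zeros)."""
    s = serial.strip().lower().split("=", 1)[-1]   # drop a 'serial=' prefix from openssl output
    s = s[2:] if s.startswith("0x") else s
    s = re.sub(r"[^0-9a-f]", "", s)                # drop colons and stray characters
    return s.lstrip("0") or "0"


def parse_serial_list(lines) -> set:
    """Build a set of normalised serials from an iterable of text lines."""
    return {normalize_serial(line) for line in lines if line.strip()}


def load_affected_serials(path: str) -> set:
    """Read the gzipped list (caa-rechecking-incident-affected-serials.txt.gz)."""
    with gzip.open(path, "rt") as f:
        return parse_serial_list(f)


def parse_not_before(line: str) -> datetime:
    """openssl prints e.g. 'notBefore=Feb 28 12:00:00 2020 GMT'."""
    value = line.split("=", 1)[1].strip()
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def check_certificate(openssl_output: str, affected: set):
    """Return (is_affected, reason) for one certificate."""
    serial = not_before = None
    for line in openssl_output.splitlines():
        if line.startswith("serial="):
            serial = normalize_serial(line)
        elif line.startswith("notBefore="):
            not_before = parse_not_before(line)
    if serial is None or not_before is None:
        raise ValueError("need both 'serial=' and 'notBefore=' lines")
    # notBefore never lies after the issuance time, so a notBefore at or after the
    # cutoff rules the certificate out; before the cutoff, the serial list decides.
    if not_before >= CUTOFF:
        return (False, "issued at or after the cutoff")
    if serial in affected:
        return (True, "serial is on the affected list")
    return (False, "serial is not on the affected list")
```

A certificate reported as affected must be renewed with a forced renewal, as the advisory states; a negative result from this script does not replace check 2.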

[1] https://letsencrypt.org/caaproblem/

[2] https://community.letsencrypt.org/t/revoking-certain-certificates-on-march-4/114864

[3] https://community.letsencrypt.org/t/2020-02-29-caa-rechecking-bug/114591

[4] https://d4twhgtvn0ff5.cloudfront.net/caa-rechecking-incident-affected-serials.txt.gz

[5] https://unboundtest.com/caaproblem.html