Let’s Encrypt have announced that, due to a bug in their CA software – Boulder – they will be revoking over 3 million issued SSL certificates by 2020-03-05 03:00 UTC.
The bug manifests itself when validating a certificate request that covers N domains. Instead of verifying each of the N domains once, Boulder would verify a single domain N times, leaving the other N-1 domains unchecked. This is clearly severe, as it would mean that anyone could issue valid SSL certificates for any hostname such as google.com, bankofamerica.com, etc.
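The "one domain checked N times" failure mode described above, reproduced as an added illustration in Python; this is not Boulder's code. It models a per-domain policy check of the kind Let's Encrypt re-runs before issuance (in their case a CAA recheck) with a constructed CAA table, and shows how a closure that captures the loop variable late checks the last name N times and lets a domain that should have been refused slip through.

```python
"""Illustration of the N-checks-on-one-name loop bug. Not Boulder's code."""
from collections import Counter

# Constructed CAA policy: which CA each domain permits (stand-in for DNS CAA lookups).
CAA_RECORDS = {
    "www.example.org": "letsencrypt.org",
    "mail.example.org": "other-ca.example",   # this name must be refused
    "example.org": "letsencrypt.org",
}
OUR_CA = "letsencrypt.org"


def caa_allows(name: str) -> bool:
    """Stand-in for a CAA lookup: True if the domain permits OUR_CA to issue."""
    return CAA_RECORDS.get(name) == OUR_CA


def schedule_buggy(names):
    """Queue one deferred check per name. Each closure refers to the loop
    variable itself, so when the queue is drained after the loop has finished,
    every closure sees the last name: one domain is checked N times."""
    pending = []
    for name in names:
        pending.append(lambda: (name, caa_allows(name)))
    return pending


def schedule_fixed(names):
    """Same queue, but each closure binds the name it was created for at
    definition time (default argument), so every domain is checked exactly once."""
    pending = []
    for name in names:
        pending.append(lambda n=name: (n, caa_allows(n)))
    return pending


def run_checks(pending):
    """Drain the queue. Returns (all_passed, how many times each name was checked)."""
    checked = Counter()
    all_passed = True
    for check in pending:
        name, ok = check()
        checked[name] += 1
        all_passed = all_passed and ok
    return all_passed, checked


NAMES = ["www.example.org", "mail.example.org", "example.org"]  # constructed request

if __name__ == "__main__":
    print("buggy:", run_checks(schedule_buggy(NAMES)))  # passes: mail.example.org never checked
    print("fixed:", run_checks(schedule_fixed(NAMES)))  # refused: mail.example.org fails CAA
```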
What is Let’s Encrypt?
Let’s Encrypt is a game changer for SSL certificate delivery. Formed in 2014, it issues relatively short-lived SSL certificates automatically and free of charge. By automating the validation of the CSR, Let’s Encrypt allows developers to roll out TLS certificates without needing to spend hundreds of dollars with a traditional CA.
What should I do if I’m affected?
If you’re affected you will have received an email from Let’s Encrypt with further instructions. Luckily, as Let’s Encrypt certificates are only valid for 90 days anyway, you should already have an automated mechanism for replacing your certificates across your infrastructure. You’ll just need to re-run it and watch out for any validations that were succeeding before (because of the bug) but may now fail.
Test an SSL certificate online to check your issuer.