
Bug Forces Let's Encrypt to Revoke 3 Million Certificates
2020-03-04 13:15

Free and open certificate authority Let's Encrypt is revoking over 3 million currently-valid certificates after discovering a bug in its Certification Authority Authorization (CAA) checking code.

Boulder, Let's Encrypt's CA software, checks CAA records at the same time it validates a subscriber's control of a domain name, and a successful validation is reused for up to 30 days. Because a CAA check may only be relied on for 8 hours before issuance, any name validated more than 8 hours earlier must be rechecked just before the certificate is issued. The bug was in that recheck: when a certificate request contained N domain names that needed rechecking, Boulder picked one of them and checked it N times, leaving the others unchecked. As a result, a subscriber who validated a domain name at some time X could issue certificates containing that name until X + 30 days without a fresh CAA check, and the certificate would be issued even if someone had since installed CAA records for that name to prohibit issuance by Let's Encrypt.
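
The following is an added example, not Let's Encrypt's Boulder code. It implements the CAA evaluation a CA is expected to perform (RFC 8659: climb from the name toward the root to find the relevant RRset, honour issue/issuewild, refuse on an unknown critical tag) over a constructed in-memory zone, then shows the recheck loop in two forms: a model of the defect class described above, where one name is checked N times, and the corrected loop that checks every name. The zone data, the timestamps and the function names are all assumptions made for the example; the buggy loop reproduces the effect, not Boulder's actual implementation.

```python
"""Added example (not Let's Encrypt's Boulder code): RFC 8659 CAA evaluation over a
constructed in-memory zone, plus a model of the CAA recheck defect (one name
checked N times) beside the corrected loop."""
from datetime import datetime, timedelta, timezone

# Constructed zone data, not real DNS: name -> list of (flags, tag, value).
ZONE = {
    "example.com": [(0, "issue", "digicert.com")],            # only DigiCert may issue
    "api.example.com": [(0, "issue", "letsencrypt.org")],     # closer record wins over the parent
    "wild.example.org": [(0, "issue", ";"),                   # no CA may issue for the bare name
                         (0, "issuewild", "letsencrypt.org")],  # ...but LE may issue wildcards
    "crit.example.net": [(128, "future-tag", "x")],           # critical flag on an unknown tag
}

# A CAA result may be relied on for at most 8 hours before issuance; a domain
# validation itself is reused for up to 30 days, hence the need for a recheck.
CAA_RECHECK_WINDOW = timedelta(hours=8)


def relevant_caa(name, zone):
    """RFC 8659 section 3: for a wildcard name drop the '*' label, then climb
    toward the root and return the first non-empty CAA RRset (or [])."""
    labels = name.lower().split(".")
    if labels[0] == "*":
        labels = labels[1:]
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []


def caa_permits(name, ca_domain, zone):
    """Return True if CAA allows ca_domain to issue for name.
    Rules applied: no CAA anywhere -> permitted; an unknown tag with the
    critical flag (128) set -> refuse; wildcard names use issuewild when
    present, otherwise issue; an issuer value of ';' forbids every CA."""
    rrset = relevant_caa(name, zone)
    if not rrset:
        return True
    if any(flags & 128 and tag not in ("issue", "issuewild", "iodef")
           for flags, tag, _ in rrset):
        return False
    tag = "issue"
    if name.startswith("*.") and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"
    values = [v for _, t, v in rrset if t == tag]
    if not values:  # e.g. only an iodef record: issuance is not restricted
        return True
    # The issuer domain is the part before any ';'-separated parameters.
    return any(v.split(";", 1)[0].strip().lower() == ca_domain.lower() for v in values)


def names_needing_recheck(authzs, now):
    """authzs: {name: validated_at}. Names validated more than 8 hours before
    issuance need a fresh CAA check."""
    return [n for n, t in authzs.items() if now - t > CAA_RECHECK_WINDOW]


def recheck_buggy(names, ca_domain, zone):
    """Model of the defect class in the announcement: with N names to recheck,
    the same name is checked N times and the rest are never looked at.
    (Reproduces the effect only; this is not Boulder's actual loop.)"""
    checked = [(names[0], caa_permits(names[0], ca_domain, zone)) for _ in names]
    return all(ok for _, ok in checked), checked


def recheck_fixed(names, ca_domain, zone):
    """Corrected recheck: every name is evaluated and any refusal blocks issuance."""
    checked = [(n, caa_permits(n, ca_domain, zone)) for n in names]
    return all(ok for _, ok in checked), checked


def demo(now=datetime(2020, 3, 4, 20, 0, tzinfo=timezone.utc)):
    """Constructed scenario: both names were validated 10 days ago, when
    example.com still allowed Let's Encrypt; the owner has since published
    'issue digicert.com'. Returns (buggy_would_issue, fixed_would_issue)."""
    authzs = {"api.example.com": now - timedelta(days=10),
              "example.com": now - timedelta(days=10)}
    names = names_needing_recheck(authzs, now)
    buggy_ok, _ = recheck_buggy(names, "letsencrypt.org", ZONE)
    fixed_ok, _ = recheck_fixed(names, "letsencrypt.org", ZONE)
    return buggy_ok, fixed_ok


if __name__ == "__main__":
    buggy, fixed = demo()
    print(f"buggy recheck would issue: {buggy}; corrected recheck would issue: {fixed}")
```

In the scenario `demo()` builds, the buggy loop rechecks `api.example.com` twice, never sees the new `issue digicert.com` record on `example.com`, and would issue; the corrected loop refuses. The same `caa_permits` routine is what a subscriber can reason with when deciding which CAA records to publish: a record on a subdomain overrides its parent, `issuewild` governs only wildcard names, and `issue ";"` blocks every CA for the name it sits on.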

3,048,289 currently-valid certificates were found to be affected, about 2.6% of the roughly 116 million active Let's Encrypt certificates; about 1 million of them are duplicates of other affected certificates, that is, certificates covering the same set of names.

"Because of the way this bug operated, the most commonly affected certificates were those that are reissued very frequently, which is why so many affected certificates are duplicates," Let's Encrypt explains.

The CA will begin revocation of the affected certificates on March 4, at 20:00 UTC, and aims to complete the process by March 5, 03:00 UTC. Let's Encrypt says it is informing affected subscribers of the issue via email, where contact information is available.


News URL

http://feedproxy.google.com/~r/Securityweek/~3/x_ka9PPZQ_g/bug-forces-lets-encrypt-revoke-3-million-certificates