
Alert: Let's Encrypt to revoke about 2 million HTTPS certificates in two days
2022-01-26 21:26

Let's Encrypt, a non-profit organization that helps people obtain free SSL/TLS certificates for websites, plans to revoke a non-trivial number of its certs on Friday because they were improperly issued.

In a post to the Let's Encrypt discussion community forum, site reliability engineer Jillian Tessa explained that on Tuesday, a third party reported "Two irregularities" in the code implementing the "TLS Using ALPN" validation method (TLS-ALPN-01) in Boulder, the organisation's ACME (Automatic Certificate Management Environment) certificate authority software.

"In compliance with the Let's Encrypt CP, we have 5 days to revoke and will begin to revoke certificates at 1600 UTC on 28 January 2022."

Let's Encrypt estimates that less than one per cent of active certificates are affected; this is still a large number - about two million, according to a spokesperson - given that there are currently about 221 million active Let's Encrypt-issued certificates.

"The update to the TLS-ALPN-01 challenge type was made to be in compliance with the Baseline Requirements, which requires use of TLS 1.2 or higher," a spokesperson for Let's Encrypt told The Register in an email.

Under the revised software, a TLS-ALPN-01 validation attempt fails if the server negotiates TLS 1.1 or presents the challenge's acmeIdentifier extension under the discontinued (pre-RFC draft) OID rather than the final one. Certificates that were validated via TLS-ALPN-01 under the old, more permissive code therefore do not comply with Let's Encrypt policy and must be revoked and reissued; affected subscribers need to renew before the revocation begins.
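As an added illustration (this is not Boulder's code and not from the Let's Encrypt post), the following Go program shows the two CA-side checks the fix tightened. It builds the self-signed certificate a server presents for TLS-ALPN-01 (one dNSName SAN plus a critical acmeIdentifier extension carrying SHA-256 of the key authorization), then validates a handshake result: the fixed path refuses anything below TLS 1.2 and accepts only the extension under the RFC 8737 OID 1.3.6.1.5.5.7.1.31, while an `acceptLegacy` switch reproduces the permissive pre-fix behaviour (a TLS 1.1 handshake and the earlier draft OID 1.3.6.1.5.5.7.1.30.1). The identifier `example.com` and the key authorization string are constructed values, and the `tls.ConnectionState` is assembled by hand rather than from a live handshake, so the example runs offline; function names such as `validateTLSALPN01` and `runScenario` are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

const acmeALPNProto = "acme-tls/1" // ALPN protocol the validation server must negotiate (RFC 8737)

var (
	oidACMEIdentifier      = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31}    // id-pe-acmeIdentifier, RFC 8737 section 6.1
	oidACMEIdentifierDraft = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 30, 1} // provisional pre-RFC draft OID, no longer accepted
)

// keyAuthDigest returns the extension value: the DER OCTET STRING of SHA-256(key authorization).
func keyAuthDigest(keyAuth string) []byte {
	sum := sha256.Sum256([]byte(keyAuth))
	der, _ := asn1.Marshal(sum[:]) // marshalling a byte slice as OCTET STRING cannot fail
	return der
}

// buildValidationCert builds the self-signed certificate a server presents for TLS-ALPN-01:
// one dNSName SAN equal to the identifier plus a critical acmeIdentifier extension under oid.
func buildValidationCert(identifier, keyAuth string, oid asn1.ObjectIdentifier) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		DNSNames:        []string{identifier},
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: oid, Critical: true, Value: keyAuthDigest(keyAuth)}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // the unknown critical extension is tolerated by Parse; only Verify rejects it
}

// validateTLSALPN01 applies the CA-side checks to a finished handshake. acceptLegacy=false is the
// fixed behaviour (TLS 1.2+, RFC OID only); acceptLegacy=true reproduces the two reported permissive paths.
func validateTLSALPN01(cs tls.ConnectionState, identifier, keyAuth string, acceptLegacy bool) error {
	minVersion := uint16(tls.VersionTLS12)
	if acceptLegacy {
		minVersion = tls.VersionTLS11 // the pre-fix validator still completed TLS 1.1 handshakes
	}
	if cs.Version < minVersion {
		return fmt.Errorf("negotiated TLS version 0x%04x is below the required 0x%04x", cs.Version, minVersion)
	}
	if cs.NegotiatedProtocol != acmeALPNProto {
		return fmt.Errorf("ALPN %q negotiated, want %q", cs.NegotiatedProtocol, acmeALPNProto)
	}
	if len(cs.PeerCertificates) != 1 {
		return fmt.Errorf("server sent %d certificates, want exactly 1", len(cs.PeerCertificates))
	}
	cert := cs.PeerCertificates[0]
	if len(cert.DNSNames) != 1 || cert.DNSNames[0] != identifier {
		return fmt.Errorf("SAN %v does not match identifier %q", cert.DNSNames, identifier)
	}
	for _, ext := range cert.Extensions {
		okOID := ext.Id.Equal(oidACMEIdentifier) || (acceptLegacy && ext.Id.Equal(oidACMEIdentifierDraft))
		if !okOID || !ext.Critical { // must be under an accepted OID and marked critical
			continue
		}
		if string(ext.Value) != string(keyAuthDigest(keyAuth)) {
			return fmt.Errorf("acmeIdentifier digest does not match the key authorization")
		}
		return nil
	}
	return fmt.Errorf("no critical acmeIdentifier extension under an accepted OID (acceptLegacy=%v)", acceptLegacy)
}

// runScenario builds a certificate for constructed values, wraps it in a synthetic ConnectionState
// (no real handshake takes place) and runs the validator over it.
func runScenario(oid asn1.ObjectIdentifier, version uint16, alpn string, acceptLegacy bool) error {
	const identifier, keyAuth = "example.com", "token.accountThumbprint" // constructed, not real values
	cert, err := buildValidationCert(identifier, keyAuth, oid)
	if err != nil {
		return err
	}
	cs := tls.ConnectionState{Version: version, NegotiatedProtocol: alpn, PeerCertificates: []*x509.Certificate{cert}}
	return validateTLSALPN01(cs, identifier, keyAuth, acceptLegacy)
}

func main() {
	fmt.Println("fixed validator, draft OID:", runScenario(oidACMEIdentifierDraft, tls.VersionTLS12, acmeALPNProto, false))
	fmt.Println("fixed validator, TLS 1.1:  ", runScenario(oidACMEIdentifier, tls.VersionTLS11, acmeALPNProto, false))
}
```

In a real validator the `ConnectionState` would come from `conn.ConnectionState()` after dialling the server with a `tls.Config` that sets `NextProtos` to `acme-tls/1`, `MinVersion` to `tls.VersionTLS12` and `InsecureSkipVerify` (the challenge certificate is self-signed and is checked by content, not by chain). The point the example makes is that both reported irregularities live entirely in the CA's acceptance criteria: a subscriber's server that negotiated TLS 1.1 or used the draft OID was never proven non-compliant by the handshake itself, which is why the remedy is to revoke and reissue rather than to patch anything on the subscriber side beyond renewing.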


News URL

https://go.theregister.com/feed/www.theregister.com/2022/01/26/lets_encrypt_certificates/