Let's Encrypt reverses threat to revoke digital certificates affected by bug following renewal frenzy

Let's Encrypt claims that 1.7 million affected digital certificates have been renewed since Saturday

Let's Encrypt, the non-profit group that provides digital certificates to secure millions of websites, has withdrawn its threat to revoke three million certificates affected by a bug in its code following a renewal frenzy.

Some 1.7 million certificates have been renewed since the warning over the weekend, leaving just over a million more to be renewed. The organisation therefore decided to reverse its threat to revoke the certificates. Revocation would have meant that visitors to affected websites would receive security warnings or could even be blocked by their web browsers.

However, Josh Aas, executive director at the Internet Security Research Group (ISRG), which runs Let's Encrypt, announced a reversal overnight to give websites more time to renew their certificates.

In a posting to the Let's Encrypt community forums, he said that the drastic plan had been largely successful in pushing users to renew their certificates.

"After learning about and remediating a bug in our Certificate Authority Authorization (CAA) checking code… we announced that we would be revoking approximately 2.6 per cent of our active certificates that were potentially affected by the bug, totalling approximately three million certificates.

"We announced the plan to revoke because even though the vast majority of the certificates in question do not pose a security risk, industry rules require that we revoke certificates not issued in full compliance with specific standards. These rules exist for good reasons. We work hard to comply with them and have an excellent track record for doing so.

"Since that announcement we have worked with subscribers around the world to replace affected certificates as quickly as possible. More than 1.7 million affected certificates have been replaced in less than 48 hours. We'd like to thank everyone who helped with the effort. Our focus on automation has allowed us, and our subscribers, to make great progress in a short amount of time. We've also learned a lot about how we can do even better in the future.

"Unfortunately, we believe it's likely that more than one million certificates will not be replaced before the compliance deadline for revocation... Rather than potentially break so many sites and cause concern for their visitors, we have determined that it is in the best interest of the health of the internet for us to not revoke those certificates by the deadline."

Let's Encrypt only offers certificates with 90 day lifetimes, he concluded, so the remaining affected digital certificates should be shaken out of the system within a couple of months.

As Computing reported earlier this week, the bug was caused by an error in the way the Go code of the software 'iterated over' the domain names. As a result, when the software iterated over, for example, 10 domain names for CAA rechecking, it would verify one domain name 10 times instead of checking each domain once.
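The loop-variable pitfall described above, as an added illustration (this is not Boulder's or Let's Encrypt's code; the domain names and the `collectTargets*`, `recheckCAA` and `coverage` functions are constructed for the example). The buggy collector stores a pointer to one variable that is reused on every iteration, so when the deferred recheck dereferences the pointers they all name the last domain; the fixed collector takes the address of each slice element instead. Before Go 1.22 a plain `for _, d := range domains { targets = append(targets, &d) }` behaved like the buggy version; the hoisted variable reproduces those semantics on any Go version.

```go
package main

import "fmt"

// collectTargetsBuggy mirrors the classic Go pitfall: every iteration stores
// a pointer to the *same* variable, so once the loop finishes all pointers
// refer to the last domain. (Hypothetical code for illustration.)
func collectTargetsBuggy(domains []string) []*string {
	var targets []*string
	var d string // one variable shared across all iterations
	for i := range domains {
		d = domains[i]
		targets = append(targets, &d)
	}
	return targets
}

// collectTargetsFixed takes the address of each slice element, so every
// stored pointer names a distinct domain.
func collectTargetsFixed(domains []string) []*string {
	var targets []*string
	for i := range domains {
		targets = append(targets, &domains[i])
	}
	return targets
}

// recheckCAA simulates the deferred CAA recheck: it dereferences each stored
// pointer and returns the list of domains that were actually validated.
func recheckCAA(targets []*string) []string {
	checked := make([]string, 0, len(targets))
	for _, t := range targets {
		checked = append(checked, *t)
	}
	return checked
}

// coverage reports how many distinct domains a recheck run really covered;
// a correct run covers every name on the order.
func coverage(checked []string) int {
	seen := make(map[string]bool)
	for _, d := range checked {
		seen[d] = true
	}
	return len(seen)
}

func main() {
	// Constructed sample input: three names on a single certificate order.
	domains := []string{"a.example", "b.example", "c.example"}
	buggy := recheckCAA(collectTargetsBuggy(domains))
	fixed := recheckCAA(collectTargetsFixed(domains))
	fmt.Printf("buggy: %v (covers %d of %d)\n", buggy, coverage(buggy), len(domains))
	fmt.Printf("fixed: %v (covers %d of %d)\n", fixed, coverage(fixed), len(domains))
}
```

The `coverage` check is the kind of invariant worth asserting in a test suite for any batch validation step: the number of distinct items validated must equal the number of items submitted, which would have flagged this class of bug before it reached production.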

The bug was discovered on Saturday, 29th February 2020 and a fix for it was deployed the same day. Of the three million affected certificates, about one million are duplicates for the same domain/subdomain, meaning that around two million certificates were affected by the bug.