Let’s Encrypt to revoke 3 million certificates on March 4 due to software bug
On Wednesday, March 4 (2020), the Let’s Encrypt project plans to revoke more than 3 million TLS certificates after discovering a bug in its backend code. The bug affected Boulder, the certificate authority software Let’s Encrypt runs to validate control of domain names before it issues a certificate. Specifically, the flaw was in Boulder’s implementation of Certification Authority Authorization (CAA) checking, the DNS-based mechanism (RFC 8659) by which a domain owner declares which CAs are allowed to issue certificates for that domain.
As a publicly trusted Certificate Authority, Let’s Encrypt must honor CAA records under the CA/Browser Forum Baseline Requirements. These are industry rules enforced by the browser root programs rather than law, and a CA that violates them risks having its certificates distrusted. In a post made on Saturday (February 29), Let’s Encrypt disclosed that the bug caused Boulder to skip required CAA rechecks: when a certificate request contained several domain names that needed a CAA recheck, Boulder checked one of those names repeatedly instead of checking each one. Although the bug was patched the same day, the organization plans to revoke every currently valid certificate affected by it, because some of those certificates may have been issued for domains whose CAA records forbade issuance by Let’s Encrypt.
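To make the check concrete, here is an added example (not Boulder’s code and not part of the original article) of how a CA evaluates CAA for every name in a multi-name certificate order, following the RFC 8659 lookup rules, beside a deliberately simplified routine that reproduces the reported symptom of checking one name repeatedly. It also shows the age test that decides whether a reused domain validation needs a CAA recheck before issuance, which is the path the bug sat in. The zone data, the placeholder issuer domain other-ca.example and all function names are constructed for illustration; letsencrypt.org is the issuer domain Let’s Encrypt honors in CAA records.

```python
"""CAA evaluation for a multi-name certificate order (RFC 8659 lookup rules).

Added example; this is not Boulder's code. All DNS data below is constructed.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

CaaRecord = Tuple[int, str, str]      # (flags, tag, value)
Zone = Dict[str, List[CaaRecord]]     # owner name -> CAA RRset

# Constructed sample zone data (assumption, not real DNS). other-ca.example is
# a placeholder issuer domain; letsencrypt.org is the one Let's Encrypt honors.
SAMPLE_ZONE: Zone = {
    "example.com": [(0, "issue", "letsencrypt.org")],
    "blocked.example.net": [(0, "issue", "other-ca.example")],
    "wild.example.org": [(0, "issue", "letsencrypt.org"), (0, "issuewild", ";")],
}
CA_DOMAIN = "letsencrypt.org"
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128  # flags bit: an unknown critical tag forbids issuance


def relevant_rrset(zone: Zone, name: str) -> List[CaaRecord]:
    """Climb from name toward the root; the first non-empty CAA RRset is relevant."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []


def ca_permitted(rrset: List[CaaRecord], ca_domain: str, wildcard: bool) -> bool:
    """True if ca_domain may issue. An empty RRset permits any CA; a record whose
    value is ";" names no issuer and forbids issuance; an unknown tag with the
    critical flag set forbids issuance; issuewild governs wildcard names when present."""
    if not rrset:
        return True
    records = [(flags, tag.lower(), value) for flags, tag, value in rrset]
    if any(flags & CRITICAL and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    wanted = "issue"
    if wildcard and any(tag == "issuewild" for _, tag, _ in records):
        wanted = "issuewild"
    for _, tag, value in records:
        if tag == wanted:
            issuer = value.split(";", 1)[0].strip().lower()
            if issuer == ca_domain.lower():
                return True
    return False


def check_name(zone: Zone, name: str, ca_domain: str) -> bool:
    """CAA decision for one requested name; for *.X the lookup starts at X."""
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name
    return ca_permitted(relevant_rrset(zone, base), ca_domain, wildcard)


def check_request(zone: Zone, names: List[str], ca_domain: str) -> List[str]:
    """Correct behaviour: every name in the order is checked. Returns the names
    whose CAA records forbid ca_domain; issuance may proceed only if this is empty."""
    return [n for n in names if not check_name(zone, n, ca_domain)]


def check_request_one_name_repeated(zone: Zone, names: List[str], ca_domain: str) -> List[str]:
    """Simplified illustration (assumption, not Boulder's code) of the symptom
    Let's Encrypt reported: with N names to recheck, one name is checked N times,
    so a forbidding record on any other name is never consulted."""
    failures = []
    for _ in names:
        if not check_name(zone, names[0], ca_domain):
            failures.append(names[0])
    return failures


def needs_caa_recheck(validated_at_iso: str, now_iso: str, max_age_hours: int = 8) -> bool:
    """Let's Encrypt reuses a domain validation for up to 30 days but rechecks CAA
    before issuance when the validation is more than 8 hours old (the Baseline
    Requirements window). Timestamps are ISO 8601 strings with a UTC offset."""
    validated_at = datetime.fromisoformat(validated_at_iso)
    now = datetime.fromisoformat(now_iso)
    return now - validated_at > timedelta(hours=max_age_hours)


if __name__ == "__main__":
    order = ["example.com", "sub.example.com", "blocked.example.net"]
    print("per-name check forbids:", check_request(SAMPLE_ZONE, order, CA_DOMAIN))
    print("one-name-repeated check forbids:",
          check_request_one_name_repeated(SAMPLE_ZONE, order, CA_DOMAIN))
```

Run as-is, the per-name check reports blocked.example.net and issuance must stop, while the one-name-repeated routine reports nothing because it only ever consults the CAA records for example.com. That difference is exactly why certificates issued through the faulty path cannot be trusted to have respected every domain owner’s CAA policy and have to be revoked.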