Let’s Encrypt, the non-profit certificate authority, recently found a bug in its Boulder CA software that is causing over three million TLS certificates to be revoked. The bug meant that Certification Authority Authorization (CAA) records were not being rechecked correctly before issuance. It is believed to have happened because, for a multi-domain certificate, one domain was checked multiple times instead of every domain on the certificate being checked once. The number of certificates being revoked is about 2.6 percent of the 116 million active certificates. Let’s Encrypt has emailed those who need to renew their certificates.
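The failure mode described above, reduced to a small Go model, as an added example that is not Boulder's code: a CAA recheck over the names on a certificate, once with the loop defect (every iteration checks the first name) and once iterating each name exactly once. The CAA records, domain names, the CA identifier and the precise way the loop goes wrong are constructed assumptions for illustration; the real lookup would be a DNS query.

```go
package main

import "fmt"

// ourCA is the issuer tag we check CAA records against (assumed value).
const ourCA = "letsencrypt.org"

// caaRecords is a constructed, in-memory stand-in for DNS CAA lookups.
// Key: domain name; value: the CAs the domain's CAA "issue" records allow.
// A missing entry models "no CAA record", which permits any CA to issue.
var caaRecords = map[string][]string{
	"example.com":      {"letsencrypt.org"},
	"www.example.com":  {"letsencrypt.org"},
	"mail.example.com": {"other-ca.example"}, // CAA now excludes ourCA
}

// caaPermits reports whether the CAA policy for name allows ourCA to issue.
func caaPermits(name string) bool {
	issuers, ok := caaRecords[name]
	if !ok || len(issuers) == 0 {
		return true // no CAA record: no restriction
	}
	for _, issuer := range issuers {
		if issuer == ourCA {
			return true
		}
	}
	return false
}

// recheckBuggy models the defect: it performs len(names) checks, but each
// check is run against names[0], so any other name's CAA policy is never seen.
func recheckBuggy(names []string) (failed []string) {
	for range names {
		if !caaPermits(names[0]) {
			failed = append(failed, names[0])
		}
	}
	return failed
}

// recheckFixed checks every name on the certificate exactly once and
// returns the names whose CAA policy forbids issuance by ourCA.
func recheckFixed(names []string) (failed []string) {
	for _, name := range names {
		if !caaPermits(name) {
			failed = append(failed, name)
		}
	}
	return failed
}

func main() {
	// Names on one multi-domain certificate (constructed sample).
	names := []string{"example.com", "www.example.com", "mail.example.com"}
	fmt.Println("buggy recheck failures:", recheckBuggy(names)) // []
	fmt.Println("fixed recheck failures:", recheckFixed(names)) // [mail.example.com]
}
```

The buggy variant reports no failures even though mail.example.com's CAA record excludes the CA, which is exactly the condition that makes an issued certificate mis-issued and subject to revocation; the fixed variant surfaces it.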
Users can visit https://checkhost.unboundtest.com/ to check whether their domain is affected by the bug. If it is, they will see a message like the following: “The certificate currently available on [hostname] needs renewal because it is affected by the Let’s Encrypt CAA rechecking problem. Its serial number is [serial number]. See your ACME client documentation for instructions on how to renew a certificate.” A help document for users having trouble renewing can be found at https://community.letsencrypt.org/t/renewal-redirect-help/114963/6.