Only about a month ago we reported on a large certificate recall organised by Sectigo: it would revoke about 6,000 certificates, mostly belonging to Dutch companies, on six days' notice.
Let's Encrypt has just responded with "hold my beer", announcing that it would revoke 3 million certificates on only five days' notice.
On the last day of February, a bug was found and fixed that could have caused certificates to be issued while one of the verifications was out of date. Before a certificate is issued, you must prove that you control the domain name or the web hosting. That check was always carried out correctly. But a second check verifies whether a so-called CAA record is set on the domain name; if one is, only the certificate authorities listed in that record may issue a certificate for it. Let's Encrypt does not redo the whole validation for every single certificate: a successful domain validation is reused for up to 30 days, and the rules require the CAA record to be checked again if that validation is more than 8 hours old. The bug meant this recheck did not always happen for every name in a certificate.
Because this was not fully compliant with the rules of the CA/B Forum (the organisation that sets the very strict rules for certificate authorities), Let's Encrypt announced that every certificate whose CAA record had been verified more than 8 hours before issuance would be revoked. About 2.6% of all certificates issued by Let's Encrypt were affected. That is about 3 million certificates, to be revoked within only five days of the announcement.
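To make the two checks concrete, here is an added example (not Let's Encrypt's Boulder code) of how a CA evaluates CAA records as specified in RFC 8659, and of the rule that a stored CAA result may be reused only while it is at most 8 hours old. The DNS data is a constructed in-memory table, and the domain names and CA identifier (example.com, letsencrypt.org, and so on) are assumptions for the demonstration.

```python
"""Added example: RFC 8659 CAA evaluation against a constructed DNS table,
plus the 8-hour CAA recheck rule. Not Let's Encrypt / Boulder code."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed zone data (assumption for the demo): DNS name -> list of
# (flags, tag, value). An empty list means the name has no CAA records;
# names missing from the table are treated the same way.
CAA_TABLE = {
    "example.com.":        [(0, "issue", "letsencrypt.org"), (0, "issuewild", ";")],
    "strict.example.com.": [(128, "futuretag", "x"), (0, "issue", "letsencrypt.org")],
    "locked.example.net.": [(0, "issue", ";")],   # ";" alone: nobody may issue
    "open.example.org.":   [],                    # no CAA anywhere in the tree
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128  # RFC 8659 s4.1.1 issuer-critical flag


def lookup_caa(name):
    """CAA RRset for exactly this name (stand-in for a DNS query)."""
    return CAA_TABLE.get(name, [])


def relevant_caa_set(domain):
    """RFC 8659 s3: climb from the domain towards the root; the first name
    with a non-empty CAA RRset is the relevant RRset for this domain."""
    labels = domain.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = lookup_caa(".".join(labels[i:]) + ".")
        if rrset:
            return rrset
    return []


def ca_may_issue(domain, ca_identifier, wildcard=False):
    """Decide whether the CA named by ca_identifier may issue for domain."""
    rrset = [(f, t.lower(), v) for (f, t, v) in relevant_caa_set(domain)]
    if not rrset:
        return True  # no CAA records at any level: any CA may issue
    # A critical record whose tag we do not understand forbids issuance.
    if any(f & CRITICAL and t not in KNOWN_TAGS for (f, t, _v) in rrset):
        return False
    tag = "issuewild" if wildcard else "issue"
    values = [v for (_f, t, v) in rrset if t == tag]
    if wildcard and not values:
        values = [v for (_f, t, v) in rrset if t == "issue"]  # s4.3 fallback
    if not values:
        return True  # e.g. only iodef records present
    # The issuer domain is the part of the value before any ";" parameters.
    return any(v.split(";")[0].strip().lower() == ca_identifier for v in values)


# ---- The 8-hour reuse rule --------------------------------------------------

MAX_CAA_AGE = timedelta(hours=8)


@dataclass
class CachedCaaResult:
    domain: str
    checked_at: datetime
    permitted: bool


def authorize_issuance(domain, ca_identifier, cached, now, wildcard=False):
    """Reuse a stored CAA result only while it is at most 8 hours old;
    otherwise perform the CAA lookup again. Returns (permitted, source)."""
    if (cached is not None and cached.domain == domain
            and now - cached.checked_at <= MAX_CAA_AGE):
        return cached.permitted, "cached"
    return ca_may_issue(domain, ca_identifier, wildcard), "rechecked"


def authorize_order(names, ca_identifier, cache, now):
    """Run the check once for every name in a multi-name certificate order;
    issuance is allowed only if every name passes."""
    results = {}
    for name in names:
        results[name] = authorize_issuance(name, ca_identifier, cache.get(name), now)
    return all(p for p, _ in results.values()), results


def example_run():
    """Fixed-timestamp demo: a 9-hour-old cache entry is rechecked, a
    1-hour-old entry is reused as-is."""
    now = datetime(2020, 3, 3, tzinfo=timezone.utc)
    cache = {
        "www.example.com": CachedCaaResult("www.example.com", now - timedelta(hours=9), True),
        "locked.example.net": CachedCaaResult("locked.example.net", now - timedelta(hours=1), False),
    }
    return authorize_order(["www.example.com", "locked.example.net"], "letsencrypt.org", cache, now)


if __name__ == "__main__":
    print(example_run())
```

Note that the decision depends on which name in the tree holds the relevant RRset: a CAA record on example.com governs www.example.com, and an `issuewild` record of ";" blocks wildcard issuance even though the `issue` record names the CA. The per-order loop at the end is where the 8-hour rule has to hold for every name, not just one.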
All users had very little time to act and request a new certificate. At the deadline only about half of them had had their certificate re-issued. At the last minute Let's Encrypt decided that revocation wasn't so urgent after all and revoked only the certificates for which a replacement had already been requested.
With both Sectigo and Let's Encrypt, a fairly small bug was the cause of the revocations, and the chance of actual harm was very small. It's hard not to suspect that Let's Encrypt had the flexibility to miss the initial deadline because the two most influential members of the CA/B Forum (Mozilla/Firefox and Google/Chrome) are also among the biggest sponsors of Let's Encrypt.