Let's Encrypt to revoke three million digital certificates TODAY due to bug in its certificate authority code

Bug was discovered on 29th February. The certificates will be revoked today

The Let's Encrypt project is to revoke more than three million digital certificates today after discovering a bug in its certificate authority code.

Let's Encrypt is run by the Internet Security Research Group (ISRG), a non-profit organisation, with support from various major tech firms, including Facebook, Cisco, and Google. The project issued its billionth certificate just last month.

"We recently discovered a bug in the Let's Encrypt certificate authority code," warned ISRG in an email to clients. "Unfortunately, this means we need to revoke the certificates that were affected by this bug, which includes one or more of your certificates.

"To avoid disruption, you'll need to renew and replace your affected certificate(s) by Wednesday, March 4, 2020. We sincerely apologise for the issue."

Digital certificates underpin encrypted HTTPS connections between browsers and websites. They are issued by certificate authorities, which check that the requester actually controls the domain name and then sign the certificate, so that browsers can verify it is genuine rather than forged.

According to ISRG, the bug sits in Boulder, the certificate authority server software Let's Encrypt wrote and runs, which validates that an applicant controls a web domain before issuing a certificate for it.

As part of that process Boulder checks the domain's Certificate Authority Authorization (CAA) DNS records, which let a domain owner state which CAs are permitted to issue certificates for that domain. Control of the domain itself is proven separately through an ACME challenge; the CAA check confirms that Let's Encrypt is allowed to issue for it. Because that check has to be made shortly before issuance, Boulder rechecks CAA for every domain name in an order when it reuses an earlier validation.

The bug was caused by an error in the way the software's Go code iterated over the domain names: the loop kept a reference to a single loop variable rather than to each domain in turn. As a result, when the software rechecked CAA for, say, 10 domain names in one request, it checked the same domain name 10 times instead of checking each domain once, so the CAA records of the other nine were never consulted and a certificate could be issued for a domain whose owner had since forbidden Let's Encrypt from issuing.
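The iteration error described above, reduced to a small Go model as an added example; this is not Boulder's own code. The `Authorization` type, the function names and the three sample domains are assumptions for illustration. The buggy version is written with the loop variable declared outside the loop, which is exactly how `for _, authz := range authzs { ... &authz }` behaved before Go 1.22 (later Go versions give each iteration a fresh variable, so the explicit form keeps the bug reproducible on any toolchain).

```go
package main

import (
	"fmt"
	"strings"
)

// Authorization models the per-domain record a CA keeps after a validated
// ACME challenge. Only the fields this example needs (assumed shape, not
// Boulder's real struct).
type Authorization struct {
	ID         string
	Identifier string // the domain name
}

// collectRecheckBuggy reproduces the bug class: every stored pointer refers
// to one shared loop variable, so all entries end up naming the last
// authorization in the slice.
func collectRecheckBuggy(authzs []Authorization) []*Authorization {
	var out []*Authorization
	var authz Authorization // shared across iterations, as pre-1.22 range did
	for i := range authzs {
		authz = authzs[i]
		out = append(out, &authz) // BUG: same address every time
	}
	return out
}

// collectRecheckFixed takes the address of the slice element itself, so
// each pointer refers to its own authorization.
func collectRecheckFixed(authzs []Authorization) []*Authorization {
	out := make([]*Authorization, 0, len(authzs))
	for i := range authzs {
		out = append(out, &authzs[i])
	}
	return out
}

// recheckCAA stands in for the CAA DNS lookup; instead of querying DNS it
// returns the domain names that would have been queried, in order.
func recheckCAA(pending []*Authorization) []string {
	checked := make([]string, 0, len(pending))
	for _, a := range pending {
		checked = append(checked, a.Identifier)
	}
	return checked
}

// missedDomains reports which domains a recheck never queried. A non-empty
// result means issuance would proceed without consulting those CAA records.
func missedDomains(authzs []Authorization, checked []string) []string {
	seen := make(map[string]bool, len(checked))
	for _, c := range checked {
		seen[c] = true
	}
	var missed []string
	for _, a := range authzs {
		if !seen[a.Identifier] {
			missed = append(missed, a.Identifier)
		}
	}
	return missed
}

// sampleAuthzs is a constructed order of three domains needing CAA recheck.
func sampleAuthzs() []Authorization {
	return []Authorization{
		{ID: "1", Identifier: "a.example.org"},
		{ID: "2", Identifier: "b.example.org"},
		{ID: "3", Identifier: "c.example.org"},
	}
}

func main() {
	authzs := sampleAuthzs()
	buggy := recheckCAA(collectRecheckBuggy(authzs))
	fixed := recheckCAA(collectRecheckFixed(authzs))
	fmt.Println("buggy checked:", strings.Join(buggy, ", "))
	fmt.Println("buggy missed: ", strings.Join(missedDomains(authzs, buggy), ", "))
	fmt.Println("fixed checked:", strings.Join(fixed, ", "))
}
```

With three domains the buggy path queries `c.example.org` three times and never looks at the CAA records of `a.example.org` or `b.example.org`; the fixed path queries each once. The general lesson is that a CA's pre-issuance checks should be asserted per name, not per loop, and a unit test that feeds several names and compares what was actually queried against what should have been would have caught this.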

The bug was discovered on Saturday, 29th February 2020 and a fix was deployed the same day. The fix does nothing for certificates that were already issued, however, which leaves about three million (out of roughly 116 million active certificates) that need to be revoked.

Of the three million certificates, about one million are duplicates of other affected certificates covering the same domain or subdomain, so roughly two million distinct sets of domain names are affected by the bug.

Affected certificate owners have been asked to renew their certificates by 00:00 UTC 4th March.

Once a certificate is revoked, browsers that check its revocation status (via OCSP or a CRL) will warn visitors that the site is not safe to use. Revocation checking is soft-fail in most browsers, so the warning may not appear everywhere at once, but operators who fail to renew cannot rely on that: the certificate is still invalid and will be treated as such wherever the status is checked.

There are currently no reports of the bug being exploited by any hacking group, the project said.