The Let's Encrypt certification authority was forced to revoke more than 3 million Transport Layer Security (TLS) certificates due to a problem in their domain validation and issuance software.

The free TLS certificates from the Let's Encrypt certification authority are widely used. Developed since 2014 by the EFF with the support of Mozilla, these certificates are offered free of charge and let you encrypt traffic between servers and applications connected to the Internet. The organization recently reported having secured nearly 190 million websites and issued more than a billion certificates.

Unfortunately, the latest news about this certification authority is less encouraging: Let's Encrypt has been forced to revoke more than 3.04 million TLS certificates, or 2.6% of the almost 116 million Let's Encrypt certificates in circulation. In an email sent to all its users, Let's Encrypt describes the bug that was found and the procedure to follow to correct the problem.

3 Million Let's Encrypt TLS Certificates Revoked Due to a Bug

The problem stems from a bug discovered on February 29, 2020 in the certification authority's domain validation and issuance software. "On 2020-02-29 UTC, Let’s Encrypt found a bug in our CAA code. Our CA software, Boulder, checks for CAA records at the same time it validates a subscriber’s control of a domain name. Most subscribers issue a certificate immediately after domain control validation, but we consider a validation good for 30 days. That means in some cases we need to check CAA records a second time, just before issuance. Specifically, we have to check CAA within 8 hours before issuance, so any domain name that was validated more than 8 hours ago requires rechecking," said Let's Encrypt.

Let's Encrypt uses certificate authority software named Boulder. Typically, a web server that serves many separate domain names and uses Let's Encrypt to secure them receives a single Let's Encrypt certificate covering all of those names rather than a separate certificate for each domain.
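As an added example, not Boulder's code and not from the original article, here is a small Go program that models the issuance rule the quote describes: a completed validation may be reused for 30 days, but CAA must have been checked within the last 8 hours, and for a multi-name certificate the recheck has to be carried out once for every name in the order. Let's Encrypt's own incident report traced the bug to the recheck being run against a single name repeatedly instead of against each name once, so the example records results keyed by name and refuses to proceed if any requested name lacks its own answer. The `Authorization` type, the function names and the injected `caaLookup` resolver are assumptions made for illustration; the order data is constructed.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

const (
	validationLifetime = 30 * 24 * time.Hour // a completed validation may be reused for 30 days
	caaFreshness       = 8 * time.Hour       // CAA must have been checked within 8 hours of issuance
)

// Authorization is a hypothetical record of a completed domain-control
// validation for one name, including when CAA was last checked for it.
type Authorization struct {
	Name         string
	ValidatedAt  time.Time
	CAACheckedAt time.Time
}

// planIssuance applies both time limits to every name in an order.
// It returns the names whose CAA records must be rechecked before issuance
// and the names whose validation has expired and must be redone entirely.
func planIssuance(auths []Authorization, now time.Time) (recheck, expired []string) {
	for _, a := range auths {
		if now.Sub(a.ValidatedAt) > validationLifetime {
			expired = append(expired, a.Name)
			continue
		}
		if now.Sub(a.CAACheckedAt) > caaFreshness {
			recheck = append(recheck, a.Name)
		}
	}
	sort.Strings(recheck)
	sort.Strings(expired)
	return recheck, expired
}

// caaLookup resolves CAA for one name; a real CA would query DNS here.
type caaLookup func(name string) (allowed bool, err error)

// recheckCAA queries CAA for each requested name individually and records
// the answer under that name, so one name's result can never stand in for
// another's. The final pass is a defensive invariant: every requested name
// must have its own recorded answer before issuance may continue.
func recheckCAA(names []string, lookup caaLookup) (map[string]bool, error) {
	results := make(map[string]bool, len(names))
	for _, name := range names {
		allowed, err := lookup(name)
		if err != nil {
			return nil, fmt.Errorf("CAA recheck for %s: %w", name, err)
		}
		results[name] = allowed
	}
	for _, name := range names {
		if _, ok := results[name]; !ok {
			return nil, fmt.Errorf("no CAA result recorded for %s", name)
		}
	}
	return results, nil
}

func main() {
	// Constructed order: three names validated at different times.
	now := time.Date(2020, 2, 29, 12, 0, 0, 0, time.UTC)
	order := []Authorization{
		{"www.example.test", now.Add(-1 * time.Hour), now.Add(-1 * time.Hour)},
		{"mail.example.test", now.Add(-9 * time.Hour), now.Add(-9 * time.Hour)},
		{"old.example.test", now.Add(-31 * 24 * time.Hour), now.Add(-31 * 24 * time.Hour)},
	}
	recheck, expired := planIssuance(order, now)
	fmt.Println("needs CAA recheck:", recheck)
	fmt.Println("validation expired:", expired)

	// Stand-in resolver (constructed): only mail.example.test permits this CA.
	results, err := recheckCAA(recheck, func(name string) (bool, error) {
		return name == "mail.example.test", nil
	})
	fmt.Println("recheck results:", results, "err:", err)
}
```

The two limits are deliberately kept as named constants and applied per name: a name validated an hour ago needs nothing, a name validated nine hours ago needs only a fresh CAA lookup, and a name validated 31 days ago must be validated again from scratch.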

According to Let's Encrypt's initial investigation, the bug dates back to July 25, 2019. Revocation of the affected certificates began on March 4, 2020 at 09:00 PM (EST). System administrators and webmasters currently using Let's Encrypt certificates for their networks and servers can check the list of impacted TLS certificate serial numbers on this page, or visit the following website and check whether their certificate was impacted by entering the certificate's domain name.