Because of a software bug, Let's Encrypt is revoking around 3 million certificates today. The bug, found in the backend code of Boulder, the CA software Let's Encrypt runs, affects the Certificate Authority Authorization (CAA) recheck that Boulder is supposed to perform before issuing a certificate.
For those unfamiliar with it, CAA (RFC 6844, revised as RFC 8659) is a DNS record that lets a domain owner state which certificate authorities are permitted to issue certificates for that domain; a CA that finds a CAA record not naming it must refuse to issue. The CA/Browser Forum has required all publicly trusted CAs to check CAA before issuance since September 2017.
The Let's Encrypt team explained the bug as follows:
The bug: when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let’s Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let’s Encrypt.
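As an added illustration, and not code from Boulder or Let's Encrypt, the Python below shows what a CAA check decides for a name and how a loop that defers the per-name work into closures can end up checking one domain name N times, which is the symptom the quote above describes. The zone data, the domain names and the choice of "letsencrypt.org" as the issuer-domain being matched are constructed for the example, and the CAA evaluation is simplified (no critical-flag handling, no real DNS).

```python
"""Added illustration, not Let's Encrypt or Boulder code: a simplified CAA
check plus a deferred-work loop that checks the wrong name N times."""

CA_ID = "letsencrypt.org"  # assumed issuer-domain-name the CA looks for

# Constructed CAA data: domain -> list of (tag, value) CAA properties.
CAA_ZONE = {
    "example.com": [("issue", "letsencrypt.org")],
    "blocked.test": [("issue", "digicert.com")],  # names another CA: LE must not issue
    "nobody.test": [("issue", ";")],              # empty issuer: no CA may issue
    "wild.test": [("issue", "letsencrypt.org"), ("issuewild", ";")],
}


def lookup_caa(zone, name):
    """RFC 8659 section 3: use the CAA RRset of the closest name on the path
    to the root (starting with the name itself) that has one; none found
    means issuance is unrestricted."""
    labels = name.split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def caa_permits(zone, name, ca_id, wildcard=False):
    """True if the relevant CAA RRset allows ca_id to issue for name.
    Simplified: property parameters after ';' are ignored and the critical
    flag is not modelled."""
    rrset = lookup_caa(zone, name)
    if not rrset:
        return True
    tag = "issuewild" if wildcard else "issue"
    relevant = [v for t, v in rrset if t == tag]
    if wildcard and not relevant:
        relevant = [v for t, v in rrset if t == "issue"]  # no issuewild: issue applies
    if not relevant:
        return True  # RRset carries no restriction for this kind of issuance
    issuers = {v.split(";")[0].strip().lower() for v in relevant}
    return ca_id.lower() in issuers


def recheck_buggy(names, check):
    """The symptom in the quote: work for each of the N names is deferred
    into a closure, but each closure reads `name` when it runs, after the
    loop has finished, so all N checks are run against the last name."""
    deferred = []
    for name in names:
        deferred.append(lambda: (name, check(name)))
    return [d() for d in deferred]


def recheck_fixed(names, check):
    """Bind the current name into each closure when it is created."""
    deferred = []
    for name in names:
        deferred.append(lambda name=name: (name, check(name)))
    return [d() for d in deferred]


def may_issue(names, zone=CAA_ZONE, ca_id=CA_ID, recheck=recheck_fixed):
    """Issuance requires the CAA recheck to pass for every name requested."""
    results = recheck(names, lambda n: caa_permits(zone, n, ca_id))
    return all(ok for _, ok in results)


if __name__ == "__main__":
    request = ["blocked.test", "www.example.com"]  # blocked.test now forbids LE
    print("buggy recheck allows issuance:", may_issue(request, recheck=recheck_buggy))  # True
    print("fixed recheck allows issuance:", may_issue(request))  # False
```

With the buggy loop every check lands on the last name in the request, so a CAA record that forbids issuance on any earlier name is never seen; the fixed loop evaluates each name and refuses the request.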
Let's Encrypt has taken the cautious route of revoking every certificate affected by the bug, not only those for which a fresh CAA check would fail today. This follows industry rules: the CA/Browser Forum Baseline Requirements require a CA to revoke certificates whose issuance did not comply within five days.
System administrators and web developers who use Let's Encrypt certificates need to check whether any of their certificates appear in the list of affected certificates. Let's Encrypt has published the affected serial numbers and a lookup tool alongside its announcement, and has emailed affected subscribers; any certificate on the list must be renewed and replaced before the revocation takes effect.
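An added example, not a Let's Encrypt tool, of the check a subscriber would script: read a certificate's serial number straight out of the DER and compare it with a downloaded list of affected serials. The certificate bytes and the listing below are constructed, the listing format (one hex serial per line, "#" comments) is an assumption, and serials are compared in a normalized form so that the colon-separated uppercase hex that openssl prints and the plain hex of a listing still match.

```python
"""Added example, not a Let's Encrypt tool: is this PEM certificate's
serial number on a list of affected serials?"""
import base64
import re


def pem_to_der(pem):
    body = "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return base64.b64decode(body)


def read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value_start, value_end).
    Handles short- and long-form lengths, which is all X.509 needs here."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length


def normalize_serial(text):
    """Canonical comparison form: lowercase hex, separators and leading
    zeros removed, so '03:E9:BB', '03e9bb' and '3e9bb' all compare equal."""
    digits = re.sub(r"[^0-9a-f]", "", text.lower())
    return digits.lstrip("0") or "0"


def serial_from_der(der):
    """Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {
         version [0] EXPLICIT OPTIONAL, serialNumber INTEGER, ... }, ... }"""
    tag, pos, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a Certificate SEQUENCE")
    tag, pos, _ = read_tlv(der, pos)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, start, end = read_tlv(der, pos)
    if tag == 0xA0:  # explicit version present; skip it
        tag, start, end = read_tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    value = int.from_bytes(der[start:end], "big", signed=True)
    if value < 0:
        raise ValueError("RFC 5280 requires a positive serial number")
    return normalize_serial(format(value, "x"))


def affected_serials(listing):
    return {normalize_serial(line) for line in listing.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


def needs_replacement(pem, listing):
    return serial_from_der(pem_to_der(pem)) in affected_serials(listing)


# --- constructed inputs (not real certificates or a real listing) ---------
def der_encode(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def fake_cert(serial_bytes):
    """Certificate-shaped DER with a real version and serial; the remainder
    is filler so the outer lengths exercise the long form. Not a valid cert."""
    tbs = (der_encode(0xA0, der_encode(0x02, b"\x02"))
           + der_encode(0x02, serial_bytes)
           + der_encode(0x04, b"\x00" * 200))
    return der_encode(0x30, der_encode(0x30, tbs))


def fake_pem(serial_bytes):
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(fake_cert(serial_bytes)).decode()
            + "-----END CERTIFICATE-----\n")


SAMPLE_PEM = fake_pem(b"\x03\xe9\xbb")
AFFECTED_LISTING = """# constructed listing, not Let's Encrypt's
03E9BB
00:AA:01
"""

if __name__ == "__main__":
    print("replace?", needs_replacement(SAMPLE_PEM, AFFECTED_LISTING))  # True
```

Point the same function at your own PEM file and the downloaded list; a True result means the certificate is on the list and must be reissued before it is revoked.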
On 27 February 2020, Let's Encrypt announced on its blog that it had issued its billionth free TLS certificate. Given how many sites now depend on those free certificates, some users may well look elsewhere because of this incident.