Let’s Encrypt is a free, automated, open certificate authority (CA) run for the public’s benefit as a service from the Internet Security Research Group (ISRG). It provides free digital certificates to enable HTTPS (SSL/TLS) for websites via user-friendly means.
Earlier this week, Let’s Encrypt announced that a bug in its validation code forced it to revoke more than 3 million certificates. The bug allowed subscribers (under specific circumstances and for a limited period) to issue certificates to a domain name even after the domain name holder explicitly prohibited the issuance of certificates through the use of DNS CAA.
This blog explains the implications of the incident. It details the impact on organizations that are still using Let’s Encrypt certificates that were revoked, outlines steps for remediation, and provides a link to Qualys CertView, a free tool that can be used to identify all affected certificates in users’ environments.
On Feb. 29, 2020 Let’s Encrypt detected the bug and then immediately halted new certificate issuance. The bug was fixed within a few hours of the discovery. Further investigation revealed that certificates issued since July 25, 2019 could have been issued without full domain control validation, which Let’s Encrypt enforces under normal circumstances. Let’s Encrypt then announced that starting March 4, 2020 it would revoke 3,048,289 certificates issued during that period. It planned to revoke all these by March 5, 2020. Let’s Encrypt notified organizations that may have been impacted via email alerts. It provided details on its blog and via FAQ posts. The CA also enabled an online tool where manual checks can be performed (See “Reference Sources” below).
Organizations with revoked Let’s Encrypt certificates still in place may experience a range of issues and disruptions. Visitors to their websites may get “revoked certificate” warnings and decide not to proceed. Automated systems that authenticate connections with other systems via a revoked certificate may fail to connect. Failed connections and warnings will impact availability, undermine user confidence, cause down time, and potentially inflict reputational damage.
Users who visit websites that are using these revoked certificates will encounter this window:
How Qualys Helps
Let’s Encrypt users need to take action. They should start by identifying any in-use certificates that have been issued since July 2019. Then, they need to remediate and replace them as quickly as possible.
Our customers can use Qualys CertView to gain visibility over all certificates in their environments. In order to see your affected certs, you can create a new widget in the dashboard using the query:
((issuer.organization: Let's Encrypt) AND (validFrom: [2019-07-25..2020-03-01]))
Alternatively, you can download this widget via the link below and import it into your Qualys CertView dashboard. It will quickly show you any Let’s Encrypt certificates that may be affected and might need to be replaced. The widget will also reveal exactly which hosts and ports the (now) revoked certificates are installed on. This gives customers the ability to go directly to those hosts to replace the certificates.
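For teams that keep their own certificate inventory rather than a CertView dashboard, the same query can be applied locally. The following is an added example, not Qualys or Let’s Encrypt code: it parses a PEM bundle and reports the serials of certificates whose issuer organization is "Let's Encrypt" and whose NotBefore falls inside the query window (both ends assumed inclusive). The test certificates it generates are constructed, self-signed stand-ins, not real Let’s Encrypt certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Window from the CertView query above: validFrom between the day the bug
// was introduced (2019-07-25) and the day after issuance was halted.
var (
	windowStart = time.Date(2019, 7, 25, 0, 0, 0, 0, time.UTC)
	windowEnd   = time.Date(2020, 3, 1, 0, 0, 0, 0, time.UTC)
)

// InWindow mirrors the query: issuer.organization is "Let's Encrypt" and
// the certificate's NotBefore (validFrom) lies inside the window, inclusive.
func InWindow(c *x509.Certificate) bool {
	issuedByLE := false
	for _, o := range c.Issuer.Organization {
		if o == "Let's Encrypt" {
			issuedByLE = true
		}
	}
	return issuedByLE && !c.NotBefore.Before(windowStart) && !c.NotBefore.After(windowEnd)
}

// AffectedSerials walks every CERTIFICATE block in a PEM bundle and returns
// the hex serials of those that match the query; undecodable blocks are skipped.
func AffectedSerials(bundle []byte) []string {
	var out []string
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil || block.Type != "CERTIFICATE" {
			continue
		}
		if InWindow(c) {
			out = append(out, c.SerialNumber.Text(16))
		}
	}
	return out
}

// MakeTestCert builds a constructed, self-signed PEM certificate (issuer ==
// subject) so the filter can be exercised offline; it is not a real LE cert.
func MakeTestCert(org string, serial int64, notBefore time.Time) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{Organization: []string{org}},
		NotBefore: notBefore, NotAfter: notBefore.AddDate(0, 3, 0)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	bundle := append(MakeTestCert("Let's Encrypt", 1, time.Date(2019, 8, 1, 0, 0, 0, 0, time.UTC)),
		MakeTestCert("Let's Encrypt", 2, time.Date(2019, 6, 1, 0, 0, 0, 0, time.UTC))...)
	fmt.Println(AffectedSerials(bundle)) // [1]
}
```

A match only means the certificate falls in the affected window; confirm revocation against the serial list Let’s Encrypt published (linked under Reference Sources) before replacing it.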
Download the CertView Dashboard widget.
Qualys CertView is available as a free service for your internet-facing certificates.
Reference Sources
- Revoked cert serial numbers
- Let’s Encrypt Blog: Download affected certificate serials for 2020.02.29 CAA Rechecking Incident
- Certificate Replacement Query Tool
- Let’s Encrypt Twitter Thread
- Let’s Encrypt Community Q&A
- Qualys Community Certificate Technical Resources