Let’s Encrypt revokes three million certificates due to bug

Let’s Encrypt will revoke three million TLS/SSL certificates on Wednesday due to a bug. This concerns 2.6 percent of the active certificates. Users for whom the organization has contact information will receive an email.

Due to the bug discovered on February 29, Let’s Encrypt can no longer verify the authenticity of many certificates. The organization describes the flaw on a page, stating that the bug has likely been active since July 25 last year.

Let’s Encrypt will start revoking the affected certificates on Wednesday. This concerns more than three million certificates, which according to the organization is 2.6 percent of the total number of active certificates, currently 116 million. Website owners must renew the certificate. If their email address is known to Let’s Encrypt, they will be notified.

However, providing an email address is optional when requesting a Let’s Encrypt certificate. That is why the organization has put a tool online that allows admins to check whether certificates are affected by the bug. There is also a complete list online with all the serial numbers of the certificates that will be revoked.