Let’s Encrypt revoked about 2.7 million mis-issued SSL certificates

A few days ago, Certificate Authority Let’s Encrypt announced it would need to revoke nearly two million SSL certificates due to improper issuance. 

Specifically, the problem concerned an error made in the code that implemented one of their validation methods. Because of this irregularity in the code, the certificates issued did not comply with certificate issuance requirements. 

The issue was announced in the Let’s Encrypt discussion forum on January 26th. The post explained that on January 25th, a third party had informed the CA about the issue that specifically affected their TLS-ALPN-01 challenge validation method. The issue was subsequently fixed by the CA, but any certificates validated and issued before that fix was implemented were considered mis-issued. Because of this, the post then went on to explain, they would have to revoke the affected certificates by January 30th. 

On the same day, Let’s Encrypt notified affected users by email that they would begin revoking SSLs validated by TLS-ALPN-01 challenge that were issued in the previous 90 days. They were urged to renew their certificates ASAP to continue having secure communications.

Let’s Encrypt estimated that this would impact about 1% of their issued SSLs. While this was still about 2.7 million SSL certificates (nothing to sniff at!) the TLS-ALPN-01 is utilized by a rather niche subset of users. Developed after TLS-SNI-01 was deprecated for not being secure enough, TLS-ALPN-01 isn’t considered suitable for most users as not all clients are capable of using the challenge type and it is mainly used by large hosting providers. You can read more about the challenge here, but the main takeaway is that most regular users won’t have been impacted by the revocation. 


Whether or not this issue impacted you, it underscores the importance of keeping up-to-date with news from your SSL provider. Always renew your SSL when notified, whether it’s because your SSL is due to expire or there’s a larger problem with the CA. For anyone still unsure if this revocation impacted them, you can find out by following the instructions outlined in this thread.

Share on Twitter, Facebook, Google+