This Friday (January 28, 2022), non-profit organization Let’s Encrypt plans to revoke approximately two million SSL/TLS certificates because they were not issued correctly.
In a white paper, Let’s Encrypt engineer Jillian Tessa explained that on January 25 a third party reported two problems (1, 2) to the organization in Boulder’s implementation of the “TLS-ALPN-01” (TLS over ALPN) validation method (BRs 3.2.2.4.20, RFC 8737). Boulder is Let’s Encrypt’s certificate-authority software for ACME (Automatic Certificate Management Environment).
“All active certificates that were issued and verified with TLS-ALPN-01 before 00:48 UTC on January 26, 2022, when our patch was deployed, are considered incorrectly issued,” writes Tessa. “In accordance with Let’s Encrypt CP [Certificate Policy], we have five days to revoke certificates, and we will begin revoking them at 16:00 UTC on January 28, 2022.”
The organization estimates that less than one percent of active certificates are affected by the issue. However, this is still a huge number – about two million certificates, since there are currently about 221 million certificates issued by Let’s Encrypt in the world.
Anyone affected by this issue will receive an email notification and will need to renew their certificate before the revocations begin.