“Let’s Encrypt”, a non-profit organization that has helped millions of users and companies around the world to obtain their HTTPS certificate for their website in a convenient (and above all free) way, warns that in the next days will withdraw up to two million certificates due to a software error.
In an article they have published on their corporate blog, they explain that last Tuesday, a user reported “two irregularities” in the code that implements the “TLS Using ALPN” validation method (BRs 3.2.2.4.20, RFC 8737) in Boulder, its automatic certificate management software.
From here, the company explains that “all active certificates that were issued and validated with the TLS-ALPN-01 challenge before 0048 UTC on January 26, 2022, are considered erroneously issued.” What does this translate to? In that during the next five days, the company will revoke the permission to these two million certificates that are considered to be affected by this vulnerability.
However, the organization estimates that less than 1% of active certificates are affected, so although the total number is large, the chances that yours is among those revoked are small; It is calculated, in fact, that at the moment the organization has more than 220 million active certificates that continue to function normally.
In any case, the company also ensures that the holders of the problematic certificates will be notified of said revocation by email, providing them with precise instructions on the steps to be taken next.
