Let's Encrypt to revoke "mis-issued" certificates

If you use a Let’s Encrypt SSL/TLS certificate, you may wish to check your account over the coming days. Revocation is coming, and you’ve only got until tomorrow to figure things out.

What’s the deal with free certificates?

If you’re running a website, you want to make sure that it uses HTTPS. It means the visitor’s connection to the site is encrypted, so snoopers can’t see what they’re doing. This is good for you and most definitely good for them. Browsers typically let you know the site is secure by displaying a padlock in the URL bar.

It used to be fairly expensive to get your hands on an HTTPS certificate, and for years there were problems with using custom domains on certain services. Try as you might, certificates simply wouldn’t work in some cases.

It’s a lot easier these days, and a lot cheaper too. How cheap? Well, free can definitely be considered cheap.

There are quite a few providers out there offering free HTTPS certificates, and this is a good thing. The arrival of mass free HTTPS certificates has, interestingly, meant a few tweaks to infosec advice. For example, many organisations now point out that the free-cert boom has brought a rise in phishing sites using HTTPS, so you mustn’t let your guard down just because you see the padlock. Even so, having more sites with HTTPS than without is a baseline we should be striving for.

What’s happened with Let’s Encrypt?

Emails started landing in customer mailboxes over the past few days, like so:

The mail reads as follows:

Please immediately renew your TLS certificate(s) that were issued from Let’s Encrypt using the TLS-ALPN-01 validation method.

We’ve determined that an error made it possible for TLS-ALPN-01 challenges, completed before today, to not comply with certificate issuance requirements. We have remediated this problem and will revoke all unexpired certificates that used this validation method at 16:00 UTC on 28 January 2022. Please renew your certificates now to ensure an uninterrupted experience for your site visitors.

At the same time, the Let’s Encrypt team posted up an initial notification about what had taken place.

At 16:48 UTC on Tuesday Jan 25, 2022, a third party informed Let’s Encrypt / ISRG that, while examining the Boulder codebase, they had noticed two instances of specification non-compliance in our implementation of the “TLS Using ALPN” validation method.

All active certificates that were issued and validated with the TLS-ALPN-01 challenge before 00:48 UTC on 26 January 2022 when our fix was deployed are considered mis-issued. In compliance with the Let’s Encrypt CP, we have 5 days to revoke and will begin to revoke certificates at 16:00 UTC on 28 January 2022. We estimate <1% of active certificates are affected.

It’s worth highlighting that you may be affected even if you don’t have a valid mail address on file. They also have a longer thread complete with questions and answers in the comments section.
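As an added example (not from the article, and not Let’s Encrypt’s own tooling), here is a small Python triage script for the situation the notice describes. It parses the `issuer` and `dates` lines that `openssl x509 -noout -issuer -dates` prints for a certificate file (the OpenSSL 1.1+ output style with `C = US, O = ...` is assumed), keeps only unexpired Let’s Encrypt certificates issued before the fix was deployed, and then needs one thing the certificate itself cannot tell you: which ACME challenge the client used. That value has to come from your ACME client’s configuration or logs, so the script reports `check-client-config` when it is unknown rather than guessing. The hostnames and certificate records in the demo are constructed.

```python
"""Triage openssl output for Let's Encrypt certificates that may fall under
the TLS-ALPN-01 revocation described in the article (added example)."""
from datetime import datetime, timezone

# Cut-off times quoted in the Let's Encrypt notice.
FIX_DEPLOYED = datetime(2022, 1, 26, 0, 48, tzinfo=timezone.utc)
REVOCATION_STARTS = datetime(2022, 1, 28, 16, 0, tzinfo=timezone.utc)


def parse_openssl_date(line):
    """Turn a 'notBefore=Jan  5 10:00:00 2022 GMT' line from
    `openssl x509 -noout -dates` into a timezone-aware UTC datetime."""
    _, _, value = line.partition("=")
    value = value.strip()
    if not value.endswith(" GMT"):
        raise ValueError("unexpected openssl date format: %r" % line)
    naive = datetime.strptime(value[:-4], "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def parse_openssl_name(line):
    """Turn 'issuer=C = US, O = Let's Encrypt, CN = R3' (OpenSSL 1.1+
    style output of `openssl x509 -noout -issuer`) into a dict of RDNs.
    Assumes no commas inside attribute values, which holds for the
    Let's Encrypt issuer names this check cares about."""
    _, _, value = line.partition("=")
    fields = {}
    for part in value.split(","):
        key, _, val = part.partition("=")
        if key.strip():
            fields[key.strip()] = val.strip()
    return fields


def classify(issuer_line, not_before_line, not_after_line,
             validation_method, now):
    """Classify one certificate for the revocation.

    validation_method is the ACME challenge type the client used
    (e.g. 'tls-alpn-01', 'http-01', 'dns-01'). It is NOT recorded in the
    certificate, so it must come from the ACME client's configuration or
    logs; pass None if it is not known. notBefore is used as a proxy for
    the validation time.
    """
    issuer = parse_openssl_name(issuer_line)
    if issuer.get("O") != "Let's Encrypt":
        return "not-lets-encrypt"
    not_after = parse_openssl_date(not_after_line)
    if not_after <= now:
        return "expired"              # only unexpired certs are revoked
    not_before = parse_openssl_date(not_before_line)
    if not_before >= FIX_DEPLOYED:
        return "issued-after-fix"     # validated after the bug was fixed
    if validation_method is None:
        return "check-client-config"  # can't tell from the cert alone
    if validation_method.lower() == "tls-alpn-01":
        return "renew-now"
    return "other-method"


def hours_until_revocation(now):
    """Hours left before revocation begins; negative once it has started."""
    return (REVOCATION_STARTS - now).total_seconds() / 3600


if __name__ == "__main__":
    # Constructed sample records in the shape of `openssl x509 -noout
    # -issuer -dates` output; the challenge type is assumed to have been
    # read from the ACME client's config.
    now = datetime(2022, 1, 27, 12, 0, tzinfo=timezone.utc)
    samples = [
        ("www.example.test",
         "issuer=C = US, O = Let's Encrypt, CN = R3",
         "notBefore=Jan 20 08:15:00 2022 GMT",
         "notAfter=Apr 20 08:14:59 2022 GMT", "tls-alpn-01"),
        ("mail.example.test",
         "issuer=C = US, O = Let's Encrypt, CN = R3",
         "notBefore=Jan 26 02:00:00 2022 GMT",
         "notAfter=Apr 26 01:59:59 2022 GMT", "tls-alpn-01"),
        ("legacy.example.test",
         "issuer=C = US, O = Let's Encrypt, CN = R3",
         "notBefore=Jan  5 10:00:00 2022 GMT",
         "notAfter=Apr  5 09:59:59 2022 GMT", None),
    ]
    print("%.1f hours until revocation begins" % hours_until_revocation(now))
    for name, issuer, nb, na, method in samples:
        print(name, "->", classify(issuer, nb, na, method, now))
```

The `O = Let's Encrypt` check deliberately matches on the organisation rather than a specific intermediate (R3, E1, and so on), so it also catches certificates chained through older Let’s Encrypt intermediates. Anything that comes back `renew-now` or `check-client-config` should be renewed before the 16:00 UTC deadline; renewing is harmless for the other categories too, so when in doubt, renew.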

The numbers game

They mention that fewer than 1% of active certificates are affected. However, Bleeping Computer has done some digging into numbers and the impact may still be pretty big. According to their statistics, active certificates “surpassed 221 million” as of November 2021 so 1% of that is not to be laughed at.

Users of free SSL services are typically used to ongoing notifications about problems and issues. With any luck, they’ll be just as prepared for this one. That being said, if you use the service mentioned above and this is the first you’ve heard about it, you may wish to get a move on and dig into the issue sooner rather than later.

The clock is most definitely ticking, and you’ve only got one more day to get your certificate affairs in order.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.