The bug was discovered in Boulder, the Let's Encrypt server software used to verify users and their domains before issuing a TLS certificate.
More specifically, it affects the handling of the CAA (Certification Authority Authorization) standard within Boulder. CAA is a security standard by which domain owners can prevent Certification Authorities (CAs) from issuing certificates for their domains.
All Certification Authorities, Let's Encrypt included, must abide by the CAA standard or face severe penalties from browser vendors.
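To show what a CA is expected to check immediately before issuance, here is an added example (not Boulder's code) that models the CAA decision of RFC 8659 against a constructed, in-memory zone: walk up the DNS tree to the nearest CAA record set, then decide whether the requesting CA's identifier is authorised. The zone contents and the CA identifier `letsencrypt.org` as the value a domain owner would publish are assumptions for the example.

```python
"""CAA issuance check modelled on RFC 8659 (added example, not Boulder's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int  # bit 0x80 = "issuer critical"
    tag: str    # issue, issuewild, iodef, or an unknown property
    value: str  # "<ca-domain>[; params]" or ";" meaning "no CA may issue"


# Constructed zone: owner name -> CAA RRset.  Names absent from the dict have no CAA.
ZONE = {
    "example.com": [CAARecord(0, "issue", "letsencrypt.org; validationmethods=dns-01"),
                    CAARecord(0, "issuewild", ";")],          # no wildcard certs at all
    "locked.example.com": [CAARecord(0, "issue", ";")],        # no CA may issue here
    "critical.example.net": [CAARecord(0x80, "future-tag", "x")],  # unknown critical property
}


def relevant_caa(name, zone):
    """Return the CAA RRset of the closest ancestor-or-self that has one (RFC 8659 s.3).

    For a wildcard name "*.X" the search starts at X, as the RFC specifies.
    """
    if name.startswith("*."):
        name = name[2:]
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []


def issuance_permitted(name, ca_domain, zone):
    """Decide whether the CA identified by ca_domain may issue for name."""
    rrset = relevant_caa(name, zone)
    # An unknown property flagged critical means the CA must not issue (RFC 8659 s.4.1).
    if any(r.flags & 0x80 and r.tag not in ("issue", "issuewild", "iodef") for r in rrset):
        return False
    # Wildcard requests use "issuewild" if present; otherwise fall back to "issue".
    props = [r for r in rrset if r.tag == "issuewild"] if name.startswith("*.") else []
    if not props:
        props = [r for r in rrset if r.tag == "issue"]
    if not props:
        return True  # no relevant property: issuance is unrestricted
    # The authorised CA is the domain before the first ";" ("" for the bare ";" value).
    allowed = {r.value.split(";", 1)[0].strip().lower() for r in props}
    return ca_domain.lower() in allowed
```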
However, on Saturday, February 29, Let's Encrypt revealed in a forum post that a bug in Boulder caused it to ignore the CAA standard.
The Let's Encrypt team fixed the bug on Saturday after two hours of work, and Boulder is now verifying CAA records before issuing new certificates. The team said it is very unlikely that anyone took advantage of the error.
However, Let's Encrypt has announced that it is revoking today all certificates issued without the appropriate CAA checks, in accordance with the industry rules dictated by the CA/B Forum.
Only 3 million of the 116 million certificates were revoked
According to Let's Encrypt, only 2.6% of its certificates are affected by this error, representing 3,048,289 certificates.
Of those 3 million, about one million are duplicates for the same domain or subdomain, putting the actual number of affected certificates at approximately 2 million.
After revocation, all affected certificates will cause errors in browsers and other applications, so domain owners will need to request a new TLS certificate to replace the old one.