SSL Let’s Encrypt Revokes 3 Million Certificates Due to CAA Bug


TAZ Administrator
Feb 28, 2004

Imagine receiving a TLS warning on your browser every time you visit your website for 60 days straight. Definitely not an ideal situation and you would certainly want to avoid it at all costs, correct?

Let’s Encrypt SSL, a certificate authority run by the Internet Security Research Group (ISRG) and responsible for around 116 million active SSL certificates, reported this weekend that they found a bug in their domain control validation process. As a result, they revoked around 3 million SSL certificates today.

To be precise, 2.6% of all active Let’s Encrypt SSL certificates were revoked at 0:00 UTC, even if they were not expected to expire soon. Usually SSL certificates are valid for a year, but Let’s Encrypt SSL certificates are only valid for 90 days. This helps decrease the number of certificates that need to be revoked, as they are renewed more frequently.

What is the impact of the Let’s Encrypt SSL bug?
To get an idea of the impact, Certbot, the most popular software used to issue Let’s Encrypt SSL certificates, only renews SSL certificates 30 days before the due date. That means if a manual forced renewal isn’t performed by an admin, the website could end up with a revoked SSL certificate for 60 days.

You may be asking yourself: who was affected? Will my website suffer with this issue? How do I proceed? We will get into that now.

What are the consequences of the Let’s Encrypt SSL bug?
To better understand the issue, you need to know about CAA records. A CAA record is a type of DNS record that is not as famous as A or CNAME records, but it is vital for the SSL industry. That DNS record tells the certificate authority companies whether they are allowed to issue an SSL certificate for a specific domain.

When you have to issue an SSL certificate, first the certificate authority will check the CAA records; then you are asked to prove that you own the domain. Most Let’s Encrypt users issue an SSL certificate right after validating the domain control. However, Let’s Encrypt, as explained here, considers the domain validation good for 30 days and the CAA records for 8 hours.

Say you want to issue an SSL certificate for a domain 9 hours after the domain validation happened. You wouldn’t need to validate the domain again, but the CAA records would be queried to make sure that domain is allowed to have an SSL certificate issued by the certificate authority. Here comes the tricky part.

Mistaken SSL certificates for multiple domains?
Some SSL certificates can cover multiple domain names. The bug happens in this part. Instead of checking each domain name’s CAA records to verify which ones the SSL certificate covers, Let’s Encrypt SSL would check just one of the domain names, not all.

Once you passed the domain control validation, you would have a 30-day window to issue certificates without the CAA records being queried properly for all domain names before issuing the SSL certificate.

Since there is a possibility that Let’s Encrypt did issue SSL certificates they were not supposed to, they revoked all certificates that did not have a proper CAA re-check, more specifically, 3,048,289 certificates.

If you want to make sure your domain is not affected, you can use the following website:

My SSL certificate was revoked, what do I do?
In this case you need to force the renewal process. It depends largely on the software you use to issue the SSL certificate. For Certbot users, running certbot renew --force-renewal on the command line is all you need to do. For cPanel users using AutoSSL, you need to delete the certificate from your cPanel account and then run AutoSSL so it triggers a new issuance process.

Our general recommendation would be to contact your sysadmin or hosting provider so they can take care of this issue for you.

Are Sucuri customers affected?
Sucuri customers that rely on the SSL certificates issued by the WAF were not affected as we do not issue multi-domain SSL certificates and thus the CAA validation bug did not impact our SSL certificates.

However, if you manually uploaded a custom Let’s Encrypt multi-domain SSL certificate into the Sucuri WAF, please check that your domain is not using a revoked SSL certificate. If you need any assistance, please submit a support ticket to our firewall team.


Jan 11, 2004
Interesting and tricky bug indeed. Scott Helme has an article at as well.

downloading Scott's crawled domains affected by the CAA bug:
wget -4

example of cPanel filtered domains and the SSL cert serial number in hex format:
grep cpanel need-renewing.txt | tail -10
,0340bf17bc6bf791cff9704d0b48f4f0b96e
,04d2d3854d346a1a6c6f43a4e14ac91c9c02
,036ab4fc5f6e8434c7cd84a89a3137c0bc33
,031bb0355dfb09a1b589d4abd6180c710c2d
,036d892579637b0198acb5d51b293396e8bc
,0369dc7fa17cd9a739efc67435fe58beb9c4
,032af9d52c506ef9111305852ec7665184ba
,03386fa00b212134dbafc9793ac054dace79
,03084954acaee675a15dd0b304f15810c4d0
,0429b1be388ed7903ca6c36e8d599293023f

checking the last domain on that filtered list:
curl -XPOST -d ''
The certificate currently available on needs renewal because it is affected by the Let's Encrypt CAA rechecking problem. Its serial number is 0429b1be388ed7903ca6c36e8d599293023f. See your ACME client documentation for instructions on how to renew a certificate.

my custom cert-check query for that domain, which shows the SSL cert serial in both decimal and hex formats:
cert-check check|362636981809588565845614275771426799813183|Let's Encrypt|2020-05-20T19:41:17Z|["","","","","","","",""]|NA|HTTP/2|HTTP/1.1|429B1BE388ED7903CA6C36E8D599293023F
cert-check check | sed -e "s/|/\n/g"
Let's Encrypt

so that domain's SSL cert still hasn't been renewed, as the hex format serial number is still the same and the expiry date of the SSL cert is older
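The manual check in the post above (grep the affected-serial list, then compare against the serial a host is actually serving) can be automated. The script below is an added example, not the poster's cert-check tool or anything from Let's Encrypt or Scott Helme; it assumes the list has one "domain,serial" record per line (the domains in the sample are placeholders), and it handles the three serial spellings that appear in the thread: lower-case hex with a leading zero, upper-case hex without it, and decimal.

```python
import socket
import ssl

# Constructed sample in the "domain,serial" shape of the need-renewing.txt grep
# output above (assumption: one record per line); domains are placeholders,
# the serials are two of the ones quoted in the post.
AFFECTED_LIST = """\
host-a.example,03084954acaee675a15dd0b304f15810c4d0
host-b.example,0429b1be388ed7903ca6c36e8d599293023f
"""

# The poster's cert-check line: field 1 is the serial in decimal, the last
# field the same serial in hex without its leading zero.
CERT_CHECK_LINE = (
    "cert-check check|362636981809588565845614275771426799813183|Let's Encrypt"
    '|2020-05-20T19:41:17Z|["","","","","","","",""]|NA|HTTP/2|HTTP/1.1'
    "|429B1BE388ED7903CA6C36E8D599293023F"
)

def hex_serial_to_int(serial):
    """Normalise a hex serial: '0429b1be...' (the list), '429B1BE...'
    (getpeercert) and '04:29:b1:...' (openssl -serial) must compare equal."""
    s = serial.strip().lower().replace(":", "")
    return int(s[2:] if s.startswith("0x") else s, 16)

def parse_affected(text):
    """Map serial (int) -> domain for every 'domain,serial' record."""
    affected = {}
    for line in text.splitlines():
        if "," in line:
            domain, serial = line.rsplit(",", 1)
            affected[hex_serial_to_int(serial)] = domain.strip()
    return affected

def parse_cert_check(line):
    """Serial (int) from a cert-check line; the decimal and hex fields are
    cross-checked so a mangled line cannot pass silently."""
    fields = line.split("|")
    dec, hx = int(fields[1]), hex_serial_to_int(fields[-1])
    if dec != hx:
        raise ValueError("decimal and hex serial fields disagree")
    return dec

def live_serial(host, port=443, timeout=5.0):
    """Not run offline: serial of the certificate a host presents right now,
    to compare against parse_affected() for a still-unrenewed certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return hex_serial_to_int(tls.getpeercert()["serialNumber"])
```

A serial found in the affected map is only a problem while it is still being served; once `live_serial()` returns a serial that is not in the map, the host has renewed.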

Paul M

Limeade Addict
Jun 26, 2006
I have nine domains on my certificate so I ran them through the checker and all came back OK. :)


Migration Expert
Feb 20, 2007
I wonder if the hosts are doing this automatically on their end?

Generally, I would say no. Hosting packages tend to have a separate cert for each domain, so they aren't affected. Same with most other installs.


May 3, 2020
Also having the same notification on 4 of my domains, very annoying.