Earlier this week, Let's Encrypt developers warned that on March 4, 2020 they would be forced to revoke 3,048,289 certificates. The cause was a bug in Boulder, the CA software Let's Encrypt uses to verify users and their domains before issuing certificates. A code error in the implementation of CAA (Certificate Authority Authorization) checking, introduced in the summer of 2019, sometimes caused Boulder to skip CAA verification. They planned to revoke all affected certificates before 19:00 on March 5 of the current year.
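The root cause Let's Encrypt later published was a Go loop-variable aliasing defect in Boulder's CAA recheck: a certificate request covering N names had one name rechecked N times instead of each name once, so a domain whose CAA record forbade issuance could slip through. The following is an added illustration of that bug class beside its fix; it is not Boulder's own code, the `Authorization` type, the in-memory `caaRecords` table and all domain names are constructed for the example, and the buggy list is written with an explicit outer variable so it behaves the same on every Go version (before Go 1.22 the plain `for _, authz := range authzs { out = append(out, &authz) }` form has the identical defect).

```go
package main

import (
	"fmt"
	"strings"
)

// Authorization stands in for a validated domain authorization whose CAA
// records must be rechecked before issuance (hypothetical type, not Boulder's).
type Authorization struct {
	Domain string
}

// caaRecords is a constructed in-memory stand-in for DNS CAA lookups:
// each domain maps to the CA identifiers its CAA records permit.
var caaRecords = map[string][]string{
	"allowed.example":   {"letsencrypt.org"},
	"forbidden.example": {"other-ca.example"},
	"nocaa.example":     nil, // no CAA record: any CA may issue
}

// caaPermits reports whether the CAA records for domain permit issuer.
func caaPermits(domain, issuer string) bool {
	permitted, ok := caaRecords[domain]
	if !ok || len(permitted) == 0 {
		return true // no CAA record published: issuance is allowed
	}
	for _, p := range permitted {
		if strings.EqualFold(p, issuer) {
			return true
		}
	}
	return false
}

// buggyRecheckList reproduces the aliasing defect: every pointer appended
// refers to the single variable authz, so after the loop all entries point
// at the last element and the caller rechecks one domain len(authzs) times.
func buggyRecheckList(authzs []Authorization) []*Authorization {
	var out []*Authorization
	var authz Authorization
	for i := range authzs {
		authz = authzs[i]
		out = append(out, &authz)
	}
	return out
}

// fixedRecheckList takes the address of each slice element, so every
// pointer is distinct and every domain is rechecked exactly once.
func fixedRecheckList(authzs []Authorization) []*Authorization {
	out := make([]*Authorization, 0, len(authzs))
	for i := range authzs {
		out = append(out, &authzs[i])
	}
	return out
}

// recheckCAA runs the CAA check over the list. It returns the domains that
// were actually checked and the first domain (if any) that forbids issuer.
func recheckCAA(list []*Authorization, issuer string) (checked []string, forbidden string) {
	for _, a := range list {
		checked = append(checked, a.Domain)
		if forbidden == "" && !caaPermits(a.Domain, issuer) {
			forbidden = a.Domain
		}
	}
	return checked, forbidden
}

func main() {
	authzs := []Authorization{{"allowed.example"}, {"forbidden.example"}, {"nocaa.example"}}
	for name, build := range map[string]func([]Authorization) []*Authorization{
		"buggy": buggyRecheckList,
		"fixed": fixedRecheckList,
	} {
		checked, forbidden := recheckCAA(build(authzs), "letsencrypt.org")
		fmt.Printf("%s: checked=%v forbidden=%q\n", name, checked, forbidden)
	}
}
```

With the buggy list the recheck reports three lookups but all of them are for the last name in the request, so `forbidden.example` is never examined and the certificate would issue; the fixed list catches it on the second lookup. A useful regression check for any multi-name CAA recheck is therefore not "did N checks run" but "was each requested name checked at least once".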
Now, representatives of Let's Encrypt report that, by their calculations, administrators would not manage to renew approximately one million of the affected certificates before the deadline.
The developers concluded that "breaking" so many sites and scaring their visitors could hardly be considered a good idea. They therefore decided to temporarily postpone the revocation of approximately 1,300,000 certificates, while 1,706,505 certificates were revoked and reissued on March 4-5, 2020, as planned. Nevertheless, they promise to continue revoking some of the remaining certificates, but only after specialists are convinced that this "will not be a useless violation of the peace of web users."
“Let's Encrypt only offers certificates with a lifetime of 90 days, so the affected certificates that we cannot revoke will leave the ecosystem relatively quickly,” the developers also note.