We have been notified by one of our suppliers of a recently discovered bug in the Let’s Encrypt certificate authority code, described here and covered by BBC News on their website today, 4th March.
Unfortunately, this means we need to replace the certificates that were affected by this bug, which includes a number of certificates issued between January 28th and February 29th. To avoid disruption, we will renew and replace any affected certificate(s) on Wednesday, March 4, 2020.
We sincerely apologise for the issue and would like to assure you that at no time has information on your website been compromised or accessed by unauthorised parties because of this bug.
Either I (Chris G.) or Dan H. from our customer success team will contact affected customers to confirm when their certificates have been replaced.
Frequently asked questions from Let’s Encrypt
Let’s Encrypt (www.letsencrypt.org) is the organisation that supplies us with the SSL certificates used on the majority of our customer websites.
2.6%. That is 3,048,289 currently-valid certificates are affected, out of ~116 million overall active Let’s Encrypt certificates. Of the affected certificates, about 1 million are duplicates of other affected certificates, in the sense of covering the same set of domain names.
Because of the way this bug operated, the most commonly affected certificates were those that are reissued very frequently, which is why so many affected certificates are duplicates.
In order to complete revocations before the deadline of 2020-03-05 03:00 UTC, we are planning to start revoking affected certificates at 2020-03-04 20:00 UTC (3:00pm US EST).
You don’t need to take any action if the certificate was issued as part of your O’Brien Media hosting service. We will reissue the certificate for you.
Please contact support to request your certificate files. This request will be escalated, and a member of the network management team will contact you to provide your certificate files.