Notifying users of revoked Let's Encrypt certificates

The team at Let's Encrypt, the free certificate authority, has identified an issue that might have lead to unauthorized certificate issuance.

Because it's hard to determine which sites have been abused, they have no other choice but to revoke all certificates that may have been maliciously issued.

The result is a massive 3,048,289 certificates that will be revoked within the next 24 hours.

We've just finished alerting all our users that are affected by this. In total, 2.3% of the domains that are monitored by Oh Dear were scheduled for revocation tomorrow.

Each owner has been notified so they can, hopefully, renew their certificates in advance.

Normally we would use Certificate Revocation Lists for this. Unfortunately, once a certificate has been added to a Certificate Revocation List, it's already too late and browsers will already block that certificate from being trusted.

In this case, we had the opportunity to be proactive. The team at Let's Encrypt has released a list of all certificate serial numbers that are due to be revoced. We parsed this list, found all our clients with the same serial number and notified them all.

We're happy to have been of assistance to our clients, even on such short notice. We hope everyone is able to renew their certificates in time to prevent any downtime.

If you have a website that's running on HTTPS, this incident has shown why you need a proper monitoring solution. Don't hesitate and try out Oh Dear.