Infrastructure Briefing — Let’s Encrypt mass certificate revocation for CAA bug

Let’s Encrypt disclosed a Certificate Authority Authorization (CAA) rechecking bug that violated issuance rules for roughly three million certificates. The CA announced mass revocation beginning March 4, 2020, requiring site operators to replace affected TLS certificates to avoid outages.

Zeph Tech Research Lead

Research lead, Zeph Tech

2 publication timestamps supporting this briefing. Source data (JSON)

Executive briefing: Let’s Encrypt found its CAA validation code skipped required rechecks before issuing roughly three million TLS certificates. To maintain compliance with CA/Browser Forum rules, the CA announced it would revoke and replace the affected certificates starting March 4, 2020.

Why it matters

Service continuity: Unreplaced certificates would trigger browser errors and break production services when revoked.
Automation dependence: Many operators rely on unattended ACME renewals; manual intervention was required to replace affected certs before revocation.
Governance: Highlights the need for monitoring CA incident disclosures even when using automated certificate management.

Operator actions

Identify impact: Use Let’s Encrypt’s published ACME client logs or the serial-number check tool to flag certificates issued between February 29 and March 3, 2020.
Replace certificates: Reissue and deploy new TLS certificates for all affected domains before revocation deadlines.
Validate automation: Confirm ACME clients correctly perform CAA rechecks and alert on CA incident bulletins.

Timeline plotting source publication cadence sized by credibility. — 2 publication timestamps supporting this briefing. Source data (JSON)

Horizontal bar chart of credibility scores per cited source. — Credibility scores for every source cited in this briefing. Source data (JSON)

Visit pillar hub

Latest guides

Edge Resilience Infrastructure Guide — Zeph Tech
Engineer resilient edge estates using ETSI MEC standards, DOE grid assessments, and GSMA availability benchmarks documented by Zeph Tech.
Infrastructure Resilience Guide — Zeph Tech
Coordinate capacity planning, supply chain, and reliability operations using DOE grid programmes, Uptime Institute benchmarks, and NERC reliability mandates covered by Zeph Tech.
Infrastructure Sustainability Reporting Guide — Zeph Tech
Produce audit-ready infrastructure sustainability disclosures aligned with CSRD, IFRS S2, and sector-specific benchmarks curated by Zeph Tech.

Why it matters

Operator actions

Related briefings

Infrastructure Briefing — August 22, 2024

Android March 2020 security bulletin ships critical fixes

Microsoft March 2020 Patch Tuesday fixes 115 vulnerabilities

Apache Tomcat AJP vulnerability (CVE-2020-1938 'Ghostcat') patched

Microsoft Defender ATP for Linux enters public preview

Continue in the Infrastructure pillar

Latest guides