Preface: Certificates will begin being revoked at 3 PM EST. 4th Mar 2020

Security Focus: Due to design defect, Let’s Encrypt had to rush to inform users about the revocation the SSL server certification that’ll be completed in less than 24 hours. The SSL/TLS certificates will be revoke by tomorrow, March 4 (at 00:00 UTC at the earliest). Sites with revoked certificates may begin showing insecure icons in browser. Affected site publishers will have to reapply for a new certificate in order to regain secure status.

Official announcement: The bug: when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let’s Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let’s Encrypt.

To check if your domain is affected by this bug and needs to be renewed, you can use the tool at https://checkhost.unboundtest.com/.