Let’s Encrypt, the most popular free certificate signing authority, is going to invalidate more than 3 million TLS certificates within the next few hours. The certificates were wrongfully issued due to a bug in the Certificate Authority software.
Our friends at Bunnyshell, a Cloud Management & Automation Platform, are kind enough to explain the situation a little and to offer some advice on how to stay safe during this time.
The bug was confirmed on February 29 and was fixed two hours after discovery. The bug changed how domain name ownership was checked before new TLS certificates were issued.
Affected website owners have until 8 PM UTC (3 PM EST) on March 4 to manually renew and replace their certificates. If they fail to do so, visitors to their websites will be greeted with TLS security warnings, as the certificates are revoked, until the renewal process is complete.