Following its recent CAA bug, Let's Encrypt has decided that it will not, for now, revoke roughly one million of the affected certificates.
The bug was introduced in July 2019 in the code that rechecks Certification Authority Authorization (CAA) records before issuance. Let's Encrypt lets a subscriber reuse a successful domain validation for up to 30 days, but it must recheck CAA shortly before each issuance; when an order contained several names that needed rechecking, the code rechecked one of them repeatedly instead of each one once. As a result, Let's Encrypt could have issued a certificate for a domain even if a CAA record added for that domain within the previous 30 days forbade it.
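The example below, added here and not code from Let's Encrypt or its Boulder CA software, illustrates the class of bug described above: a CAA evaluator that climbs the DNS tree as RFC 8659 requires, followed by two pre-issuance rechecks over an order's names. The buggy variant captures the loop variable in closures that run after the loop, so every check looks at the same name; the fixed variant binds the name per iteration. The zone data, the `CAA_ZONE` dictionary, the CA identifier and all function names are constructed for illustration, and wildcard (`issuewild`) handling is deliberately left out.

```python
"""Constructed illustration of a CAA recheck loop bug (not Boulder code)."""

# Constructed CAA data: name -> list of (flags, tag, value). Names with no
# entry have no CAA records of their own, so the lookup climbs to the parent.
CAA_ZONE = {
    "example.com": [(0, "issue", "letsencrypt.org")],
    "blocked.example.org": [(0, "issue", ";")],          # ";" = no CA may issue
    "example.net": [(0, "issue", "otherca.example")],   # some other CA only
}

# Identifier this (hypothetical) CA recognises in "issue" records.
CA_DOMAIN = "letsencrypt.org"


def lookup_caa(name):
    """Return the CAA RRset of the closest ancestor (including name itself)
    that has one, stopping before the TLD (RFC 8659 section 3)."""
    labels = name.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in CAA_ZONE:
            return CAA_ZONE[candidate]
    return []


def caa_permits(name, ca=CA_DOMAIN):
    """True if the relevant CAA set has no 'issue' records, or one names us.
    Parameters after ';' (e.g. validationmethods) are ignored here."""
    issue_values = [v for (_, tag, v) in lookup_caa(name) if tag == "issue"]
    if not issue_values:
        return True
    return any(v.split(";")[0].strip() == ca for v in issue_values)


def recheck_caa_buggy(names):
    """Schedule one recheck per name, then run them. Because each closure
    reads the loop variable late, every recheck inspects the LAST name:
    one name is checked len(names) times and the others never."""
    checks = []
    for name in names:
        checks.append(lambda: caa_permits(name))   # BUG: late-bound 'name'
    return [check() for check in checks]


def recheck_caa_fixed(names):
    """Same structure, but the name is bound at closure-creation time."""
    checks = [lambda n=name: caa_permits(n) for name in names]
    return [check() for check in checks]


def may_issue(names, recheck=recheck_caa_fixed):
    """Issuance proceeds only if every name in the order passes its recheck."""
    return all(recheck(names))


if __name__ == "__main__":
    order = ["www.blocked.example.org", "www.example.com"]
    print("fixed  :", recheck_caa_fixed(order))    # [False, True] -> refuse
    print("buggy  :", recheck_caa_buggy(order))    # [True, True]  -> misissue
    print("issue? :", may_issue(order, recheck_caa_buggy))
```

Note that the buggy recheck is order-dependent: with the forbidding name last in the order, every check happens to fail and issuance is refused, so a single test order can hide the defect. A regression test for this class of bug should place the forbidding name first.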
Let's Encrypt fixed its CAA checking code within hours of discovering the bug on February 28. Several days later, it disclosed that approximately 2.6% of its active certificates were affected and that it would revoke all of them by March 5, the five-day deadline that the CA/Browser Forum Baseline Requirements set for misissued certificates.
A total of 3,048,289 certificates were due to be revoked. Let's Encrypt revoked those whose subscribers had already replaced them, but ultimately decided to leave roughly one million unrevoked for the time being, since the certificates expire within 90 days anyway and revoking them would have broken sites that had not yet renewed.