Let's Encrypt will revoke 3 million certificates on March 4 2020


Well-Known Member
Nov 3, 2006

Download affected certificate serials for 2020.02.29 CAA Rechecking Incident

  • Like
Reactions: cPanelLauren


Well-Known Member
Nov 3, 2006
Incident Status

Security Issue

[Identified] Due to the 2020.02.29 CAA Rechecking Bug, we unfortunately need to revoke 2.6% of active Let’s Encrypt TLS/SSL certificates. We are in the process of notifying some Let's Encrypt users that their certificates will be revoked on 04 March 2020. Updates are available on our community forum community.letsencrypt.org/t/revoking-certain-certificates-on-march-4/114864

If you want to double check whether a given hostname still needs its certificate replaced, you can use the tool at https://checkhost.unboundtest.com/
  • Like
Reactions: cPanelLauren


Well-Known Member
Nov 18, 2004
I just received an email from Let's Encrypt about revocation of a certificate tomorrow. I am running an older version of cpanel (76) and one of the domains there is affected. I am not sure if this is an issue with all cpanel servers. Let's Encrypt are revoking 2.6% of all of their certificates (3 million).

Anyone know how to force cpanel to renew an AutoSSL certificate?

Here is the email that I got:
ACTION REQUIRED: Renew these Let's Encrypt certificates by March 4

We recently discovered a bug in the Let's Encrypt certificate authority code,
described here:


Unfortunately, this means we need to revoke the certificates that were affected
by this bug, which includes one or more of your certificates. To avoid
disruption, you'll need to renew and replace your affected certificate(s) by
Wednesday, March 4, 2020. We sincerely apologize for the issue.

If you're not able to renew your certificate by March 4, the date we are
required to revoke these certificates, visitors to your site will see security
warnings until you do renew the certificate. Your ACME client documentation
should explain how to renew.

If you are using Certbot, the command to renew is:

certbot renew --force-renewal

If you need help, please visit our community support forum:

Please search thoroughly for a solution before you post a new question. Let's
Encrypt staff will help our community try to answer unresolved questions as
quickly as possible.


Product Owner
Staff member
Nov 14, 2017
I combined the two threads here in relation to this issue.

In reference to the @ciao70's initial post and Let's Encrypt's announcements for certificate revocation, there are some things to be aware of:

For cPanel & WHM users using the Let's Encrypt Provider for AutoSSL

  • AutoSSL runs daily during maintenance and will detect certificates that have been revoked and reissue the certificates

  • If your certificate is affected and your AutoSSL run already occurred (update for the night has already happened) you can manually run AutoSSL using the instructions to force an AutoSSL run below

If you'd like to get a new certificate now you can do the following:

  • From WHM: go to WHM>>SSL/TLS>>Manage SSL Hosts -> Delete the affected certificate

  • From cPanel: go to cPanel>>Security>>SSL/TLS -> Manage SSL Sites -> Delete the affected certificate

  • From CLI: whmapi1 delete_ssl_vhost host=example.com

  • To force an AutoSSL run:
    • Code:
      /usr/local/cpanel/bin/autossl_check --all
    • From WHM: go to WHM > SSL/TLS > Manage AutoSSL and select 'Run AutoSSL For All Users'.

    • From cPanel: go to cPanel>>Security>>SSL/TLS Status -> Run AutoSSL

If you're experiencing issues after running the new AutoSSL check, please let us know and we'll be happy to help.
Last edited: