On Friday, Jan. 6, we learned about a bug that impacted our SSL certification validation process. The bug was introduced on July 29, 2016, and impacted less than 2 percent of the certificates issued from July 29, 2016, to Jan. 10, 2017. It affected approximately 6,100 customers. The software bug that created the issue has been remedied. We continue to closely monitor the system. We will revoke these certificates at 9 p.m. (PST) Jan. 10, 2017. We are actively working with our customers to reissue their SSL certificates.
GoDaddy inadvertently introduced the bug during a routine code change intended to improve our certificate issuance process. The bug caused the domain validation process to fail in certain circumstances.
In a typical process, when a certificate authority, like GoDaddy, validates a domain name for an SSL certificate, they provide a random code to the customer and ask them to place it in a specific location on their website. When their system searches and finds the code, the validation is complete.
However, when the bug was introduced, certain web server configurations caused the system to provide a positive result to the search, even if the code was not found.
Instructions for affected GoDaddy SSL customers
For customers who were impacted, we have already submitted a new certificate request on your behalf at no additional cost. You simply need to log in to your GoDaddy account; once there, go to your SSL Panel and initiate the certificate process.
This process will be identical to the process you followed when your previous certificates were issued. The SSL Panel provides information and instructions that should allow you to easily process the certificate online. The time it takes for a new certificate to issue will vary depending on each customer’s circumstances, but please know we are working diligently to get all new certificates issued as quickly as possible.
We deeply apologize for the inconvenience to our customers.
Since 2004, we’ve issued nearly 10 million certificates. This is the first time we’ve experienced an issue of this nature, and although only a small fraction of our certificate customers were impacted, we take the impact seriously.
SSL bug FAQ
What is the specific problem with the SSL certificates, and has the problem been fixed?
Due to a software bug that GoDaddy inadvertently introduced during a routine code change intended to improve our certificate issuance process, the domain validation process for a small percentage of our recently issued certificates failed. In accordance with industry standards as a Certificate Authority, the potentially impacted certificates were revoked as a precautionary measure (effective 9 p.m. (PST) January 10). The software bug that created the issue has been remedied. We continue to closely monitor the system.
What does it mean for a website when its certificate is revoked? Will the website go offline?
The website will not go offline; it will continue to resolve, even though the certificate is revoked. Visitors to a website with a revoked certificate might see error messages and/or warnings, which are issued by the browser used by the website visitor (e.g., Chrome, Firefox, Safari, IE, etc.). However, if a new certificate is obtained and installed before the existing certificate is revoked, visitors to the website will not see any error messages/warnings.
How do impacted customers obtain a new certificate for their website, and how long will it take?
For impacted customers, we have already submitted a new certificate request on their behalf at no additional cost. Those impacted customers simply need to log in to their GoDaddy account at www.godaddy.com. Once there, go to the SSL Panel and initiate the certificate process.
This process will be identical to the process they followed when their previous certificates were issued. (If a customer has more than one revoked certificate associated with their customer account, they will be able to initiate the certificate process for each domain within the SSL Panel.) The SSL Panel provides helpful information and instructions that should allow customers to easily process the certificate online.
The time it takes for a new certificate to issue will vary depending on the customer’s circumstances, but please know we are working diligently to get all new certificates issued as quickly as possible.
Does revocation of my certificate impact the security of visitors to my website?
Not in this case. Although the certificate has been revoked, and various browsers might issue a warning message, revocation of the certificate does not eliminate encryption and other security measures enabled by the certificate.
Was my website misused by an unknown third party?
We are unaware of any customer websites being misused as a result of the software bug.
How will I know when a new certificate has been issued?
We will send a notification to the customer via email.
What additional steps must a customer take after the new certificate is issued?
Customers whose websites are hosted at GoDaddy do not need to do anything once the new certificate is issued; GoDaddy will handle the installation of the new certificate on the customer’s website. However, those customers whose sites are hosted elsewhere will need to install the new certificate on their websites once they are notified it is available.