Let’s Encrypt is a non-profit certificate authority headquartered in California. Since its launch in 2015 it has issued hundreds of millions of digital certificates to hundreds of millions of websites, making it far easier to secure traffic on the Internet. But the IdenTrust DST Root CA X3 root certificate that it relied on expired on September 30, and many companies are still experiencing problems despite lengthy notice to customers. Well-known companies such as Bluecoat, Palo Alto Networks, Cisco, Guardian Firewall, Google Cloud, Fortinet, Cloudflare, Facebook, Sophos, cPanel and AWS could all be affected.
When it first started issuing certificates, Let’s Encrypt had its own ISRG Root X1 certificate cross-signed by the older IdenTrust DST Root X3 so that its certificates would be trusted immediately by almost all devices. After years of operation, ISRG Root X1 is now trusted by most devices, and a year ago the company began notifying users that DST Root X3 would expire on September 30, 2021.
Root certificates like these are built into your operating system and are usually refreshed as part of normal operating-system updates. The certificate causing the problem here is IdenTrust DST Root CA X3.
Let’s Encrypt has been warning service providers and developers that they may need to take action to prevent any disruption after September 30, but it appears that certificate expirations are still causing problems for many.
What are the risks of an expired CA certificate?
According to Anxin Certificate, a domestic certificate authority, an expired CA certificate exposes a website’s users to various network-based security risks: man-in-the-middle attacks, packet sniffing, theft of private information, and so on. When any of these happens, the website’s business suffers considerably, because no one trusts a website that cannot protect customer data.
In addition to opening the floodgates to security risks, it lowers SEO rankings, leading to lost traffic, data theft, and damage to online reputation. Moreover, mainstream browsers such as Chrome and Firefox show security warnings for websites without a valid CA-issued certificate, which greatly degrades the customer experience.
Also, not updating the SSL may put you (the website owner) in conflict with existing laws and regulations. Data security and privacy laws around the world require website owners to protect the best interests of their users or customers.
Who will be affected by the expiration of Let’s Encrypt’s root certificate?
British security researcher Scott Helme was one of the first experts to focus on the issue. On September 20, 2021, Helme published an article predicting that “something may fall apart.” It seems his concern was not unfounded.
According to Helme, once the DST Root X3 certificate expired, many major organizations appeared to experience issues, including Bluecoat, Palo Alto Networks, Cisco, Catchpoint, Guardian Firewall, Monday.com, Cerb, OPNsense, Google Cloud, OVH, Auth0, Shopify, Xero, Fastly, Fortinet, Heroku, InstaPage, Cloudflare, MailGun, Facebook, Sophos, cPanel, AWS and DigitalOcean. It’s worth noting that not all of these organizations have confirmed being affected, and in some cases the issues appear to stem from their use of third-party services.
Helme said many companies restored affected services shortly after the problem arose. However, devices running older operating systems that haven’t received an update in years may continue to experience issues: if they don’t receive an OS update, they also don’t receive new root certificates such as Let’s Encrypt’s ISRG Root X1.
Older devices that don’t trust ISRG Root X1 may get a certificate warning when visiting a website that uses a Let’s Encrypt certificate.
Helme stated in his article that the following clients will break after the expiration of IdenTrust DST Root CA X3:
OpenSSL <= 1.0.2
Windows < XP SP3
macOS < 10.12.1
iOS < 10 (iPhone 5 is the minimum model that can be upgraded to iOS 10)
Android < 7.1.1 (but >= 2.3.6 will work if ISRG Root X1 cross-signature is provided)
Mozilla Firefox < 50
Ubuntu < 16.04
Debian < 8
Java 8 < 8u141
Java 7 < 7u151
NSS < 3.26
Amazon FireOS (Silk browser)
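The client list above comes down to how each client builds a path from the server’s certificate to a trust anchor. The following is an added example, not code from Let’s Encrypt or from Helme’s article: a toy path-building model with constructed certificate records (no real signatures are checked; the function and scenario names, the cross-signed copy of ISRG Root X1, the R3 intermediate, the leaf and their expiry dates are all constructed, only the two root expiry dates are the ones given in the article). It shows why one and the same server chain validates on an updated client that prefers trust anchors, fails on a client that walks the server-sent chain first (modelled on the documented OpenSSL 1.0.2 behaviour), fails on a device that never received ISRG Root X1, and still passes on a client that trusts DST Root X3 but does not expiry-check its own trust anchors (the old-Android case in the list).

```python
"""Toy X.509 path-building model for the DST Root X3 expiry.

Added example, not code from Let's Encrypt or from Scott Helme's article.
Certificates are small records (subject, issuer, expiry); no signatures are
verified. Trust-store contents and path-building policy are the inputs.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


# Constructed sample hierarchy modelled on the public Let's Encrypt chain.
# The two root expiry dates are the ones given in the article; the other
# three dates are constructed sample values.
DST_ROOT_X3 = Cert("DST Root CA X3", "DST Root CA X3", date(2021, 9, 30))
ISRG_ROOT_X1 = Cert("ISRG Root X1", "ISRG Root X1", date(2035, 6, 4))
ISRG_ROOT_X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", date(2024, 9, 30))
R3 = Cert("R3", "ISRG Root X1", date(2025, 9, 15))
LEAF = Cert("www.example.test", "R3", date(2021, 12, 31))

# A typical server-sent chain: leaf, intermediate, cross-signed ISRG Root X1.
SERVER_CHAIN = [LEAF, R3, ISRG_ROOT_X1_CROSS]
DAY_AFTER_EXPIRY = date(2021, 10, 1)


def build_path(chain, trust_store, today, trusted_first=True, check_anchor_expiry=True):
    """Walk from the leaf towards a trust anchor.

    Returns (ok, [subjects on the path], reason).
    trusted_first=True: when the issuer of the current certificate is in the
    trust store, use the stored copy instead of the server-sent one.
    trusted_first=False: follow the server-sent chain first and consult the
    trust store only when the chain runs out.
    check_anchor_expiry=False: skip the expiry check on the trust anchor itself.
    """
    anchors = {c.subject: c for c in trust_store}
    supplied = {c.subject: c for c in chain}
    path = [chain[0]]
    for _ in range(10):  # bound the walk; real chains are short
        cur = path[-1]
        subjects = [c.subject for c in path]
        is_anchor = anchors.get(cur.subject) == cur
        if (check_anchor_expiry or not is_anchor) and cur.not_after < today:
            return False, subjects, f"{cur.subject} expired on {cur.not_after}"
        if is_anchor:
            return True, subjects, f"anchored at {cur.subject}"
        if cur.self_signed:
            return False, subjects, f"{cur.subject} is self-signed but not trusted"
        if trusted_first and cur.issuer in anchors:
            nxt = anchors[cur.issuer]          # prefer the stored trust anchor
        elif cur.issuer in supplied:
            nxt = supplied[cur.issuer]         # otherwise continue along the sent chain
        elif cur.issuer in anchors:
            nxt = anchors[cur.issuer]
        else:
            return False, subjects, f"no certificate found for issuer {cur.issuer}"
        path.append(nxt)
    return False, [c.subject for c in path], "path too long"


def updated_client():
    """Updated OS: has ISRG Root X1 and prefers trust anchors while building."""
    return build_path(SERVER_CHAIN, [DST_ROOT_X3, ISRG_ROOT_X1], DAY_AFTER_EXPIRY)


def legacy_openssl_client():
    """OpenSSL <= 1.0.2 style: has ISRG Root X1 but follows the sent chain to DST Root X3."""
    return build_path(SERVER_CHAIN, [DST_ROOT_X3, ISRG_ROOT_X1], DAY_AFTER_EXPIRY,
                      trusted_first=False)


def never_updated_client():
    """Device that never received ISRG Root X1 at all."""
    return build_path(SERVER_CHAIN, [DST_ROOT_X3], DAY_AFTER_EXPIRY)


def old_android_client():
    """Trusts only DST Root X3 but does not expiry-check its trust anchors."""
    return build_path(SERVER_CHAIN, [DST_ROOT_X3], DAY_AFTER_EXPIRY,
                      trusted_first=False, check_anchor_expiry=False)


if __name__ == "__main__":
    for scenario in (updated_client, legacy_openssl_client,
                     never_updated_client, old_android_client):
        ok, path, reason = scenario()
        print(f"{scenario.__name__:22} {'OK  ' if ok else 'FAIL'} "
              f"{' -> '.join(path)}  ({reason})")
```

The useful takeaway for operators is that the `legacy_openssl_client` case fails even though ISRG Root X1 is present in its trust store, because the server-sent cross-signed certificate leads the walk to the expired DST Root X3; serving a chain that stops at ISRG Root X1, or getting the client updated, is what makes that case pass.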
What can Let’s Encrypt do?
As Helme put it, the problem isn’t caused by anything Let’s Encrypt did or didn’t do: all certificates expire eventually, and devices that aren’t updated never receive the replacement certificate. That said, Let’s Encrypt hasn’t been sitting idle as the expiration date approached; it has been working hard on a solution.
Back in April 2019, Helme wrote about Let’s Encrypt’s plan to transition to its own root certificate, moving from the IdenTrust root to ISRG Root X1, which expires on June 4, 2035 and so gives users quite a while. The problem is that not many devices have received the updates that include this new ISRG Root X1, even though it was in fact released in 2015. If a large number of devices don’t receive an update that includes the new root certificate, they won’t trust it. This is basically the same problem I’m seeing now with the expired IdenTrust root certificate: client devices haven’t updated, so they haven’t received the new ISRG Root X1.
Shortly after the root certificate expired, Let’s Encrypt reported seeing more certificate renewals than usual and noted that it may take longer for customers to obtain a certificate. Users experiencing issues due to the expired certificate have been directed to the Let’s Encrypt community forum, where related issues are currently being discussed.