Sept. 30, 2021: Will we see trouble with old Let's Encrypt certificates?

[German]Do you run websites whose certificates are issued by Let's Encrypt? Then there could be problems on September 30, 2021. The root certificate that Let's Encrypt's certificate chain has so far been anchored to loses its validity on this day (the intermediate R3 expires on 2021/09/29 at 19:21:40 GMT; the DST Root CA X3 expires on 2021/09/30 at 14:01:15 GMT). Clients that only know the old root certificate will no longer be able to verify Let's Encrypt server certificates after that. Addendum: We have seen issues.


Let's Encrypt has published a list of affected products here. Below is an excerpt listing the platforms that should still work and those known to be incompatible.

Platforms that trust ISRG Root X1

Browsers (Chrome, Safari, Edge, Opera) generally trust the same root certificates as the operating system they are running on. Firefox is the exception: it has its own root store. Soon, new versions of Chrome will also have their own root store.

Platforms that trust DST Root CA X3

  • Windows >= XP SP3
  • macOS (most versions)
  • iOS (most versions)
  • Android >= v2.3.6
  • Mozilla Firefox >= v2.0
  • Ubuntu >= precise / 12.04
  • Debian >= squeeze / 6
  • Java 8 >= 8u101
  • Java 7 >= 7u111
  • NSS >= v3.11.9
  • Amazon FireOS (Silk Browser)
  • Cyanogen > v10
  • Jolla Sailfish OS > v1.1.2.16
  • Kindle > v3.4.1
  • Blackberry >= 10.3.3
  • PS4 game console with firmware >= 5.00

You may want to visit this 2015-2017 community forum discussion for more information about compatibility.

Known Incompatible

  • Blackberry < v10.3.3
  • Android < v2.3.6
  • Nintendo 3DS
  • Windows XP prior to SP3
    • cannot handle SHA-2 signed certificates
  • Java 7 < 7u111
  • Java 8 < 8u101
  • Windows Live Mail (2012 mail client, not webmail)
    • cannot handle certificates without a CRL
  • PS3 game console
  • PS4 game console with firmware < 5.00

Addendum: We have seen issues

German blog readers have left feedback that they ran into issues. Sorting it out, there are several pitfalls.

  • Some users that renewed their Let's Encrypt certificates within the last few days still received certificates that were signed with the now outdated root certificates.
  • Some admins reported outdated Let's Encrypt certificates on IIS.
  • Some admins reported outdated Let's Encrypt certificates on Exchange.
  • And it seems that Sophos UTM is using a Let's Encrypt certificate that blocks access to mail and web servers.

Some admins were facing the situation that iOS 14/15 mail clients could not access the mail server. After renewing the certificates on Exchange and/or Sophos UTM, the issue was resolved.
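The pitfalls above share one mechanism: the server's own certificate is fine, but the chain file next to it still carries an intermediate that has expired, so a client that relies on the server-supplied chain fails while one that has the replacement intermediate cached does not. The following script is an added example, not code from this post or from Let's Encrypt, that reproduces this with a constructed toy PKI: one root, one intermediate subject and key issued twice with different lifetimes (standing in for the expired R3 chain and its replacement), and one leaf. It then verifies the same leaf three days out, once with the old intermediate and once with the new one. All file and subject names are assumptions; it only requires the openssl CLI (1.1.0 or later, whose `verify` exits non-zero on failure).

```shell
#!/bin/sh
# Added example, not from the blog post: reproduce the "expired intermediate" failure
# with a constructed toy PKI. Needs the openssl CLI (1.1.0+, whose `verify` exits
# non-zero on failure). All names below are assumptions; nothing here is a real
# Let's Encrypt certificate or key.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

gen_key() { openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null; }

# Long-lived self-signed root (the trust anchor a client has in its store).
gen_key root.key
openssl req -x509 -new -key root.key -days 3650 -subj "/CN=Toy Root" -out root.pem

# One intermediate subject and key, issued twice by the root with different lifetimes:
# int_old.pem expires tomorrow (the stale intermediate in a server's chain file),
# int_new.pem lasts five years (the replacement). Intermediates need CA:TRUE,
# otherwise verify rejects them as invalid CAs.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
gen_key int.key
openssl req -new -key int.key -subj "/CN=Toy R3" -out int.csr
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1 -extfile ca.ext -out int_old.pem 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1825 -extfile ca.ext -out int_new.pem 2>/dev/null

# The server's own (leaf) certificate, valid for 90 days, signed with the intermediate key.
# Its issuer name is "Toy R3", so it chains through either intermediate certificate.
gen_key leaf.key
openssl req -new -key leaf.key -subj "/CN=www.example.test" -out leaf.csr
openssl x509 -req -in leaf.csr -CA int_new.pem -CAkey int.key -CAcreateserial \
    -days 90 -out leaf.pem 2>/dev/null

# chain_status <intermediate file> <epoch seconds>: verify leaf.pem against the trusted
# root, treating the given intermediate as the chain the server sends, at the given time.
chain_status() {
    if openssl verify -CAfile root.pem -untrusted "$1" -attime "$2" leaf.pem >/dev/null 2>&1; then
        echo valid
    else
        echo invalid
    fi
}

NOW=$(date +%s)
LATER=$(( NOW + 3 * 86400 ))   # three days on: old intermediate expired, leaf still fine

echo "work dir: $WORK"
echo "old intermediate: $(openssl x509 -in int_old.pem -noout -enddate)"
echo "new intermediate: $(openssl x509 -in int_new.pem -noout -enddate)"
echo "leaf with old chain, now:   $(chain_status int_old.pem "$NOW")"      # valid
echo "leaf with old chain, later: $(chain_status int_old.pem "$LATER")"    # invalid
echo "leaf with new chain, later: $(chain_status int_new.pem "$LATER")"    # valid
```

The third and fourth lines of output are the point: nothing about the leaf changed, only the intermediate the verifier was handed. To run the same check against a real server, capture the chain it actually sends with `openssl s_client -connect host:443 -showcerts` and look at the `notAfter` of each certificate after the first; an expired intermediate there means the chain file (or, per the IIS reports, the cached chain) needs replacing even though the leaf renewed cleanly.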


Addendum: I've written another blog post about that, see Let's Encrypt certificate trouble with Windows, Sophos UTM, macOS/iOS (2021/09/30).



This entry was posted in Security.

21 Responses to Sept. 30, 2021: Will we see trouble with old Let's Encrypt certificates?

  1. Martin Bene says:

    There are issues with IIS; the certificates are actually OK, but when building the certificate chain it sends, it prefers the old and now expired R3 intermediate certificate.

    It keeps sending the expired intermediate certificate even after the actual expiry date until the server is rebooted; this breaks clients that don't provide intermediate certificates themselves (like iOS). Other clients (Windows) continue working just fine.

    * Renewing the certificates on the server causes the chains to be rebuilt and fixes the issue
    * Rebooting the server causes the chains to be rebuilt and also fixes the issue.
    * Just issuing an iisreset does NOT fix the issue

    • guenni says:

      Thanks, that was what I read in the feedback from my German readers – haven't had time yet to address it in a separate post.

      Post added – see Let's Encrypt certificate trouble with Windows, Sophos UTM, macOS/iOS (2021/09/30)

    • Irrelevant says:

      Panic googled as I suddenly couldn't access several of my set tabs in Chrome, and found this. Firefox still works, but I desperately need Chrome as an "add-on" browser, as FF is too heavy and freezes if having too much open simultaneously.

      I'm using WinXP SP3 and Google Chrome 49.0.2623.112, which can't be updated anymore. I need to keep this setup for work related reasons.

      PLEASE, please, can someone give me a step by step instruction (used to work w/ support, so know my way around somewhat) on how to fix this??

      Thanks in advance.

      • guenni says:

        Fear you beyond the edge! Windows XP is out of support since 2014 – don't know if somebody is still using that thing. And it should not be used to connect to the internet – imho.

        If you use this machine for an inhouse solution without Internet connection, please contact a local IT supporter. Sorry for the answer – although others are free to comment how to delete the old certificates and add a new certificate.

        • john stone says:

          You should be sorry, as that kind of comment is the highest form of trash, produced mainly by people who have nothing valuable to say so they want to say trash of subzero value.. people have reasons or the will to use old systems and you had better respect that or be quiet

          • Irrelevant says:

            Thank you, mr Stone, for saving me the time and nuisance to have to respond to the above comment. I can only agree — which I also stated in my original post, guenni!

  2. john stone says:

    Thanks much, you saved me nerves… I'm sitting on XP SP3 and a lot of pages on Chrome 49 stopped loading (the error was saying I got the wrong time set on the clock) … Firefox runs, fortunately.. I set the clock 2 days back to enter some pages on Chrome too, but it wouldn't work too much I guess… btw I've seen I got this 'automatic root certificate updates' loaded, so why doesn't it work on Chrome? Thanks anyway for clearing up the error, as it was frustrating as hell

    • Mustafa says:

      Same here, I was going mad, then I realized all the sites I had problems with had the same issuer. I didn't know that so many sites are using that service.

    • Irrelevant says:

      Exactly the same here (although not savvy enough to know anything about automatic root certificate updates etc.) Mind sharing what you did, so maybe I too can get to Oct 2 (workaround for now is being on Sep 23 …)?

    • Irrelevant says:

      Check Solved's comment at the bottom. Just executed and resolved.

  3. Jean-François says:

    you can add Fortinet Firewall affected by this certificate expiration (rules with ssl inspection proxy-based)

  5. Irrelevant says:

    Why is my comment deleted, it's been deleted TWICE now?

    • guenni says:

      Because I'm moderating new comments. Won't see here SEO spam advertising cialis, cheap loan credits, cracked software and so on. I've approved your comment and deleted the double comment.

      • Irrelevant says:

        Thank you — I was wondering why my initial comment wasn't approved though. Ofc both this comment and the question above are now redundant as well.

  6. Pouya says:

    What is the solution to resolve the issue?

    • Irrelevant says:

      I believe it's to manually download and install a new, current certificate. Problem is, I don't know how to, however. HTHS!

  7. Jair Cueva Junior says:

    Ubuntu 16.04 doesn't recognize it at all.
    Tried to update /etc/ssl/certs/ca-certificates.crt but no effect.
    The only thing that made it work was to update the openssl package and then update curl pointing to the new openssl (all done by compiling) to get curl to work.
    wget still not working as it's pre-compiled with the old openssl…
    Still wondering if it has something to do with this topic or is just a coincidence.

  8. Toan says:

    Hi all,
    I suddenly couldn't visit several sites, including a shopify store for work, did several things on my machine – clearing caches, double-checking my computer clock, etc. to no avail. My system is Windows 7 and shouldn't be affected as suggested in the above list, yet it's still happening and I can't afford to switch platforms. Are there any steps I can take to resolve this?

    Desperately 😭😭😭😭😭

  9. Solved says:

    Solution for XP SP3 would be to download the new X1 certificate from letsencrypt.org and install it manually:

    – Temporary workaround is setting your system time to a date before Sep 29th 2021

    – Open https://letsencrypt.org/certs/isrgrootx1.pem.txt in Firefox and then click File -> Save Page As
    – Open Chrome and type "chrome://settings" (without double quotes)
    – Scroll down and click "Advanced settings"
    – Scroll down even more and click the button under "HTTPS/SSL"
    – Click Import…, then select the text file you downloaded in the first step

    • Irrelevant says:

      You've NO idea what a huge load you just took from my shoulders w/ this. Thanks SO much — works perfectly (AFA I've been able to judge so far)! I'll be sure to save, and share, these instructions where others may ask for them!

  10. Tim says:

    If anyone is having issues with their Windows IIS server certificate chain continuously finding the expired DST root cert instead of the ISRG cert, I've written a short guide to how I fixed this issue here: https://timstech.blog/?p=223
    Hope it can help someone :)
