{"id":21553,"date":"2021-09-30T00:01:00","date_gmt":"2021-09-29T22:01:00","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=21553"},"modified":"2023-05-12T06:34:10","modified_gmt":"2023-05-12T04:34:10","slug":"sept-30-2021-will-we-see-trouble-with-old-lets-encrypt-certificates","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2021\/09\/30\/sept-30-2021-will-we-see-trouble-with-old-lets-encrypt-certificates\/","title":{"rendered":"Sept. 30, 2021: Will we see trouble with old Let's Encrypt certificates?"},"content":{"rendered":"<p><img decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline;\" title=\"Stop - Pixabay\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2021\/06\/Stop01.jpg\" align=\"left\" \/>[<a href=\"https:\/\/www.borncity.com\/blog\/?p=258134\" target=\"_blank\" rel=\"noopener\">German<\/a>]Do you run websites that are signed via Let's Encrypt certificates? Then there could possibly be problems on\u00a0 September 30, 2021. This is because the root certificate used by Let's Encrypt to sign client certificates will lose its validity on this day (expiry of Intermediate R3 on 2021\/09\/29 at 19:21:40 GMT &#8211; the DST Root CA X3 expires on 2021\/09\/30 14:01:15 GMT). Clients that only know the old root certificates will not be able to verify Let's Encrypt server certificates after that. <strong>Addendum:<\/strong> We have seen issues.<\/p>\n<p><!--more--><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/vg08.met.vgwort.de\/na\/14764b3b5d434582ba480da46aab2d54\" alt=\"\" width=\"1\" height=\"1\" \/>Let's Encrypt has published a list of affected products <a href=\"https:\/\/letsencrypt.org\/docs\/certificate-compatibility\/\" target=\"_blank\" rel=\"noopener\">here<\/a>. Below is an excerpt of the platforms that should still work.<\/p>\n<h3>Platforms that trust ISRG Root X1<\/h3>\n<ul>\n<li>Windows &gt;= XP SP3 (assuming Automatic Root Certificate Update isn't manually disabled)<\/li>\n<li><a href=\"https:\/\/twitter.com\/letsencrypt\/status\/790960929504497665?lang=en\" target=\"_blank\" rel=\"noopener\">macOS &gt;= 10.12.1<\/a><\/li>\n<li><a href=\"https:\/\/support.apple.com\/en-us\/HT207177\" target=\"_blank\" rel=\"noopener\">iOS &gt;= 10<\/a> (<a href=\"https:\/\/support.apple.com\/en-us\/HT205205\">iOS 9 does not include it<\/a>)<\/li>\n<li><a href=\"https:\/\/en.wikipedia.org\/wiki\/IPhone_5\" target=\"_blank\" rel=\"noopener\">iPhone 5 and above can upgrade to iOS 10<\/a> and can thus trust ISRG Root X1<\/li>\n<li><a href=\"https:\/\/android.googlesource.com\/platform\/system\/ca-certificates\/+\/android-7.1.1_r15\" target=\"_blank\" rel=\"noopener\">Android &gt;= 7.1.1<\/a> (but Android &gt;= 2.3.6 will work by default <a href=\"https:\/\/letsencrypt.org\/2020\/12\/21\/extending-android-compatibility.html\" target=\"_blank\" rel=\"noopener\">due to our special cross-sign<\/a>)<\/li>\n<li><a href=\"https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1204656\" target=\"_blank\" rel=\"noopener\">Mozilla Firefox &gt;= 50.0<\/a><\/li>\n<li><a href=\"https:\/\/web.archive.org\/web\/20210923021024\/https:\/\/packages.ubuntu.com\/xenial\/all\/ca-certificates\/filelist\" target=\"_blank\" rel=\"noopener\">Ubuntu &gt;= xenial \/ 16.04<\/a> (with updates applied)<\/li>\n<li><a href=\"https:\/\/packages.debian.org\/jessie\/all\/ca-certificates\/filelist\" target=\"_blank\" rel=\"noopener\">Debian &gt;= jessie \/ 8<\/a> (with updates applied)<\/li>\n<li><a href=\"https:\/\/www.oracle.com\/java\/technologies\/javase\/8u141-relnotes.html\" target=\"_blank\" rel=\"noopener\">Java 8 &gt;= 8u141<\/a><\/li>\n<li><a href=\"https:\/\/www.oracle.com\/java\/technologies\/javase\/7u151-relnotes.html\" target=\"_blank\" rel=\"noopener\">Java 7 &gt;= 7u151<\/a><\/li>\n<li><a href=\"https:\/\/web.archive.org\/web\/20211207014436\/https:\/\/developer.mozilla.org\/en-US\/docs\/Mozilla\/Projects\/NSS\/NSS_3.26_release_notes\" target=\"_blank\" rel=\"noopener\">NSS &gt;= 3.26<\/a><\/li>\n<\/ul>\n<p>Browsers (Chrome, Safari, Edge, Opera) generally trust the same root certificates as the operating system they are running on. Firefox is the exception: it has its own root store. Soon, new versions of Chrome will <a href=\"https:\/\/www.chromium.org\/Home\/chromium-security\/root-ca-policy\">also have their own root store<\/a>.<\/p>\n<h3>Platforms that trust DST Root CA X3<\/h3>\n<ul>\n<li>Windows &gt;= XP SP3<\/li>\n<li>macOS (most versions)<\/li>\n<li>iOS (most versions)<\/li>\n<li><a href=\"https:\/\/twitter.com\/Tutancagamon\/status\/600783165087752192\" target=\"_blank\" rel=\"noopener\">Android &gt;= v2.3.6<\/a><\/li>\n<li>Mozilla Firefox &gt;= v2.0<\/li>\n<li>Ubuntu &gt;= precise \/ 12.04<\/li>\n<li><a href=\"https:\/\/twitter.com\/TokenScandi\/status\/600806080684359680\" target=\"_blank\" rel=\"noopener\">Debian &gt;= squeeze \/ 6<\/a><\/li>\n<li>Java 8 &gt;= 8u101<\/li>\n<li>Java 7 &gt;= 7u111<\/li>\n<li>NSS &gt;= v3.11.9<\/li>\n<li>Amazon FireOS (Silk Browser)<\/li>\n<li>Cyanogen &gt; v10<\/li>\n<li>Jolla Sailfish OS &gt; v1.1.2.16<\/li>\n<li>Kindle &gt; v3.4.1<\/li>\n<li>Blackberry &gt;= 10.3.3<\/li>\n<li>PS4 game console with firmware &gt;= 5.00<\/li>\n<\/ul>\n<p>You may want to visit <a href=\"https:\/\/community.letsencrypt.org\/t\/which-browsers-and-operating-systems-support-lets-encrypt\/\" target=\"_blank\" rel=\"noopener\">this 2015-2017 community forum discussion<\/a> for more information about compatibility.<\/p>\n<h3>Known Incompatible<\/h3>\n<ul>\n<li>Blackberry &lt; v10.3.3<\/li>\n<li>Android &lt; v2.3.6<\/li>\n<li>Nintendo 3DS<\/li>\n<li>Windows XP prior to SP3\n<ul>\n<li>cannot handle SHA-2 signed certificates<\/li>\n<\/ul>\n<\/li>\n<li>Java 7 &lt; 7u111<\/li>\n<li>Java 8 &lt; 8u101<\/li>\n<li>Windows Live Mail (2012 mail client, not webmail)\n<ul>\n<li>cannot handle certificates without a CRL<\/li>\n<\/ul>\n<\/li>\n<li>PS3 game console<\/li>\n<li>PS4 game console with firmware &lt; 5.00<\/li>\n<\/ul>\n<h2>Addendum: We have seen issues<\/h2>\n<p>German blog readers has left the feedback, that they run into issues. Sorting it out, there are several pitfalls.<\/p>\n<ul>\n<li>Some users that has re-newed Let's Encrypt certificates within the last days still got certificates, that has been signed with the now outdates root certificates.<\/li>\n<li>Some admin reported outdates Let's Encrypt certificates on IIS.<\/li>\n<li>Some admin reported outdates Let's Encrypt certificates on Exchange.<\/li>\n<li>And it seems that Sophos UTM is using a Let's Encrypt certificate, that blocks access to mail and web servers.<\/li>\n<\/ul>\n<p>Some admins was facing the situation, that iOS 14\/15 mail clients could not access the mail server. After re-newing the certificates on Exchange and\/or Sophos UTM, the issue has been resolved.<\/p>\n<p><strong>Addendum:<\/strong> I've written another blog post about that, see\u00a0<a href=\"https:\/\/borncity.com\/win\/2021\/09\/30\/lets-encrypt-zertifikate-rger-mit-windows-sophos-utm-macos-ios-30-9-2021\/\" rel=\"bookmark\">Let's Encrypt certificate trouble with Windows, Sophos UTM, macOS\/iOS (2021\/09\/30)<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]Do you run websites that are signed via Let's Encrypt certificates? Then there could possibly be problems on\u00a0 September 30, 2021. This is because the root certificate used by Let's Encrypt to sign client certificates will lose its validity on &hellip; <a href=\"https:\/\/borncity.com\/win\/2021\/09\/30\/sept-30-2021-will-we-see-trouble-with-old-lets-encrypt-certificates\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580],"tags":[69],"class_list":["post-21553","post","type-post","status-publish","format-standard","hentry","category-security","tag-security"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/21553","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=21553"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/21553\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=21553"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=21553"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=21553"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}