App sync issues – IdenTrust DST root CA X3 certificate expiry

On the 30th September 2021, the root certificate that all Let’s Encrypt SSL certificates are based on, namely the “IdenTrust DST Root CA X3” certificate, expired.

What this means is that if any of your online services use a Let’s Encrypt SSL certificate then there is a chance that some devices will no longer be able to connect to your online service(s).

To be more specific, if you are using a Let’s Encrypt SSL certificate you likely now have an incomplete SSL chain, meaning some older operating systems and other software will reject all connections to your web service(s) because they can no longer be trusted.

Affected Clients

Whether or not you will experience any disruptions depends on the software and/or operating system you use when connecting to a Let’s Encrypt SSL secured web service.

Android in particular is insistent on completely valid SSL certificate chains, so you should expect some problems there.

Below is a list of all currently known clients affected by the expiry of the “IdenTrust DST Root CA X3” certificate:

  • OpenSSL <= 1.0.2
  • Windows < XP SP3
  • macOS < 10.12.1
  • iOS < 10 (iPhone 5 is the lowest model that can get to iOS 10)
  • Android < 7.1.1 (but >= 2.3.6 will work if served ISRG Root X1 cross-sign)
  • Newer Android versions may also have problems (depends on manufacturer)

What this means is that if, for example, you have an external web service that you connect to directly from within the app on an Android device, and that web service relies on the now-expired Let’s Encrypt SSL chain, then the operating system *may* treat all connections to your web service as untrusted and reject them.

Regenerate Your SSL Certificate

Given that the root Let’s Encrypt certificate has expired, you must regenerate your SSL certificate and install the fresh certificate on the target server hosting your external web service.

The fresh certificate from Let’s Encrypt will reference a non-expired root certificate, meaning there should be no further issues for most affected devices attempting to connect to your external web services.
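
One way to confirm which chain your server presents after the new certificate is installed is to check the "Certificate chain" section printed by `openssl s_client -showcerts`. The script below is an added example, not part of the original article or the platform's own tooling; the host name and both sample chains are constructed, and R3 is assumed as the issuing Let’s Encrypt intermediate.

```python
import re

EXPIRED_ROOT = "DST Root CA X3"

# Constructed sample: "Certificate chain" section as printed by
# `openssl s_client -connect <host>:443 -showcerts` (host name is a placeholder).
OLD_CHAIN = """Certificate chain
 0 s:CN = api.example.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
"""
# Constructed sample: the same server with the cross-signed entry no longer sent.
NEW_CHAIN = OLD_CHAIN.split(" 2 s:")[0] + "---\n"

_ENTRY = re.compile(r"^\s*(\d+)\s+s:(.*)\n\s+i:(.*)$", re.M)
_CN = re.compile(r"\bCN\s*=\s*([^,/\n]+)")  # "CN = x" and OpenSSL 1.0.2 "/CN=x"


def _cn(name):
    """Extract the common name from a subject/issuer line, or return it whole."""
    m = _CN.search(name)
    return (m.group(1) if m else name).strip()


def parse_chain(text):
    """Return [(depth, subject_cn, issuer_cn), ...] in the order the server sent them."""
    return [(int(d), _cn(s), _cn(i)) for d, s, i in _ENTRY.findall(text)]


def check_chain(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    chain = parse_chain(text)
    if not chain:
        return ["no certificate chain found in input"]
    findings = []
    for depth, subject, issuer in chain:
        if EXPIRED_ROOT in (subject, issuer):
            findings.append(f"depth {depth}: {subject} <- {issuer}: references expired {EXPIRED_ROOT}")
    for (depth, _, issuer), (_, next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:  # each certificate should be issued by the next one sent
            findings.append(f"depth {depth}: issuer {issuer} is not the next certificate sent")
    if len(chain) == 1 and chain[0][1] != chain[0][2]:
        findings.append("only the leaf was sent: intermediate certificate missing")
    return findings
```

Save the output of `openssl s_client` for your own server to a file and pass its contents to `check_chain` to get the same report.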

Resolving Issues With Older Devices

1. Android devices

  • Upgrade your devices to use Android version 7.1.1 or newer.

2. iOS devices

  • Upgrade your devices to use iOS version 10 or newer.

3. Windows devices

Platform (WaaS) SSL Certificates

Our official advice for purchasing WaaS SSL certificates is to buy them from Comodo, so you do not have to worry about anything here unless you are using a Let’s Encrypt certificate for your WaaS in combination with an affected client/device as listed above.

The same possible solutions as explained above apply here as well.

More Information

Some helpful external resources that may help you in case you require more information:
