Let’s Encrypt root certificate expiration warning: Update before Sep 30
2 min readLet’s Encrypt root certificate expiration warning, please update in time before September 30
Let’s Encrypt root certificate expiration warning: Update before Sep 30
Security researcher Scott Helme warned that Let’s Encrypt, one of the world’s largest HTTPs certificate providers, will soon deactivate the old version of the root certificate (Root CA) next week.
This means that millions of websites that rely on it must be updated in time before September 30, or they will face the trouble of not being trusted by computers, devices or web browsers.
(Picture from: Scott Helme )
It is reported that, as a non-profit organization, Let’s Encrypt is committed to promoting the encryption of equipment and Internet data communications by issuing certificates to ensure that information is not intercepted and stolen by third parties.
However, the IdentTrust DST Root CA X3 root certificate currently used by Let’s Encrypt will expire next week. For most website visitors, September 30 may be a calm day.
But for older devices, there may still be some problems-just like the root certificate expiration interruption encountered by AddTrust External CA Root in May this year, Stripe, Red Hat, and Roku are all affected.
Scott Helme wrote in a blog post: “Considering the size difference between Let’s Encrypt and AddTrust, I have a hunch that when the IdenTrust root certificate expires, history will repeat itself and may even cause more problems.”
Of course, potentially vulnerable, mainly those less equipment is updated regularly – such as embedded systems, or run software version years ago, smart phones .
(Picture from: Let’s Encrypt )
For example, users of devices running macOS 2016 and Windows XP SP3 may be in trouble after the end of the month. Client platforms that rely on OpenSSL 1.0.2 or earlier may also be affected. In addition, there are old PlayStation game consoles that have not been upgraded to the new version of the firmware.
In view of the long-standing and well-known problems in the Android ecosystem, in order to prevent most smartphones from being affected by this incident, Let’s Encrypt has transitioned to its own ISRG Root X1 certificate earlier this year (expiration time is 2035) .
Although devices including Android 7.1.1 (Nougat) and earlier do not trust it, Let’s Encrypt is able to cross-sign a self-issued certificate so that most Android devices can avoid being affected in the next three years.
But if you still want to install Firefox on Android 5.0 (Lollipop), it is best to plan for migration to the new platform as soon as possible.
Finally, since its establishment in 2014, as of early September 2021, Let’s Encrypt has issued a total of more than 2 billion certificates.
