Let's Encrypt Root Certificate Expired: What You Need to Know

Let’s Encrypt Root Certificate Expiration and Potential Impacts
A root certificate used by Let’s Encrypt, one of the largest providers of HTTPS certificates, expired this week. Most devices will not notice, but some older ones need a software update to keep connecting to sites that use Let’s Encrypt certificates.
The Role of Let’s Encrypt and HTTPS Certificates
Let’s Encrypt is a non-profit organization that issues free TLS certificates. A certificate lets a browser verify that it is talking to the genuine site and encrypts the traffic between your device and that site, so an eavesdropper on the path cannot read or tamper with it. Millions of websites currently depend on Let’s Encrypt for this security layer.
Security researcher Scott Helme had warned in advance that IdenTrust’s DST Root CA X3 certificate would expire on September 30th. After that date, clients (computers, phones, embedded devices and web browsers) that still rely on that root as their trust anchor may reject certificate chains that terminate at it.
Impact on Users
The vast majority of internet users will likely experience no disruption. Older devices, however, may run into the same kind of problems seen when the AddTrust External CA Root certificate expired in May 2020.
Stripe, Red Hat and Roku were among the companies that reported outages after that earlier expiration, and Helme anticipates potentially wider issues this time because Let’s Encrypt is used on a much larger scale.
Which Devices Are Most Vulnerable?
Devices that receive infrequent updates are most at risk. This includes embedded systems designed without automatic updates, and smartphones running outdated software versions.
Specifically, users of macOS older than 10.12.1 (2016), Windows XP before Service Pack 3, or clients built on OpenSSL 1.0.2 or older may face difficulties, because those trust stores do not contain Let’s Encrypt’s own root or handle the expired root badly. Older PlayStation consoles that have not received a firmware update are also potentially affected.
Android and the ISRG Root X1 Certificate
Android devices have historically faced challenges with operating system updates. However, Let’s Encrypt has implemented a workaround to mitigate the impact of the expiration.
The organization has transitioned to its own ISRG Root X1 certificate, which remains valid until 2035. Android versions older than 7.1.1 (Nougat) do not trust ISRG Root X1, so Let’s Encrypt obtained a cross-signature for it from the expiring DST Root CA X3, valid until September 2024. That works because Android does not enforce the expiry date of a root already in its trust store, which keeps most Android devices working for at least three more years.
For devices on Android 5.0 (Lollipop) or later that no longer receive system updates, Let’s Encrypt recommends installing the Firefox browser, which ships with its own independently maintained list of trusted root certificates.
Recommendations and Mitigation
On Android phones, the built-in browser relies on the operating system’s trust store, which stops being updated once the device stops receiving OS updates. Firefox avoids this by shipping with its own current list.
Let’s Encrypt, which has issued over two billion certificates since its founding in 2014, advises site operators to assess how many of their clients run the affected OpenSSL versions or older operating systems.
For operators whose clients cannot be upgraded, Let’s Encrypt suggests choosing which certificate chain the server sends. The default chain includes the new cross-signed ISRG Root X1 and keeps old Android devices working; the shorter alternate chain, which ends at ISRG Root X1 itself, avoids the expired root for clients such as OpenSSL 1.0.2 that fail on it. No single chain satisfies both groups, so the choice depends on which clients matter for a given site.
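The trade-off between the two chains is easier to see in code. The Python below is an added illustration, not Let’s Encrypt’s or this article’s code: it models, in simplified form, how different client profiles build a path for each chain. The notAfter dates of the real certificates are taken from Let’s Encrypt’s published hierarchy; the leaf certificate, the dates used as "today", and the client profiles are constructed for the example, and the model matches certificates by subject and issuer name only, with no signature checking.

```python
"""Simplified model of TLS certificate path building after the DST Root CA X3
expiry.  Added example, not Let's Encrypt's or the article's code: it matches
certificates by subject/issuer name only and verifies no signatures, so it
shows why each client profile passes or fails and nothing more."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date


# Let's Encrypt hierarchy; notAfter dates from the published certificates.
DST_ROOT_X3 = Cert("DST Root CA X3", "DST Root CA X3", date(2021, 9, 30))
ISRG_ROOT_X1 = Cert("ISRG Root X1", "ISRG Root X1", date(2035, 6, 4))
ISRG_X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", date(2024, 9, 30))
R3 = Cert("R3", "ISRG Root X1", date(2025, 9, 15))
# Constructed leaf certificate (Let's Encrypt leaves live 90 days).
LEAF = Cert("example.com", "R3", date(2021, 12, 30))

# The two chains a server could send in late 2021.
LONG_CHAIN = [LEAF, R3, ISRG_X1_CROSS]   # default chain, ends at the cross-sign
SHORT_CHAIN = [LEAF, R3]                 # alternate chain, ends at ISRG Root X1


@dataclass(frozen=True)
class Client:
    name: str
    trust_store: tuple          # Cert objects the client accepts as anchors
    trusted_first: bool         # prefer a store cert whose subject matches a
                                # served cert's issuer (OpenSSL >= 1.1.0 style)
    checks_anchor_expiry: bool  # Android ignores notAfter of the anchor


# Constructed client profiles approximating the cases discussed in the article.
MODERN = Client("OpenSSL 1.1.0+ / current OS", (DST_ROOT_X3, ISRG_ROOT_X1), True, True)
OPENSSL_102 = Client("OpenSSL 1.0.2, both roots present", (DST_ROOT_X3, ISRG_ROOT_X1), False, True)
OLD_ANDROID = Client("Android < 7.1.1", (DST_ROOT_X3,), True, False)
LEGACY = Client("legacy client, DST Root CA X3 only", (DST_ROOT_X3,), True, True)

TODAY = date(2021, 10, 1)   # the day after DST Root CA X3 expired


def find_issuer(cert, pool):
    """First certificate in pool whose subject names cert's issuer."""
    return next((c for c in pool if c.subject == cert.issuer), None)


def verify(chain, client, today=TODAY):
    """Walk from the leaf towards a trust anchor; return (ok, explanation)."""
    intermediates = list(chain[1:])
    cert = chain[0]
    path = [cert.subject]
    while True:
        if cert.not_after < today:
            return False, f"served cert {cert.subject!r} expired {cert.not_after}"
        from_store = find_issuer(cert, client.trust_store)
        from_chain = find_issuer(cert, intermediates)
        # Old OpenSSL follows the served chain as far as it goes; newer clients
        # jump to a trust anchor as soon as one matches the issuer name.
        if client.trusted_first and from_store is not None:
            issuer = from_store
        else:
            issuer = from_chain if from_chain is not None else from_store
        if issuer is None:
            return False, f"no issuer found for {cert.subject!r}"
        if issuer in client.trust_store:
            if client.checks_anchor_expiry and issuer.not_after < today:
                return False, f"trust anchor {issuer.subject!r} expired {issuer.not_after}"
            return True, " -> ".join(path) + f" -> [{issuer.subject} via {issuer.issuer}]"
        path.append(issuer.subject)
        cert = issuer


def report(today=TODAY):
    """Outcome of every (client, chain) pairing, keyed by (client name, chain label)."""
    results = {}
    for client in (MODERN, OPENSSL_102, OLD_ANDROID, LEGACY):
        for label, chain in (("long", LONG_CHAIN), ("short", SHORT_CHAIN)):
            results[(client.name, label)] = verify(chain, client, today)[0]
    return results


if __name__ == "__main__":
    for (client, label), ok in report().items():
        print(f"{'OK  ' if ok else 'FAIL'} {client:36} {label} chain")
```

Running it shows the shape of the problem: modern clients accept both chains, OpenSSL 1.0.2 accepts only the short chain (it follows the served cross-sign up to the expired DST Root CA X3 and rejects it), old Android accepts only the long chain (it has no ISRG Root X1 to finish the short one), and a legacy client with only the expired root in its store accepts neither, which is why such devices need an update rather than a server-side workaround. The real verifiers also check signatures, key identifiers and name constraints, so treat this as a map of the decision, not as a replacement for testing with actual clients.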
Originally published on September 21st and updated following the root certificate’s expiration.