Let’s Encrypt root certificate expiry causes issues for users

Many website owners with SSL certificates issued by Let’s Encrypt faced outages over the past few days. The cause is the expiry of the IdenTrust DST Root CA X3 root certificate, which cross-signed Let’s Encrypt’s own root. Although this root has been replaced by one called ISRG Root X1, many users are still encountering service issues, particularly business owners and their customers. Those worst hit include not only website owners running legacy servers and older devices, but also hosting companies that failed to update their software, leaving their customers and users without service.

What’s the issue? 

To understand the issue, it’s first necessary to understand what root certificates are and how the SSL certificate chain of trust works. In everyday terms, the chain of trust is how a web browser determines whether a website’s SSL certificate is trustworthy and was issued by a legitimate Certificate Authority (CA). When a legitimate CA issues your SSL certificate, it signs the certificate with its own key. Every signature in the chain should lead back to the CA’s root certificate, which identifies the CA and is what makes the signatures below it verifiable.

So, when a client (such as a web browser) assesses your SSL certificate, it checks the certificate and its signature chain against its trust store (also called the root store). The trust store is simply the collection of root certificates of all the CAs that the browser has been configured to trust. Beyond browsers, most devices and operating systems ship their own trust store too.

As you can imagine, when a root certificate expires, SSL certificates that chain up to that root will no longer be trusted by devices and web browsers that rely on it, rendering those certificates invalid. This means that secure HTTPS connections will fail.

Why isn’t everyone affected?

Current devices and systems regularly update their trust store, so they include the latest root certificates of the major CAs. Older devices and systems stop receiving updates after a certain point. These are the trust stores that contain IdenTrust DST Root CA X3 but not ISRG Root X1. Up until now, Let’s Encrypt certificates issued under ISRG Root X1 still worked on those older devices because ISRG Root X1 was also cross-signed by IdenTrust DST Root CA X3, so the chain could be completed through the older root. Now that the older root has expired, this is no longer the case, hence the outages.
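The following script is an added example, not part of the original article, that reproduces the chain-of-trust and cross-signing situation described above in a throwaway PKI. "Old Root" stands in for DST Root CA X3, "New Root" for ISRG Root X1, and every name, lifetime and file path in it is constructed; it needs only the openssl command-line tool and uses `-attime` to fast-forward the clock past the old root's expiry.

```shell
#!/bin/sh
# Added demo (not from the article): a throwaway PKI mirroring the situation described above.
# "Old Root" plays DST Root CA X3 (short-lived), "New Root" plays ISRG Root X1, and cross.pem
# is New Root's key cross-signed by Old Root. All names and lifetimes here are constructed.
set -e
command -v openssl >/dev/null || { echo "openssl CLI required" >&2; exit 1; }
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT; cd "$W"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext
for n in old new leaf; do
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$n.key" 2>/dev/null
  openssl req -new -key "$n.key" -subj "/CN=$n" -out "$n.csr" 2>/dev/null
done
# Old root: self-signed but valid for only 2 days, so a later -attime falls past its expiry.
openssl x509 -req -in old.csr -signkey old.key -days 2 -extfile ca.ext -out old.pem 2>/dev/null
# New root: self-signed and long-lived; this is what up-to-date trust stores contain.
openssl x509 -req -in new.csr -signkey new.key -days 3650 -extfile ca.ext -out new.pem 2>/dev/null
# Cross-sign: Old Root certifies New Root's public key, for clients that trust only Old Root.
openssl x509 -req -in new.csr -CA old.pem -CAkey old.key -CAcreateserial -days 3650 \
  -extfile ca.ext -out cross.pem 2>/dev/null
# Server (leaf) certificate issued under New Root's key.
openssl x509 -req -in leaf.csr -CA new.pem -CAkey new.key -CAcreateserial -days 90 \
  -extfile leaf.ext -out leaf.pem 2>/dev/null
NOW=$(date +%s)
LATER=$((NOW + 5 * 86400))   # 5 days on: Old Root has expired, every other cert is still valid

# verify_chain <trust-store pem> <epoch seconds>: exit 0 if leaf.pem chains to the given store
# at that instant, with the cross-signed cert offered as the untrusted intermediate (as a
# server would send it). Modern OpenSSL looks in the trust store before the untrusted certs;
# the 1.0.2 series mentioned in the article did not, which is why it tripped over the expiry.
verify_chain() {
  openssl verify -attime "$2" -CAfile "$1" -untrusted cross.pem leaf.pem >/dev/null 2>&1
}
report() {
  if verify_chain "$1" "$2"; then echo "store=$1 $3: OK"; else echo "store=$1 $3: FAILED"; fi
}
report old.pem "$NOW"   "before expiry"   # legacy store (Old Root only): still works today
report old.pem "$LATER" "after expiry"    # legacy store after expiry: the outage in the article
report new.pem "$LATER" "after expiry"    # store updated with New Root: unaffected
```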

How to fix the problem

Older systems need to be updated to include the new root certificate, something Let’s Encrypt warned users about well ahead of time. Despite this, many sites and services did not update in time. According to The Daily Swig, systems dependent on the now obsolete OpenSSL 1.0.2 were most affected, impacting sites and services such as AWS, Heroku, Microsoft Azure, Cisco Umbrella, OVH, DigitalOcean, Cloudflare Pages, Shopify, and Google Cloud Platform.

Wrap up

This isn’t the first time a CA’s root certificate expiry has caused issues for users, and it likely won’t be the last. One key takeaway is the importance of regularly updating systems, and of finding a workaround when a legacy system no longer updates automatically. Otherwise, organizations run the risk of losing SSL security across their sites and services whenever a relevant root certificate expires, affecting business owners and their users alike.
