On Thursday, September 30, at around 10 AM Eastern time, the IdenTrust DST Root CA X3 root certificate that Let’s Encrypt’s default chain had relied on expired, and reports of TLS failures from services and websites worldwide followed within hours.
Security researcher Scott Helme had already warned about the expiration of the IdenTrust DST Root CA X3 root that Let’s Encrypt had been cross-signed by. The expiry was scheduled for September 30, and he expected that after it, devices, web clients and computers that trust only that root would no longer be able to verify certificates issued by the Certificate Authority (CA).
Despite the advance warning, Helme confirmed post-expiry issues with InstaPage, Netify, Ledger, Cisco Umbrella, QuickBooks, Shopify, Fortinet, Google Cloud Monitoring, Azure Application Gateway, Xero, Rocket League, OVH, pfSense, Monday.com, Palo Alto, Heroku, Auth0, Cloudflare Pages and BlueCoat.
For the majority of users, nothing changes on September 30 or afterwards: modern clients already trust Let’s Encrypt’s own ISRG Root X1 and can build a chain to it. The clients that break are those that only trust the expired root, or that fail to find the alternative path to ISRG Root X1: embedded systems that do not update regularly, smartphones on outdated software, and likely older platforms such as macOS before 10.12.1 (2016), Windows XP before Service Pack 3, older PlayStation firmware, and anything linked against OpenSSL 1.0.2 or earlier. The OpenSSL case is the subtle one: ISRG Root X1 may well be in the trust store, but OpenSSL 1.0.2 follows the server-sent chain up through the cross-signed ISRG Root X1 to the expired DST Root CA X3 and reports an expired certificate instead of stopping at the trusted root.
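The path-building behaviour behind these failures, and the workarounds of removing DST Root CA X3 from the trust store or serving the alternate (short) chain, can be shown with a small model. The following is an added example, not code from the article or from Let’s Encrypt or OpenSSL: certificates are plain records with only a subject, an issuer and an expiry date, no signatures are checked, the leaf certificate `www.example.test` is constructed, and the "try the untrusted chain first, then fall back to a trusted certificate with the same subject" behaviour is a simplification of what the post-mortems attributed to OpenSSL 1.0.2, not a reimplementation of its code.

```python
"""
Added example (not from the article): a simplified model of X.509 path
building around the DST Root CA X3 expiry on 2021-09-30. Certificates are
plain records, not real X.509 objects; only name chaining and expiry are
modelled, no signatures. The leaf certificate is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime

    def expired(self, now):
        return now > self.not_after


def _utc(*ymd_hms):
    return datetime(*ymd_hms, tzinfo=timezone.utc)


# Real-world chain shape; expiry dates are the published ones (to the day).
DST_ROOT_X3 = Cert("DST Root CA X3", "DST Root CA X3", _utc(2021, 9, 30, 14, 1, 15))
ISRG_ROOT_X1 = Cert("ISRG Root X1", "ISRG Root X1", _utc(2035, 6, 4))
ISRG_X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", _utc(2024, 9, 30))  # cross-sign
R3 = Cert("R3", "ISRG Root X1", _utc(2025, 9, 15))
LEAF = Cert("www.example.test", "R3", _utc(2021, 12, 15))  # constructed leaf

LONG_CHAIN = [LEAF, R3, ISRG_X1_CROSS]  # Let's Encrypt's default chain in 2021
SHORT_CHAIN = [LEAF, R3]                # alternate chain, ends at ISRG Root X1

MODERN_STORE = [DST_ROOT_X3, ISRG_ROOT_X1]  # trust store holding both roots
PRUNED_STORE = [ISRG_ROOT_X1]               # DST Root CA X3 removed by the admin
ANCIENT_STORE = [DST_ROOT_X3]               # device that never received ISRG Root X1

NOW = _utc(2021, 9, 30, 16, 0)              # two hours after the root expired


def find_issuer(cert, pool):
    """First certificate in pool whose subject matches cert's issuer name."""
    return next((c for c in pool if c.subject == cert.issuer and c != cert), None)


def build_path(chain, trust_store, now, trusted_first):
    """
    Build a path from chain[0] to a trust anchor, then check expiry.

    trusted_first=False mimics the OpenSSL <= 1.0.2 default: extend the path
    with the server-sent (untrusted) certificates before consulting the trust
    store. trusted_first=True mimics OpenSSL >= 1.1.0 and most modern
    validators: consult the trust store first at every step, which finds the
    self-signed ISRG Root X1 before ever following the cross-sign.
    Returns (path_subjects, status) with status "ok" or an error string.
    """
    leaf, untrusted = chain[0], chain[1:]
    path, current = [leaf], leaf
    pools = (trust_store, untrusted) if trusted_first else (untrusted, trust_store)
    while current not in trust_store:
        nxt = next(filter(None, (find_issuer(current, p) for p in pools)), None)
        if nxt is None:
            # Simplified model of the old builder's last resort (assumption): if
            # the top of the path shares its subject with a trusted certificate,
            # swap the trusted one in. This is why deleting DST Root CA X3 from
            # the store rescues the long chain on such clients.
            swap = next((t for t in trust_store if t.subject == current.subject), None)
            if swap is None:
                return [c.subject for c in path], f"unable to get issuer for {current.subject}"
            path[-1] = swap
            break
        path.append(nxt)
        current = nxt
    subjects = [c.subject for c in path]
    expired = [c for c in path if c.expired(now)]
    if expired:
        return subjects, f"certificate has expired: {expired[0].subject}"
    return subjects, "ok"


def scenarios(now=NOW):
    """Run the cases discussed above and return {name: (path_subjects, status)}."""
    return {
        "openssl102_long_chain":  build_path(LONG_CHAIN, MODERN_STORE, now, trusted_first=False),
        "openssl102_dst_removed": build_path(LONG_CHAIN, PRUNED_STORE, now, trusted_first=False),
        "openssl102_short_chain": build_path(SHORT_CHAIN, MODERN_STORE, now, trusted_first=False),
        "modern_long_chain":      build_path(LONG_CHAIN, MODERN_STORE, now, trusted_first=True),
        "ancient_long_chain":     build_path(LONG_CHAIN, ANCIENT_STORE, now, trusted_first=False),
        "ancient_short_chain":    build_path(SHORT_CHAIN, ANCIENT_STORE, now, trusted_first=False),
    }


if __name__ == "__main__":
    for name, (path, status) in scenarios().items():
        print(f"{name:24s} {' -> '.join(path):68s} {status}")
```

Running it shows the three outcomes that matter: an OpenSSL 1.0.2-style client with both roots installed still ends its path at the expired DST Root CA X3 when served the long chain; the same client succeeds if DST Root CA X3 is deleted from its store or if the server sends the short chain; and a client that never received ISRG Root X1 fails either way, which is why no server-side change helps the oldest devices.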
“IT systems that enforce or monitor security policies can stop working. Alerting and reporting systems can fail. Or, if the processes that humans depend on to do our work stop functioning, often those people will find ‘workarounds’.”
Tim Callan, Digital Certificate Expert
One Windows IIS user reported his issue on Let’s Encrypt’s community forum. His cert chain looked like this: (my cert) -> (R3 ISRG Root X1 expiry 2025) -> (ISRG Root X1 expiry 2035). Many of his users, however, experienced SSL failures (most on iPhones). When he used an SSL checker tool to verify the current status of his SSL, he found: (My cert) -> (DST Root CA X3 expires tomorrow) -> (R3 DST Root CA X3 expired 3 hours ago).
If this is what you also see, he suggested this quick fix:
- Delete the old certs that were incorrectly picked by IIS in the chain.
- Remove Intermediate Cert Auth.
- Reboot the server (restarting IIS is not recommended).
- If you use a CDN, re-export the SSLs and install them.
Digital Shadows senior cyber threat analyst Sean Nikkel told ZDNet, “Some users have recommended settings allowing for expired certificates from trusted issuers; however, these can also have malicious uses. In any case, administrators should examine the best solution for them but also understand the risks to any workarounds. Alternatively, administrators can look at alternate trust paths by using the intermediate certificate that Let's Encrypt has set up or following suggested configurations from their May bulletin.”
Let’s Encrypt
Let’s Encrypt is a free, non-profit, open Certificate Authority (CA) operated by the Internet Security Research Group (ISRG), and one of the largest issuers of TLS certificates in the world. Its certificates let websites serve HTTPS (SSL/TLS), encrypting and authenticating the connection between your device and the site. Its stated goal is a more secure and privacy-respecting Web, which is why it issues its certificates free of charge.
Written by Aditya Chakurkar for The Infotech Report