Let’s Encrypt’s root certificate has expired : Your Site won’t work Properly in Chrome

Let’s Encrypt’s root certificate has expired : Your Site won’t work Properly in Chrome

To prevent your devices from breaking, you may have to upgrade to a newer version of Let’s Encrypt after this week’s expiration of its root certificate.

To ensure that no one can intercept and steal your data while it’s in transit, the nonprofit Let’s Encrypt creates certificates that encrypt connections between your devices and the wider internet. Let’s Encrypt is used by hundreds of thousands of websites all over the world alone. Let’s Encrypt’s current root certificate (the IdentTrust DST Root CA X3) was set to expire on September 30th, according to security researcher Scott Helme’s warning. Users will no longer be able to use any certificates that were issued by this certificate authority once their certificates have expired.

There is no need for concern for the vast majority of website users as everything will continue as usual on September 30. If you’re using an older device and the AddTrust External CA Root has expired, you may experience issues. As a result, services from Stripe, Red Hat, and Roku were all down.

There are many posts from today on community.letsencrypt.org for this topic.

From my side, I can confirm, that me personally, I also do own a chrome on windows 7 device and it’s broken , as of this moment. Meaning, when trying to access any website, which uses let’s encrypt certificates, a big red banner “not secure” is displayed instead by your web browser, preventing you from visiting all such sites. I do not have the device with me at this moment to doublecheck, but I did try other browsers few hours ago and it is a possibility, that all web browsers on windows 7 are broken , starting today. I saw some info in mass media from the past days, but none of them mentioned windows 7, they only mentioned windows xp gets broken.

If you are able to see this with your old device, without somehow working around a big red “not secure” banner shown by your browser, then I guess your old device is fine and not affected.

I am not sure, how many chrome on windows 7 people are still there in the world (it would certainly be nice to find some relatively reliable info on this, I did not find anything so far, dare I guess millions?). But I guess it is a no go for all of them to go and use, what was suggested already by Nils Hamerlinck. Also, chrome on windows 7 might be a big group I guess, but certainly not the only one affected.

aa) Are you aware of any other options to solve this, than what Nils Hamerlinck already suggested?

bb) Are you aware of any (reasonably reliable) info sources on which different devices/device groups are broken/affected?

cc) Are you aware of any (reasonably reliable) sources for guessing how many people are still actively using such devices?

Possible Solution

Edit:

For aa) – options to solve:

  • As mentioned by some sources (for example https://community.letsencrypt.org/t/help-thread-for-dst-root-ca-x3-expiration-september-2021/149190/537) , ‘if you are on windows 7, then use firefox instead of chrome’ might possibly be a solution for some people. (My layman guess is, that significant part of those up-to-40-million affected people might go this way in the long term.)
  • I did not check this myself yet, but some sites, for example this one https://docs.microsoft.com/en-us/answers/questions/202270/how-to-enable-the-34automatic-root-certificates-up.html , seem to suggest, that some ‘automatic root certificates update’ feature is supposed to exist on windows 7. I am not sure yet how it works, or how to turn it on. Might also be too complicated for a non-technical person, but I don’t know yet, I’ll try to check this later.
  • One version of the future is, that many people will just notice, like, ‘ah, this old device somehow got broken eventually’ , and will throw the old device away to trash. (Assuming, those do own some newer device as an alternative. Dare I say, that this might be the preferred version of the future for some stakeholders?)

For bb) – affected device groups:

  • There is one source from let’s encrypt on this, https://letsencrypt.org/docs/certificate-compatibility/ . On the windows 7 topic, it does say, that with ‘automatic root certificates update’ feature enabled is supposed to not be broken (I am not sure yet what to think about this).
  • There are some sights on apple support forum (for example https://discussions.apple.com/thread/253203934 ) . It might be, that, in addition to ‘chrome on windows 7’ group, devices with older macos versions might be another significant affected group.

For cc) – people count:

Leave a Reply

Your email address will not be published. Required fields are marked *