Many websites experienced issues this week following the expiration of a root certificate provided by Let's Encrypt, a free and open certificate authority (CA) used by millions of sites.
Let's Encrypt, which is part of the nonprofit Internet Security Research Group (ISRG), is a massive provider of HTTPS certificates: Last February, it issued its billionth certificate and announced it was serving nearly 192 million websites.
The IdenTrust DST Root CA X3 root expired on Sept. 30; from that point on, computers, devices, and clients such as Web browsers no longer trust certificate chains that anchor on it.
"If the root certificate that your certificate chain anchors on is expired then there's a good chance it's going to cause things to fail," writes Scott Helme, founder of Security Headers, in a Sept. 20 blog post warning of the issue. The same thing happened last May, he added, when the AddTrust External CA Root expired and caused problems for Roku, Stripe, and other organizations.
"Given the relative size difference between Let's Encrypt and AddTrust, I have a feeling that the IdenTrust root expiry has the potential to cause more problems," Helme says.
In most circumstances, a root CA expiration wouldn't generate a lot of conversation because the transition from an old root certificate to a new one is "completely transparent," Helme writes. The reason this expiry is causing problems is that some clients aren't regularly updated; when that's the case, the new root CA replacing the old one is never downloaded onto the device, so the device has nothing left to trust the chain against.
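To make that mechanism concrete, here is an added Go example (not code from the article, from Helme's post or from Let's Encrypt) that builds a constructed hierarchy with an old root that expired yesterday, a valid new root and one intermediate key cross-signed by both, then verifies the same server certificate as a client whose trust store was never updated and as one that has the new root. The names "Old Root", "New Root", "R3" and "example.test" are constructed placeholders, not real certificates.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// issue signs a certificate for cn valid over [from, to]; parent == nil makes it a self-signed root.
func issue(cn string, ca bool, from, to time.Time, key ed25519.PrivateKey, parent *x509.Certificate, pkey ed25519.PrivateKey) *x509.Certificate {
	sn, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	t := &x509.Certificate{SerialNumber: sn, Subject: pkix.Name{CommonName: cn}, NotBefore: from, NotAfter: to,
		IsCA: ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if ca {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else { // server certificate: bound to its hostname and limited to TLS server authentication
		t.DNSNames, t.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil { parent, pkey = t, key } // self-signed
	der, err := x509.CreateCertificate(rand.Reader, t, parent, key.Public(), pkey)
	if err != nil { panic(err) }
	c, _ := x509.ParseCertificate(der); return c
}
func newKey() ed25519.PrivateKey { _, k, _ := ed25519.GenerateKey(rand.Reader); return k }
// clientVerify plays a TLS client: roots is its trust store, served is what the server sent along with leaf.
func clientVerify(leaf *x509.Certificate, served, roots []*x509.Certificate) error {
	rp, ip := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots { rp.AddCert(r) }
	for _, c := range served { ip.AddCert(c) }
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: "example.test", Roots: rp, Intermediates: ip})
	return err
}
// Scenario builds a constructed hierarchy (not real Let's Encrypt material) and returns the verdicts of a stale
// client shown the old chain, a stale client shown the new chain, and an updated client shown the new chain.
func Scenario() (staleOldChain, staleNewChain, updatedNewChain error) {
	now, oldKey, newRootKey, interKey := time.Now(), newKey(), newKey(), newKey()
	oldRoot := issue("Old Root", true, now.AddDate(-20, 0, 0), now.AddDate(0, 0, -1), oldKey, nil, nil) // expired yesterday
	newRoot := issue("New Root", true, now.AddDate(-5, 0, 0), now.AddDate(20, 0, 0), newRootKey, nil, nil)
	interOld := issue("R3", true, now.AddDate(-1, 0, 0), now.AddDate(3, 0, 0), interKey, oldRoot, oldKey)
	interNew := issue("R3", true, now.AddDate(-1, 0, 0), now.AddDate(3, 0, 0), interKey, newRoot, newRootKey)
	leaf := issue("example.test", false, now.Add(-time.Hour), now.AddDate(0, 3, 0), newKey(), interNew, interKey)
	stale := []*x509.Certificate{oldRoot} // device that never received a trust-store update
	staleOldChain = clientVerify(leaf, []*x509.Certificate{interOld}, stale)
	staleNewChain = clientVerify(leaf, []*x509.Certificate{interNew}, stale)
	updatedNewChain = clientVerify(leaf, []*x509.Certificate{interNew}, []*x509.Certificate{oldRoot, newRoot}) // new root installed
	return
}
func main() { a, b, c := Scenario(); fmt.Printf("%v\n%v\n%v\n", a, b, c) }
```

The stale client fails either way: the old chain ends in an expired root, and the new chain ends in a root it has never heard of; only the client that received the new root verifies the unchanged server certificate.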
In his blog post, he lists clients that will break once IdenTrust DST Root CA X3 expires. These include versions of macOS older than 10.12.1, Windows versions older than XP Service Pack 3, iOS versions older than iOS 10, OpenSSL versions up to and including 1.0.2, and Firefox versions older than 50.
Helme told ZDNet that he had confirmed Palo Alto, Bluecoat, Cisco Umbrella, Google Cloud Monitoring, Auth0, Shopify, QuickBooks, and Fortinet were among the organizations experiencing issues following the expiration. In a tweet, Let's Encrypt advises those experiencing errors to check out the fixes in its community forum. It also notes it's seeing a higher-than-usual rate of renewals, so there might be a delay in getting your certificates.