Alert: Root Certificate is expiring

https://scotthelme.co.uk/lets-encrypt-old-root-expiration/
On 30th September 2021, the root certificate that Let's Encrypt are currently using, the IdenTrust DST Root CA X3 certificate, will expire. You may or may not need to do anything about this Root CA expiring, but I'm betting a few things will probably break on that day so here's what you need to know!

Anything that requires a secure connection to a particular server can stop working. Streaming platforms such as Netflix, Stan, Binge and 7plus require users to have this secure connection. It can also affect any website that requires a user to login, such as email inboxes and banking sites.
 
Does this mean we will know who uses the cheap free SSL? Lol after noticing; it’s gone.

Samer

This won't impact most users. It will only affect very old devices that don't know Let's Encrypt exists--devices that probably can't connect to websites like NamePros anyway.

From what I've seen, Let's Encrypt has some of the best security of any CA, which is somewhat ironic given that others often require payment. NamePros uses Let's Encrypt.
 
Thanks for drawing our attention to this @franka46 .

Quite apart from the impending expiry, and what that might or might not mean, the article is a good explanation of how security certificate systems work.

I am following the article's author on social media, and apparently there are some reports of failures happening. Undoubtedly more will be clear in a few hours.

Bob
 
Thanks for the clarification, Paul.

Turns out I was wrong: it did impact more users than expected due to flaws in the software that handles SSL/TLS on some devices, which is unfortunate.

SSL is not enough.

No single security measure is ever enough on its own. Security requires layers. :)

EV SSL (the “best” SSL)
OV SSL (the “second best” SSL)

This is debatable. There are situations in which they can be useful, but they don't affect the encryption that takes place when you visit a website--they're the same as DV in that regard.
 
Okay, great. Now test it with a 5 or 8 year old device.

I visited with a 10-year-old device but updated software. So I think I get your point. I don't use Windows 7 or Vista. If this is what you mean, yes I get your point.
 
I use debian

That's great, and I applaud you for using OSS. But also think of visitors using Kindles, Firesticks, embedded devices (kiosk software), smart thermostats with display, IoT devices, etcetera.
 
Plex not working anymore on your smart TV? This might be why

[...]

The issue appears to be a security certificate expiration. The culprit is likely the Let’s Encrypt’s DST Root CA X3 cross-signed certificate, which expired on September 30th. As noted by TechCrunch, Let’s Encrypt’s free certificates have been widely used across the internet since 2014, when the nonprofit began issuing free certificates for people to use. A whopping 380 million certificates had been issued as of 2018 across 129 million unique domains.

When Let’s Encrypt first started, they used the existing “DST Root CA X3” cross-signature on all their certificates. This ensured that older and current devices at the time immediately trusted those certs. Let’s Encrypt now relies on their own “ISRG Root X1” signature for all certificates.

The problem arises on older devices that still rely on only the CA X3 signature. Because that signature is now expired, devices like older smart TVs, older phones, and more will no longer establish secure connections.

How to fix it

Plex states that if your server is located on the same network as your TV, you won’t have any issues. However, if the server you’re connecting to is remote, you’ll need to change the Plex settings on your TV to allow for insecure connections. To do this, go to settings and find the “Advanced” section. Set “Allow Insecure Connections” to “Always” as seen below. This setting may appear under the “Main” section on a few older TVs.

https://www.xda-developers.com/plex-not-working-smart-tv-might-be-why/
 
Revisiting BetterTLS: Certificate Path Building
Netflix Technology Blog, Oct 14, 2021


https://netflixtechblog.com/revisiting-bettertls-certificate-path-building-4c978b79843f

From the article:

[...]

Even though that story is a year old and was well covered then, I’m retelling it here because a couple of weeks ago something kind of similar happened: a certificate for the Let’s Encrypt R3 CA expired (certificate 2 below) on September 30, 2021. This should have been fine; the Let’s Encrypt R3 entity also has a certificate signed by the ISRG Root X1 CA (3) which nowadays is trusted by most clients.

But predictably, even though it’s been a year since Ryan’s post, lots of services and clients had issues. You should read Scott Helme’s full post-mortem on the event to understand some of the contributing factors, but one big problem is that most TLS implementations still aren’t very good at path building. As a result, servers generally can’t send a complete collection of certificates down to clients (containing different possible paths to different trust anchors) which makes it hard to host a service that both old and new devices can talk to.
 
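The two quoted articles above describe the same mechanism from two sides: the Plex write-up explains that one intermediate key ("R3") carried two certificates, one cross-signed by the old DST root and one issued by ISRG Root X1, and the Netflix post explains that clients which cannot build an alternative path fail once the cross-signed certificate expires. The following Go program, added here as an illustration and not taken from either article or from Let's Encrypt, reproduces that situation with a constructed, self-generated hierarchy (the names "Constructed Old Root (DST-like)", "Constructed New Root (ISRG-like)", "Constructed R3" and "example.com", the dates, and the `verify`, `naiveVerify` and `Scenarios` functions are all assumptions of this example, not the real certificates). It compares Go's path-building verifier, which is handed every certificate the server sent, against a naive verifier that only walks the chain in the order it was sent.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func genKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// issue builds and signs a constructed certificate; parent == nil means a self-signed root.
func issue(cn string, isCA bool, from, to time.Time, key *ecdsa.PrivateKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))),
		Subject:      pkix.Name{CommonName: cn}, NotBefore: from, NotAfter: to,
		IsCA:         isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der))
}

// pki is a constructed stand-in for the hierarchy in the thread: one intermediate key ("R3") with
// two certificates, one from an old root that expires on 2021-09-30 and one from a newer root.
type pki struct {
	now                                      time.Time
	oldRoot, newRoot, r3ByOld, r3ByNew, leaf *x509.Certificate
}

func buildPKI() *pki {
	d := func(y, m, day int) time.Time { return time.Date(y, time.Month(m), day, 0, 0, 0, 0, time.UTC) }
	expiry := d(2021, 9, 30)
	oldKey, newKey, r3Key, leafKey := genKey(), genKey(), genKey(), genKey()
	p := &pki{now: d(2021, 10, 5)} // verification time: a few days after the expiry
	p.oldRoot = issue("Constructed Old Root (DST-like)", true, d(2000, 9, 30), expiry, oldKey, nil, nil)
	p.newRoot = issue("Constructed New Root (ISRG-like)", true, d(2015, 6, 4), d(2035, 6, 4), newKey, nil, nil)
	p.r3ByOld = issue("Constructed R3", true, d(2020, 10, 7), expiry, r3Key, p.oldRoot, oldKey) // the cross-sign
	p.r3ByNew = issue("Constructed R3", true, d(2020, 9, 4), d(2025, 9, 15), r3Key, p.newRoot, newKey)
	p.leaf = issue("example.com", false, d(2021, 9, 1), d(2021, 11, 30), leafKey, p.r3ByNew, r3Key)
	return p
}

// verify models a path-building client: every certificate the server sent goes into the
// intermediate pool and Go's verifier searches all candidate paths to a trusted root.
func verify(p *pki, roots, sent []*x509.Certificate) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(), CurrentTime: p.now, DNSName: "example.com"}
	for _, r := range roots {
		opts.Roots.AddCert(r)
	}
	for _, c := range sent {
		opts.Intermediates.AddCert(c)
	}
	_, err := p.leaf.Verify(opts)
	return err
}

// naiveVerify models a client that walks the chain only in the order the server sent it and
// never looks for an alternative path, which is the failure mode the quoted post describes.
func naiveVerify(p *pki, roots, chain []*x509.Certificate) error {
	for i, c := range chain {
		if p.now.Before(c.NotBefore) || p.now.After(c.NotAfter) {
			return fmt.Errorf("%q is expired or not yet valid", c.Subject.CommonName)
		}
		if i+1 < len(chain) && c.CheckSignatureFrom(chain[i+1]) != nil {
			return fmt.Errorf("%q is not signed by the next certificate sent", c.Subject.CommonName)
		}
	}
	last := chain[len(chain)-1]
	for _, r := range roots { // the last certificate sent must be signed by an unexpired trusted root
		if last.CheckSignatureFrom(r) == nil && p.now.Before(r.NotAfter) {
			return nil
		}
	}
	return fmt.Errorf("%q does not chain to a trusted, valid root", last.Subject.CommonName)
}

// Scenarios reports, per client type and per chain the server sends, whether verification succeeds.
func Scenarios() map[string]bool {
	p := buildPKI()
	oldRoots, newRoots, both := []*x509.Certificate{p.oldRoot}, []*x509.Certificate{p.newRoot}, []*x509.Certificate{p.oldRoot, p.newRoot}
	return map[string]bool{
		"new client (new root only), server sends R3 via new root": verify(p, newRoots, []*x509.Certificate{p.r3ByNew}) == nil,
		"old client (old root only), server sends R3 via old root": verify(p, oldRoots, []*x509.Certificate{p.r3ByOld}) == nil,
		"path-building client (both roots), server sends both R3s": verify(p, both, []*x509.Certificate{p.r3ByOld, p.r3ByNew}) == nil,
		"naive client (both roots), server sends expired R3 first": naiveVerify(p, both, []*x509.Certificate{p.leaf, p.r3ByOld}) == nil,
		"naive client (both roots), server sends R3 via new root":  naiveVerify(p, both, []*x509.Certificate{p.leaf, p.r3ByNew}) == nil,
	}
}

func main() {
	for name, ok := range Scenarios() {
		fmt.Printf("%-58s verified=%v\n", name, ok)
	}
}
```

Run it with `go run` on Go 1.18 or later. The third and fourth scenarios are the point: a client that trusts both roots still fails if its TLS stack stops at the first, expired cross-signed certificate, while a path-building verifier finds the route through the newer root. That is why a server operator's options after the expiry were to serve the chain ending in the still-valid intermediate, which the last scenario shows the naive client accepting, at the price of the old-root-only client in the second scenario.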
Let's Encrypt Root Expiration - Post-Mortem
Scott Helme, Oct 8, 2021

Well, the Internet Apocalypse came and went! Due to the recent expiration of the Let's Encrypt intermediate and root certificates, I saw more widespread issues than I was expecting, but on different devices and for different reasons than I thought. Let's take a look at what happened and why.

Read more:

https://scotthelme.co.uk/lets-encrypt-root-expiration-post-mortem/
 
I read the article and understood nothing.

Except bad stuff happening where everyone is not getting up to date with this.
 
Does this mean we will know who uses the cheap free SSL? Lol after noticing; it’s gone.

Samer
 
This won't impact most users. It will only affect very old devices that don't know Let's Encrypt exists--devices that probably can't connect to websites like NamePros anyway.

From what I've seen, Let's Encrypt has some of the best security of any CA, which is somewhat ironic given that others often require payment. NamePros uses Let's Encrypt.

Thanks for the clarification, Paul.

I’m not as technically savvy as you, but I know this day and age: SSL is not enough.
But it’s a start! I always assumed the ones who could afford to pay for “paid” SSL like

EV SSL (the “best” SSL)
OV SSL (the “second best” SSL)

DV SSL
Wildcard SSL

Thank you for taking time to answer.

Samer
 
My websites don't seem affected. I already know about it as I received an email about it.
Furthermore, Let's Encrypt certificates renew every 60 days via cron job. I mean, in theory, a website may not stay offline longer than 60 days when there is an issue on the SSL chain, which likely happens once every 20 years because the expired ones had a lifetime between 2000/2001 and 2021.
 
My websites don't seem affected. I already know about it as I received an email about it.
Furthermore, Let's Encrypt certificates renew every 60 days via cron job. I mean, in theory, a website may not stay offline longer than 60 days when there is an issue on the SSL chain, which likely happens once every 20 years because the expired ones had a lifetime between 2000/2001 and 2021.

It has to be correct at the server side *and* client side (your visitors).
 
I visited with a 10-year-old device but updated software. So I think I get your point. I don't use Windows 7 or Vista. If this is what you mean, yes I get your point.

Please try with (from the article)
  • PS4 game console with firmware >= 5.00
 