Let's Encrypt's Root Certificate is expiring!

'On 30th September 2021, the root certificate that Let's Encrypt are currently using, the IdentTrust DST Root CA X3 certificate, will expire. You may or may not need to do anything about this Root CA expiring, but I'm betting a few things will probably break on that day so here's what you need to know!'

-- source: https://scotthelme.co.uk/lets-encrypt-old-root-expiration/

Cheers, Peter
--
Peter Reutemann
Dept. of Computer Science
University of Waikato, NZ
+64 (7) 858-5174 (office)
+64 (7) 577-5304 (home office)
http://www.cms.waikato.ac.nz/~fracpete/
http://www.data-mining.co.nz/

On Tue, 21 Sep 2021 08:48:35 +1200, Peter Reutemann quoted:
'On 30th September 2021, the root certificate that Let's Encrypt are currently using, the IdentTrust DST Root CA X3 certificate, will expire.'
Checking the cert on my geek-central.gen.nz VPS, it was issued by a CA named “Internet Security Research Group” with a “Common Name” of “ISRG Root X1”. The CA cert validity goes from “Not Before Fri, 04 Sep 2020 00:00:00 GMT” to “Not After Mon, 15 Sep 2025 16:00:00 GMT”. Within Firefox itself, the installed CA cert for that same organization has a validity up to 4th June 2035. Ah, I see why the discrepancy: my server’s cert actually includes two levels of CA: the topmost one matches what’s in Firefox, while the other one (“R3”) is the next level down.

On Tue, 21 Sep 2021, at 9:33 AM, Lawrence D'Oliveiro wrote:
Ah, I see why the discrepancy: my server’s cert actually includes two levels of CA: the topmost one matches what’s in Firefox, while the other one (“R3”) is the next level down.
This is common for most (all?) CAs. If there is ever an issue with the security of the issuing certificate (e.g. the private key is compromised) then they can revoke the CA's issuer certificate without affecting their root certificate. You can bet the private keys of the root certificates are very secure (e.g. 100% offline). This article from LE explains it well https://letsencrypt.org/certificates/

--
Simon
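The check Lawrence did by hand above (which level of the chain expires when), scripted as an added example that is not part of this thread: given a PEM bundle such as the one a server sends or certbot's fullchain.pem, it lists each link with its issuer and notAfter date and flags any that have already expired. It assumes the openssl CLI is installed; the function names are mine.

```sh
#!/bin/sh
# Report every certificate in a PEM chain file (e.g. the chain a web
# server sends, saved from `openssl s_client -showcerts`, or the
# fullchain.pem that certbot writes): subject, issuer, notAfter and
# whether that link has already expired.  Needs the openssl CLI.

# Number of certificates in the bundle.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# "valid" or "EXPIRED" for a single PEM certificate; -checkend 0 asks
# openssl whether notAfter lies in the past (exit status 1 if so).
cert_status() {
    if openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo valid
    else
        echo EXPIRED
    fi
}

# Split the bundle into one file per certificate and describe each link
# in the order the file presents it (leaf first for a server chain).
chain_expiry() {
    file="$1"
    tmp=$(mktemp -d) || return 1
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", dir, n) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$file"
    i=0
    for c in "$tmp"/cert*.pem; do
        [ -f "$c" ] || continue
        i=$((i + 1))
        subject=$(openssl x509 -in "$c" -noout -subject | sed 's/^subject= *//')
        issuer=$(openssl x509 -in "$c" -noout -issuer | sed 's/^issuer= *//')
        notafter=$(openssl x509 -in "$c" -noout -enddate | sed 's/^notAfter=//')
        printf '%d: %s\n   issued by: %s\n   notAfter: %s (%s)\n' \
            "$i" "$subject" "$issuer" "$notafter" "$(cert_status "$c")"
    done
    rm -rf "$tmp"
}
```

Run it as `chain_expiry /etc/letsencrypt/live/example/fullchain.pem` (path assumed); an intermediate or cross-signed root reported as EXPIRED is the link that old clients will choke on even though the leaf itself is fine.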

On Tue, 21 Sep 2021 08:48:35 +1200, Peter Reutemann quoted:
'On 30th September 2021, ... the IdentTrust DST Root CA X3 certificate, will expire.'
A few hiccups here and there <https://www.theregister.com/2021/09/30/lets_encrypt_xero_slack_outages/>, in surprising places, such as Xero <https://www.nzherald.co.nz/business/xero-suffers-major-outage-slack-stuffs-up/D4CJTO724LRWM7BSQ7PFAJ3E5U/>. They claim the issue is “not related to any third-party provider”, yet they admit the cause was “when a certificate our systems required expired and some of our subsystems did not automatically trust the new certificate”. Where do they think trust in certificates comes from?
participants (3)
- Lawrence D'Oliveiro
- Peter Reutemann
- Simon Green