On Thursday next week, the old Let’s Encrypt (LE) root certificate will lose its validity. As a certificate authority (CA), LE confirms self-generated certificates from server operators. Applications on many types of clients – PCs, tablets, smartphones, Internet of Things devices – can establish a cryptographically secured connection, for example to access their own cloud server. This is mostly done via HTTPS, but also via TLS-secured mail protocols such as IMAP or SMTP.
Let’s Encrypt uses the intermediate certificate (Intermediate) R3 to sign customer certificates. The clients can check its validity with the DST Root CA X3 root certificate stored in their memory. The old intermediate R3 expires on 9/29/2021 at 7:21:40 PM (GMT), DST Root CA X3 just under a day later (9/30/2021 2:01:15 PM GMT). At this point at the latest, clients who only know the old root certificate can no longer verify server certificates and no longer establish a TLS-secured connection. In the case of Internet of Things devices, for example, it depends on their programming whether they will still work at all. That could be about Gadgets with an older OpenSSL library meet in the firmware.
Inkompatible Clients
Let’s Encrypt has introduced the new root certificate ISRG Root X1, but this is not stored in all clients. It is probably missing in older devices that have not received a firmware or software update for a long time. as Let’s Encrypt is known to be incompatible including Blackberry before 10.3.3, Android before 2.3.6, Nintendo 3DS, Sony PS3 and PS4 before firmware 5.00. Devices from Windows XP / SP3, Android from 7.1.1, macOS from 10.12.1, iOS from 10, Ubuntu from 16.04, Debian from Jessie and Java 7 from 7u151 and Java 8 from 8u141 should not have any problems. Firefox has had the new root certificate on board since version 50.
Server certificates signed by Let’s Encrypt should currently contain two paths: One ends with the root certificate ISRG Root X1, the other with the soon-to-be-expired DST Root CA X3.
If you want to make sure that your own server is correctly set up for the change, you can use the SSL Server Test of SSL Labs. In addition to its own server certificate, it shows under “Additional Certificates” which intermediate and root certificate it is signed with. Their expiration dates should be well after September 2021, currently mid-September 2025 (Intermediate R3) or the end of September 2024 (ISRG Root X1). When “Certification Paths” is expanded, two paths should appear: The first ends at ISRG Root X1, the second at the DST Root CA X3, which is about to expire. If the first path is missing, you should delete the old certificate and use the in Let’s Encrypt request a new one. Because of the comparatively short period of validity of the LE certificates of three months, this should not happen in practice.
(she)
