Security Experts:

Expired Let's Encrypt Root Certificate Causes Problems for Many Companies

A root certificate used by Let’s Encrypt expired on September 30 and, despite being notified a long time in advance, many companies experienced problems.

California-based non-profit certificate authority (CA) Let’s Encrypt has been operating since 2015 and it has issued billions of digital certificates for hundreds of millions of websites in an effort to make the internet safer.

When it first started issuing certificates, Let’s Encrypt cross-signed its own ISRG Root X1 certificate with an older root certificate, IdentTrust’s DST Root X3, to ensure that its certificates would be immediately trusted by nearly all devices.

Let’s Encrypt’s ISRG Root X1 certificate is now trusted by a majority of devices and the organization started notifying users nearly one year ago that the DST Root X3 certificate would expire on September 30, 2021.

Let’s Encrypt has been warning service providers and developers that they may need to take action to prevent any disruption after September 30, but it seems the expiration of the certificate still caused problems for many.

British security researcher Scott Helme predicted on September 20 that “a few things will probably break” and it seems he was right.

According to Helme, many major organizations appeared to experience some issues when the DST Root X3 certificate expired, including Bluecoat, Palo Alto Networks, Cisco, Catchpoint, Guardian Firewall, Monday.com, Cerb, OPNsense, Google Cloud, OVH, Auth0, Shopify, Xero, Fastly, Fortinet, Heroku, InstaPage, Cloudflare, MailGun, Facebook, Sophos, cPanel, AWS, and DigitalOcean. It’s worth noting that not all of these organizations have confirmed being impacted and in some cases the issues appeared to be related to the use of third-party services.

Helme said many companies restored affected services shortly after the issues emerged. However, devices running older operating systems that have not received updates for several years might continue to experience problems — if they haven’t received operating system updates, they also haven’t received new certificates, such as Let’s Encrypt’s ISRG Root X1.

Older devices that don’t trust ISRG Root X1 are likely getting certificate warnings when visiting websites that use Let’s Encrypt certificates.

Shortly after the root certificate expired, Let’s Encrypt reported seeing more certificate renewals than usual, and noted that it might take longer for customers to get their certificates. Users who experienced problems due to the expired certificate have been directed to Let’s Encrypt’s community forum.

Let's Encrypt warns of expired root certificate

Related: Let's Encrypt Will Not Replace 1 Million Bug-Affected Certificates

Related: Bug Forces Let's Encrypt to Revoke 3 Million Certificates

Related: Let’s Encrypt Warns Some Android Users of Compatibility Issues

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.