Expired Let’s Encrypt Root Certificate Causes Problems for Many Companies

A root certificate used by Let’s Encrypt expired on September 30 and, despite being notified a long time in advance, many companies experienced problems.

California-based non-profit certificate authority (CA) Let’s Encrypt has been operating since 2015 and it has issued billions of digital certificates for hundreds of millions of websites in an effort to make the internet safer.

When it first started issuing certificates, Let’s Encrypt cross-signed its own ISRG Root X1 certificate with an older root certificate, IdenTrust’s DST Root X3, to ensure that its certificates would be immediately trusted by nearly all devices.

Let’s Encrypt’s ISRG Root X1 certificate is now trusted by a majority of devices and the organization started notifying users nearly one year ago that the DST Root X3 certificate would expire on September 30, 2021.

Let’s Encrypt has been warning service providers and developers that they may need to take action to prevent any disruption after September 30, but it seems the expiration of the certificate still caused problems for many.

British security researcher Scott Helme predicted on September 20 that “a few things will probably break” and it seems he was right.

According to Helme, many major organizations appeared to experience some issues when the DST Root X3 certificate expired, including Bluecoat, Palo Alto Networks, Cisco, Catchpoint, Guardian Firewall, Monday.com, Cerb, OPNsense, Google Cloud, OVH, Auth0, Shopify, Xero, Fastly, Fortinet, Heroku, InstaPage, Cloudflare, MailGun, Facebook, Sophos, cPanel, AWS, and DigitalOcean. It’s worth noting that not all of these organizations have confirmed being impacted and in some cases the issues appeared to be related to the use of third-party services.

Helme said many companies restored affected services shortly after the issues emerged. However, devices running older operating systems that have not received updates for several years might continue to experience problems — if they haven’t received operating system updates, they also haven’t received new certificates, such as Let’s Encrypt’s ISRG Root X1.

Older devices that don’t trust ISRG Root X1 are likely getting certificate warnings when visiting websites that use Let’s Encrypt certificates.
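The trust-path behaviour described above can be reproduced with a simplified model. This is an added example, not code from Let’s Encrypt or from the article. It matches certificates by name only (no signature checks) and assumes the client enforces expiry on its trust anchors; apart from the DST Root X3 expiry date, all names and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime

def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)

# DST Root X3's expiry date is the one given in the article (time of day
# assumed 00:00 UTC). Every other name and date is constructed.
DST_X3 = Cert("DST Root X3", "DST Root X3", utc(2021, 9, 30))
ISRG_X1 = Cert("ISRG Root X1", "ISRG Root X1", utc(2035, 1, 1))
ISRG_X1_CROSS = Cert("ISRG Root X1", "DST Root X3", utc(2024, 1, 1))
INTERMEDIATE = Cert("Constructed Intermediate", "ISRG Root X1", utc(2025, 1, 1))
LEAF = Cert("example.test", "Constructed Intermediate", utc(2021, 12, 1))

SERVED = (INTERMEDIATE, ISRG_X1_CROSS)   # sent by the server with the leaf
UPDATED_CLIENT = (ISRG_X1, DST_X3)       # trust store that received updates
OLD_CLIENT = (DST_X3,)                   # trust store frozen before ISRG Root X1

def find_path(leaf, served, trust_store, now):
    """Return subjects from leaf to a trusted, unexpired root, or None."""
    pool = tuple(trust_store) + tuple(served)  # try trust anchors first

    def walk(cert, seen):
        if cert.not_after <= now:
            return None                  # expired certificates end this path
        if cert in trust_store:
            return [cert.subject]        # reached a trust anchor
        for cand in pool:
            if cand.subject == cert.issuer and cand not in seen:
                rest = walk(cand, seen | {cand})
                if rest is not None:
                    return [cert.subject] + rest
        return None

    return walk(leaf, frozenset({leaf}))

if __name__ == "__main__":
    for name, store in (("updated", UPDATED_CLIENT), ("old", OLD_CLIENT)):
        for when in (utc(2021, 9, 1), utc(2021, 10, 1)):
            print(name, when.date(), find_path(LEAF, SERVED, store, when))
```

The updated client validates through ISRG Root X1 on both dates, while the old client loses its only path once DST Root X3 has expired.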

Shortly after the root certificate expired, Let’s Encrypt reported seeing more certificate renewals than usual, and noted that it might take longer for customers to get their certificates. Users who experienced problems due to the expired certificate have been directed to Let’s Encrypt’s community forum.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
