SecurityWeek

Expired Let’s Encrypt Root Certificate Causes Problems for Many Companies

A root certificate used by Let’s Encrypt expired on September 30 and, despite being notified a long time in advance, many companies experienced problems.

California-based non-profit certificate authority (CA) Let’s Encrypt has been operating since 2015 and it has issued billions of digital certificates for hundreds of millions of websites in an effort to make the internet safer.

When it first started issuing certificates, Let’s Encrypt cross-signed its own ISRG Root X1 certificate with an older root certificate, IdenTrust’s DST Root X3, to ensure that its certificates would be immediately trusted by nearly all devices.

Let’s Encrypt’s ISRG Root X1 certificate is now trusted by a majority of devices and the organization started notifying users nearly one year ago that the DST Root X3 certificate would expire on September 30, 2021.

Let’s Encrypt has been warning service providers and developers that they may need to take action to prevent any disruption after September 30, but it seems the expiration of the certificate still caused problems for many.

British security researcher Scott Helme predicted on September 20 that “a few things will probably break” and it seems he was right.

According to Helme, many major organizations appeared to experience some issues when the DST Root X3 certificate expired, including Bluecoat, Palo Alto Networks, Cisco, Catchpoint, Guardian Firewall, Monday.com, Cerb, OPNsense, Google Cloud, OVH, Auth0, Shopify, Xero, Fastly, Fortinet, Heroku, InstaPage, Cloudflare, MailGun, Facebook, Sophos, cPanel, AWS, and DigitalOcean. It’s worth noting that not all of these organizations have confirmed being impacted and in some cases the issues appeared to be related to the use of third-party services.

Helme said many companies restored affected services shortly after the issues emerged. However, devices running older operating systems that have not received updates for several years might continue to experience problems — if they haven’t received operating system updates, they also haven’t received new certificates, such as Let’s Encrypt’s ISRG Root X1.

Older devices that don’t trust ISRG Root X1 are likely getting certificate warnings when visiting websites that use Let’s Encrypt certificates.
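
A trust store can be audited for the condition described above. The following is an added example, not code from the article or from Let’s Encrypt; it classifies the two roots in a store using Python's standard `ssl` module. The function names and the sample entries are assumptions made for illustration, and the sample dates are constructed apart from the September 30, 2021 expiry day.

```python
import ssl
import time

NEW_ROOT = "ISRG Root X1"
# Subject CN of the root the article calls "DST Root X3".
OLD_ROOT = "DST Root CA X3"

# Constructed sample entries in the dict shape ssl.SSLContext.get_ca_certs()
# returns. Times are illustrative; only the expiry day comes from the article.
SAMPLE_OLD = {"subject": ((("commonName", OLD_ROOT),),),
              "notAfter": "Sep 30 00:00:00 2021 GMT"}
SAMPLE_NEW = {"subject": ((("commonName", NEW_ROOT),),),
              "notAfter": "Jan  1 00:00:00 2035 GMT"}


def common_name(cert):
    """Return the subject commonName of a get_ca_certs()-style dict, or None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def root_status(ca_certs, name, now=None):
    """Classify a root in the store as 'missing', 'expired' or 'valid'."""
    now = time.time() if now is None else now
    matches = [c for c in ca_certs if common_name(c) == name]
    if not matches:
        return "missing"
    live = any(ssl.cert_time_to_seconds(c["notAfter"]) > now for c in matches)
    return "valid" if live else "expired"


def assess(ca_certs, now=None):
    """Flag stores that cannot anchor Let's Encrypt chains in ISRG Root X1."""
    new = root_status(ca_certs, NEW_ROOT, now)
    old = root_status(ca_certs, OLD_ROOT, now)
    return {"isrg_root_x1": new, "dst_root_x3": old, "at_risk": new != "valid"}


if __name__ == "__main__":
    # Audits the local default store; CAs that OpenSSL loads lazily from a
    # capath directory may not be listed here.
    print(assess(ssl.create_default_context().get_ca_certs()))
```

A store reported as `at_risk` matches the older devices described here: it holds no unexpired ISRG Root X1, so it needs a trust store update rather than a server-side change.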

Shortly after the root certificate expired, Let’s Encrypt reported seeing more certificate renewals than usual, and noted that it might take longer for customers to get their certificates. Users who experienced problems due to the expired certificate have been directed to Let’s Encrypt’s community forum.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
