
alert Root Certificate is expiring

https://scotthelme.co.uk/lets-encrypt-old-root-expiration/
On 30th September 2021, the root certificate that Let's Encrypt are currently using, the IdenTrust DST Root CA X3 certificate, will expire. You may or may not need to do anything about this Root CA expiring, but I'm betting a few things will probably break on that day so here's what you need to know!

Anything that requires a secure connection to a particular server can stop working. Streaming platforms such as Netflix, Stan, Binge and 7plus require users to have this secure connection. It can also affect any website that requires a user to log in, such as email inboxes and banking sites.
 
The views expressed on this page by users and staff are their own, not those of NamePros.
Plex not working anymore on your smart TV? This might be why

[...]

The issue appears to be a security certificate expiration. The culprit is likely Let’s Encrypt’s DST Root CA X3 cross-signed certificate, which expired on September 30th. As noted by TechCrunch, Let’s Encrypt’s free certificates have been widely used across the internet since 2014, when the nonprofit began issuing free certificates for people to use. A whopping 380 million certificates had been issued as of 2018 across 129 million unique domains.

When Let’s Encrypt first started, they used the existing “DST Root CA X3” cross-signature on all their certificates. This ensured that older and current devices at the time immediately trusted those certs. Let’s Encrypt now relies on their own “ISRG Root X1” signature for all certificates.

The problem arises on older devices that still rely on only the CA X3 signature. Because that signature is now expired, devices like older smart TVs, older phones, and more will no longer establish secure connections.

How to fix it

Plex states that if your server is located on the same network as your TV, you won’t have any issues. However, if the server you’re connecting to is remote, you’ll need to change the Plex settings on your TV to allow for insecure connections. To do this, go to settings and find the “Advanced” section. Set “Allow Insecure Connections” to “Always” as seen below. This setting may appear under the “Main” section on a few older TVs.

https://www.xda-developers.com/plex-not-working-smart-tv-might-be-why/
 
Revisiting BetterTLS: Certificate Path Building
Netflix Technology Blog, Oct 14, 2021


https://netflixtechblog.com/revisiting-bettertls-certificate-path-building-4c978b79843f

From the article:

[...]

Even though that story is a year old and was well covered then, I’m retelling it here because a couple of weeks ago something kind of similar happened: a certificate for the Let’s Encrypt R3 CA expired (certificate 2 below) on September 30, 2021. This should have been fine; the Let’s Encrypt R3 entity also has a certificate signed by the ISRG Root X1 CA (3) which nowadays is trusted by most clients.

But predictably, even though it’s been a year since Ryan’s post, lots of services and clients had issues. You should read Scott Helme’s full post-mortem on the event to understand some of the contributing factors, but one big problem is that most TLS implementations still aren’t very good at path building. As a result, servers generally can’t send a complete collection of certificates down to clients (containing different possible paths to different trust anchors) which makes it hard to host a service that both old and new devices can talk to.
 
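A minimal model of the path-building problem described in the Netflix post quoted above, added here as an illustration (not code from this thread, Netflix or Let's Encrypt): a client that commits to the first issuer certificate it finds fails once the DST-signed R3 certificate expires, while one that tries every candidate still reaches ISRG Root X1. The `Cert` class, the function names, the leaf name and every date except the 30 September 2021 expiry are assumptions, and no signatures are verified.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date

# Constructed model: only the 30 September 2021 expiry comes from the thread;
# the leaf name and the other dates are made up. No signatures are checked.
LEAF = Cert("example.test", "R3", date(2021, 12, 1))
R3_VIA_DST = Cert("R3", "DST Root CA X3", date(2021, 9, 30))  # expired cert
R3_VIA_ISRG = Cert("R3", "ISRG Root X1", date(2025, 1, 1))    # replacement
POOL = [R3_VIA_DST, R3_VIA_ISRG]

def valid(cert, today):
    return today <= cert.not_after

def naive_path(leaf, pool, anchors, today):
    """No backtracking: commit to the first certificate naming the issuer."""
    path, cur = [leaf], leaf
    while valid(cur, today):
        if cur.issuer in anchors:
            return path
        cur = next((c for c in pool if c.subject == cur.issuer), None)
        if cur is None or cur in path:
            return None
        path.append(cur)
    return None

def build_path(cert, pool, anchors, today, seen=()):
    """Depth-first path building: try every candidate, skip expired ones."""
    if cert in seen or not valid(cert, today):
        return None
    if cert.issuer in anchors:
        return [cert]
    for cand in (c for c in pool if c.subject == cert.issuer):
        rest = build_path(cand, pool, anchors, today, seen + (cert,))
        if rest:
            return [cert] + rest
    return None

if __name__ == "__main__":
    day = date(2021, 10, 1)
    for name, anchors in [("modern", {"DST Root CA X3", "ISRG Root X1"}),
                          ("legacy", {"DST Root CA X3"})]:
        print(name, "naive:", naive_path(LEAF, POOL, anchors, day) is not None,
              "path-building:", build_path(LEAF, POOL, anchors, day) is not None)
```
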
Let's Encrypt Root Expiration - Post-Mortem
Scott Helme, Oct 8, 2021

Well, the Internet Apocalypse came and went! Due to the recent expiration of the Let's Encrypt intermediate and root certificates, I saw more widespread issues than I was expecting, but on different devices and for different reasons than I thought. Let's take a look at what happened and why.

Read more:

https://scotthelme.co.uk/lets-encrypt-root-expiration-post-mortem/
 
I read the article and understood nothing.

Except bad stuff happening where everyone is not getting up to date with this.
 