alert Root Certificate is expiring

franka46

https://scotthelme.co.uk/lets-encrypt-old-root-expiration/
On 30th September 2021, the root certificate that Let's Encrypt are currently using, the IdenTrust DST Root CA X3 certificate, will expire. You may or may not need to do anything about this Root CA expiring, but I'm betting a few things will probably break on that day so here's what you need to know!

Anything that requires a secure connection to a particular server can stop working. Streaming platforms such as Netflix, Stan, Binge and 7plus require users to have this secure connection. It can also affect any website that requires a user to log in, such as email inboxes and banking sites.
 
Thanks for drawing our attention to this, @franka46.

Quite apart from the impending expiry, and what that might or might not mean, the article is a good explanation of how security certificate systems work.

I am following the article's author on social media, and apparently there are some reports of failures happening. Undoubtedly more will be clear in a few hours.

Bob
 

Samer

Does this mean we will know who uses the cheap free SSL? Lol after noticing; it’s gone.

Samer
 
Does this mean we will know who uses the cheap free SSL? Lol after noticing; it’s gone.

Samer

This won't impact most users. It will only affect very old devices that don't know Let's Encrypt exists--devices that probably can't connect to websites like NamePros anyway.

From what I've seen, Let's Encrypt has some of the best security of any CA, which is somewhat ironic given that others often require payment. NamePros uses Let's Encrypt.
 

Samer

This won't impact most users. It will only affect very old devices that don't know Let's Encrypt exists--devices that probably can't connect to websites like NamePros anyway.

From what I've seen, Let's Encrypt has some of the best security of any CA, which is somewhat ironic given that others often require payment. NamePros uses Let's Encrypt.

Thanks for the clarification, Paul.

I’m not as technically savvy as you, but I know that in this day and age SSL is not enough.
But it’s a start! I always assumed the ones who could afford to pay for “paid” SSL like

EV SSL (the “best” SSL)
OV SSL (the “second best” SSL)
DV SSL
Wildcard SSL

Thank you for taking time to answer.

Samer
 
Thanks for the clarification, Paul.

Turns out I was wrong: it did impact more users than expected due to flaws in the software that handles SSL/TLS on some devices, which is unfortunate.

SSL is not enough.

No single security measure is ever enough on its own. Security requires layers. :)

EV SSL (the “best” SSL)
OV SSL (the “second best” SSL)

This is debatable. There are situations in which they can be useful, but they don't affect the encryption that takes place when you visit a website--they're the same as DV in that regard.
 

poweredbyme

My websites don't seem affected. I already know about it as I received an email about it.
Furthermore, Let's Encrypt certificates renew every 60 days via cron job. I mean, in theory, a website may not stay offline longer than 60 days when there is an issue on the SSL chain, which likely happens once every 20 years because the expired ones had a lifetime between 2000/2001 - 2021.
 

Future Sensors

My websites don't seem affected. I already know about it as I received an email about it.
Furthermore, Let's Encrypt certificates renew every 60 days via cron job. I mean, in theory, a website may not stay offline longer than 60 days when there is an issue on the SSL chain, which likely happens once every 20 years because the expired ones had a lifetime between 2000/2001 - 2021.

It has to be correct at the server side *and* client side (your visitors).
 

poweredbyme

Okay, great. Now test it with a 5 or 8 year old device.

I visited with a 10-year-old device but with updated software. So I think I get your point. I don't use Windows 7 or Vista. If this is what you mean, yes, I get your point.
 

Future Sensors

I visited with a 10-year-old device but with updated software. So I think I get your point. I don't use Windows 7 or Vista. If this is what you mean, yes, I get your point.

Please try with (from the article)
  • PS4 game console with firmware >= 5.00
 

Future Sensors

I use Debian

That's great, and I applaud you for using OSS. But also think of visitors using Kindles, Firesticks, embedded devices (kiosk software), smart thermostats with display, IoT devices, etcetera.
 

poweredbyme

That's great, and I applaud you for using OSS. But also think of visitors using Kindles, Firesticks, embedded devices (kiosk software), smart thermostats with display, etcetera.

Those folks are probably less than 1%. Even Windows 8 is less than 1% as of now.
I don't bother with such a few percent. Eventually they will notice there is a problem with their devices and will look for a fix, and they will eventually find a solution.
 

poweredbyme

I have just checked traffic stats of my websites. There is no difference. Today and yesterday are similar to any other day. False alert.
 

poweredbyme

Client side issues are related to browsers.
This specific issue is related to how browsers react. This issue is not directly related to webservers or letsencrypt.
If browser developers make the necessary updates to fix such an expected problem, there will be no problem. In this case, it looks like all major browsers have already fixed an expected issue. This is what I see on my traffic stats. I don't see a problem.
 

Future Sensors

Client side issues are related to browsers.

No, TLS certificates can be used for securing email communications and a lot more than you are probably aware of.
 

poweredbyme

No, TLS certificates can be used for securing email communications and a lot more than you are probably aware of.

SSH clients will not be affected. FTP and email clients will be affected.
I do not know at this time if emails are working well, and I have almost no chance to know,
because there are dozens of mail clients running on the client side.
Server-side emails will also not be affected because most servers are on Linux and use the same software for sending/receiving mail.
 

poweredbyme

However, most people use free email providers such as Google, Yahoo, Hotmail, etc. They have to run mail servers. So once a server is involved, a mail client possibility is out.
 