Labeled as alert in Warnings and Alerts, started by franka46, Sep 29, 2021
An errata patch for LibreSSL has been released for OpenBSD 6.8 and
Compensate for the expiry of the DST Root X3 certificate. The use of an
unnecessary expired certificate in certificate chains can cause validation
OpenBSD 6.9 errata 018, September 30, 2021.
We are pleased to announce the availability of a new GnuPG LTS release: version 2.2.32. This release fixes a problem in GnuPG with the new Let's Encrypt root certificate and is thus required to restore access to many web resources (e.g. Web Key Directory and keyservers).
Plex not working anymore on your smart TV? This might be why
The issue appears to be a security certificate expiration. The culprit is likely Let’s Encrypt’s DST Root CA X3 cross-signed certificate, which expired on September 30th. As noted by TechCrunch, Let’s Encrypt’s free certificates have been widely used across the internet since 2014, when the nonprofit began issuing free certificates for people to use. A whopping 380 million certificates had been issued as of 2018 across 129 million unique domains.
When Let’s Encrypt first started, they used the existing “DST Root CA X3” cross-signature on all their certificates. This ensured that older and current devices at the time immediately trusted those certs. Let’s Encrypt now relies on their own “ISRG Root X1” signature for all certificates.
The problem arises on older devices that still rely on only the CA X3 signature. Because that signature is now expired, devices like older smart TVs, older phones, and more will no longer establish secure connections.
How to fix it
Plex states that if your server is located on the same network as your TV, you won’t have any issues. However, if the server you’re connecting to is remote, you’ll need to change the Plex settings on your TV to allow for insecure connections. To do this, go to settings and find the “Advanced” section. Set “Allow Insecure Connections” to “Always” as seen below. This setting may appear under the “Main” section on a few older TVs.
Revisiting BetterTLS: Certificate Path Building
Netflix Technology Blog, Oct 14, 2021
From the article:
Even though that story is a year old and was well covered then, I’m retelling it here because a couple of weeks ago something kind of similar happened: a certificate for the Let’s Encrypt R3 CA expired (certificate 2 below) on September 30, 2021. This should have been fine; the Let’s Encrypt R3 entity also has a certificate signed by the ISRG Root X1 CA (3) which nowadays is trusted by most clients.
But predictably, even though it’s been a year since Ryan’s post, lots of services and clients had issues. You should read Scott Helme’s full post-mortem on the event to understand some of the contributing factors, but one big problem is that most TLS implementations still aren’t very good at path building. As a result, servers generally can’t send a complete collection of certificates down to clients (containing different possible paths to different trust anchors) which makes it hard to host a service that both old and new devices can talk to.
Let's Encrypt Root Expiration - Post-Mortem
Scott Helme, Oct 8, 2021
Well, the Internet Apocalypse came and went! Due to the recent expiration of the Let's Encrypt intermediate and root certificates, I saw more widespread issues than I was expecting, but on different devices and for different reasons than I thought. Let's take a look at what happened and why.
I read the article and understood nothing.
Except bad stuff happening where everyone is not getting up to date with this.
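The path-building problem described in the Netflix excerpt, as an added example that is not part of the thread or the quoted articles. Certificates are modeled as name and expiry records only (no signature checks); the leaf name, every date other than the September 30, 2021 expiry, and the function names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:  # name/expiry model only; signatures are not verified here
    subject: str
    issuer: str
    not_after: datetime

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample data: two certificates for the same "R3" entity.
LEAF = Cert("example.test", "R3", utc(2021, 12, 1))
R3_VIA_DST = Cert("R3", "DST Root CA X3", utc(2021, 9, 30))   # expired copy
R3_VIA_ISRG = Cert("R3", "ISRG Root X1", utc(2025, 1, 1))     # still-valid copy
SERVER_SENT = [R3_VIA_DST, R3_VIA_ISRG]   # server sends both candidates
ANCHORS = {"ISRG Root X1"}                # client trust store (names only)
NOW = utc(2021, 10, 1)

def naive_chain(leaf, pool, anchors, now):
    """Follow the first issuer match only, then validate; never backtrack."""
    chain = [leaf]
    while chain[-1].issuer not in anchors:
        nxt = next((c for c in pool
                    if c.subject == chain[-1].issuer and c not in chain), None)
        if nxt is None:
            return None          # dead end, and no alternative is tried
        chain.append(nxt)
    return chain if all(c.not_after > now for c in chain) else None

def build_path(leaf, pool, anchors, now, chain=None):
    """Depth-first path building: reject expired certs, try every candidate."""
    chain = chain or [leaf]
    tip = chain[-1]
    if tip.not_after <= now:
        return None              # expired: abandon this branch
    if tip.issuer in anchors:
        return chain             # reached a trusted root
    for cand in pool:
        if cand.subject == tip.issuer and cand not in chain:
            found = build_path(leaf, pool, anchors, now, chain + [cand])
            if found:
                return found
    return None

if __name__ == "__main__":
    print("naive:", naive_chain(LEAF, SERVER_SENT, ANCHORS, NOW))
    print("path building:", [c.issuer for c in build_path(LEAF, SERVER_SENT, ANCHORS, NOW)])
```

The first-match client fails even though a valid path to a trusted root is present in what the server sent, which is why servers cannot safely send several alternative chains to such clients.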