Mailing List Archive

SSL rollover - Let's Encrypt etc
I meant to post this when it happened, and I think I forgot. :-}

The SSL Root cert that underlies Let's Encrypt's root expired on 30-Sept,
and the new root that underlies it is not in the Root Certificate Package of
some still pretty widely deployed OS versions, including OS/X <10.12.1.

Lots of people are getting their certs from Let's these days, including
Wikipedia.

So if you've gotten any reports from the field that people can't access
{websites,your websites} it's worth looking into whether this is why.

Tier 2/3 detail: https://scotthelme.co.uk/lets-encrypt-old-root-expiration/

Cheers,
-- jra

Replies, as always, to -discuss

--
Jay R. Ashworth Baylink jra@baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://www.bcp38.info 2000 Land Rover DII
St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274
_______________________________________________
Outages mailing list
Outages@outages.org
https://puck.nether.net/mailman/listinfo/outages
Re: SSL rollover - Let's Encrypt etc
It’s worth noting as well that this affects openssl 1.0.1 even if they
have the new root cert.

So curl on Debian 8, Debian 9, OSX 10.14.6 etc. will report SSL
certificate expired.

Browsers there will work, but APIs might fail.

I wrote about it a little here with a (per-server) workaround:
https://silvermou.se/letsencrypt-60-ssl-certificate-problem-certificate-has-expired/

> On 10 Oct 2021, at 16:52, Jay R. Ashworth via Outages wrote:
>
>> I meant to post this when it happened, and I think I forgot. :-}
>>
>> The SSL Root cert that underlies Let's Encrypt's root expired on 30-Sept,
>> and the new root that underlies it is not in the Root Certificate Package of
>> some still pretty widely deployed OS versions, including OS/X <10.12.1.
>>
>> Lots of people are getting their certs from Let's these days, including
>> Wikipedia.
>>
>> So if you've gotten any reports from the field that people can't access
>> {websites,your websites} it's worth looking into whether this is why.
>>
>> Tier 2/3 detail: https://scotthelme.co.uk/lets-encrypt-old-root-expiration/
>>
>> Cheers,
>> -- jra
>>
>> Replies, as always, to -discuss