SSL Root Certificates: Let's Encrypt Issue

We have detected an issue with Let's Encrypt CA trust, caused by a CA certificate (DST Root CA X3) that expired yesterday, 30/09/2021.

The issue is that clients wrongly reject correct, valid certificates as invalid: the CA these certificates chain to has now expired, and the client software was never updated to trust the new CA, so TLS connections now fail with these authentication errors. We have identified this as a problem with older client software such as curl, and with older versions of language runtimes such as PHP, whose trust stores do not include the new CA and which therefore fail to access services that use Let's Encrypt certificates.


Scope

Affected software versions

– OpenSSL <= 1.0.2

– Windows < XP SP3

– macOS < 10.12.1

– iOS < 10 (iPhone 5 is the lowest model that can get to iOS 10)

– Android < 7.1.1 (but versions >= 2.3.6 will still work if the server sends the ISRG Root X1 cross-signed chain)

– Mozilla Firefox < 50

– Ubuntu < 16.04

– Debian < 8

– Java 8 < 8u141

– Java 7 < 7u151

– NSS < 3.26

– CDNs such as Cloudflare

– Amazon FireOS (Silk Browser)


This affects not only end users and client applications, but also your own application when it acts as a client. For example, if your application runs on a system with a version below those listed above, such as a web server with OpenSSL 1.0.1, its outbound requests to any Let's Encrypt-backed service will fail.


Remediation

The full solution is to upgrade the client software stack so that it trusts the new root CA. As a stopgap, you can also work around the issue by modifying your software so that it does not verify the CA; keep in mind that this is an insecure practice and must be treated as a temporary measure, not left applied in a production environment longer than necessary.
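As an added diagnostic example (not code from the original post), the following script checks the two things an administrator can verify offline on a client machine before deciding whether to upgrade: whether the local OpenSSL version falls in the affected range listed above (<= 1.0.2), and whether the local PEM CA bundle contains the new root "ISRG Root X1" and still carries the expired "DST Root CA X3". The default bundle path is an assumption (the Debian/Ubuntu ca-certificates location); pass another path as the first argument on other systems.

```shell
#!/bin/sh
# Added diagnostic script (example code, not from the original post).
#   1. Is the local OpenSSL in the range the post lists as affected (<= 1.0.2)?
#   2. Does the local PEM CA bundle contain "ISRG Root X1", and does it
#      still carry the expired "DST Root CA X3"?
# The default bundle path below is an assumption (Debian/Ubuntu layout).

# Return 0 (affected) if the OpenSSL version string is <= 1.0.2, 1 if newer,
# 2 if the string cannot be parsed. Accepts "1.0.2k", "1.1.1n", "3.0.2", ...
openssl_affected() {
    nums=$(printf '%s' "$1" |
        sed -n 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$nums" ] || return 2
    set -- $nums                           # positional params are local here
    if [ "$1" -lt 1 ]; then return 0; fi   # 0.9.8 and older: affected
    if [ "$1" -gt 1 ]; then return 1; fi   # 3.x: not affected
    if [ "$2" -gt 0 ]; then return 1; fi   # 1.1.x: not affected
    [ "$3" -le 2 ]                         # 1.0.0 .. 1.0.2z: affected
}

# Print the subject line of every certificate in a PEM bundle, one per line.
# Needs the openssl CLI; works on concatenated bundles like ca-certificates.crt.
bundle_subjects() {
    bundle=$1
    [ -r "$bundle" ] || return 2
    nl='
'                                          # a literal newline for rebuilding blocks
    in_cert=0
    block=""
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            *"-----BEGIN CERTIFICATE-----"*) in_cert=1; block="" ;;
        esac
        if [ "$in_cert" -eq 1 ]; then
            block="$block$line$nl"
        fi
        case $line in
            *"-----END CERTIFICATE-----"*)
                printf '%s' "$block" | openssl x509 -noout -subject 2>/dev/null
                in_cert=0 ;;
        esac
    done < "$bundle"
}

# Return 0 if the bundle holds a certificate whose subject contains $2.
bundle_has_subject() {
    bundle_subjects "$1" | grep -q -- "$2"
}

# Human-readable report for the local machine.
report() {
    bundle=${1:-/etc/ssl/certs/ca-certificates.crt}   # assumed default path
    ver=$(openssl version 2>/dev/null | awk '{print $2}')
    if openssl_affected "$ver"; then
        echo "OpenSSL $ver: in the affected range (<= 1.0.2); upgrade the stack"
    else
        echo "OpenSSL ${ver:-unknown}: not in the affected range"
    fi
    if bundle_has_subject "$bundle" "ISRG Root X1"; then
        echo "$bundle: ISRG Root X1 present (new Let's Encrypt root is trusted)"
    else
        echo "$bundle: ISRG Root X1 missing; update the CA bundle (ca-certificates)"
    fi
    if bundle_has_subject "$bundle" "DST Root CA X3"; then
        echo "$bundle: DST Root CA X3 still present (expired 30/09/2021)"
    fi
}

# Usage: sh openssl_trust_check.sh [bundle.pem]
report "$@"
```

The version check encodes only the OpenSSL threshold from the list above; the other entries (Java, NSS, OS versions) are checked with their own tooling. The bundle scan relies on subject names, which is enough to tell whether the new root was ever installed, but it does not replace a real connection test against a Let's Encrypt-backed host once the trust store has been updated.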


Here’s more technical information about this issue:

https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
