sean Well this is both good and bad.

I set up one of my email accounts in Tbird, and it works! That's the good part.
The bad part is apparently I need to contact TheBat and tell them their client isn't accepting the certificate? And getting them to actually do something about it is like pulling teeth.

The other bad part is I might have to switch everything over to Tbird, which will be an unwanted (unnecessary) huge project.


    cbiweb yes, I'm afraid you'll need to contact your mail client provider to find out why their latest software isn't working with a valid SSL certificate.

      sean I had to add the certificate to TheBat myself. Job done, all is well. Thanks for the help! 🙂

        Hi,

        Last week this got a personal computer of mine that's using a fairly old operating system. Basically 1/2 of the Internet stopped working 😱, including my Opalstack sites that have https enabled.

        Long story short, I figured out a way to manually install and trust the ISRG Root X1 Root Certificate that Let's Encrypt now uses in place of the now-expired IdenTrust DST Root CA X3.

        sean Looks like this is related to the Let's Encrypt root cert expiry: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ - but we've already covered the bases for that. We're going over our setup now to find out where the problem is.

        I assume this root certificate switch is (at least partially) what you meant by this reply.


        The thing is, my OS https sites are going to continue to be broken for anyone that hasn't installed & trusted the "ISRG Root X1" cert.

        I was wondering if there is anything that can be done, server-side, to mitigate this, while still respecting the new LE root certificate.

        I did some research and found the following:

        https://community.letsencrypt.org/t/users-of-older-android-and-windows-7-not-able-to-access-website/161557/15

        https://poshac.me/docs/v4/Guides/Using-Alternate-Trust-Chains/#serving-the-alternate-chain-from-windows

        I don't know enough to know whether this applies to OS, and even if it does, if it's possible for you to implement. This seems to be for servers and not clients. But maybe I've misread it.

        What do you think @sean?

        Thanks!


          aa11 There's nothing we can do on our end to fix this. The LE root certificate is completely outside of our control.

          If your freely-provided LE certificates aren't working for your site visitors then you'll need to purchase an SSL certificate from a commercial provider and install that as a manual certificate.


            sean

            Understood.

            Those posts I linked to seem like good leads, since they provide instructions for using "Alternate Trust Chains". They don't have anything to do with controlling LE.

            The ACME protocol allows for a CA to offer alternate trust chains in order to accommodate the natural lifecycle of Root and Issuing certificates. As of this writing, the only public ACME CA that currently offers alternate trust chains is Let's Encrypt. But the instructions in this guide should work for any ACME CA.

            Let's Encrypt Options

            To understand why Let's Encrypt is offering multiple trust chains and why you as a site/service operator would choose one or the other, it is helpful to read the following posts [...]

            Via:
            https://poshac.me/docs/v4/Guides/Using-Alternate-Trust-Chains/#serving-the-alternate-chain-from-windows

            Just to make sure:
            Alternate trust chains are not something you're going to be offering on OS?

            Thanks.
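The two posts above (aa11's note about trusting ISRG Root X1 by hand, and the ACME "alternate trust chain" guide just quoted) describe the same trade-off from two sides. The following script is an added illustration, not code from this thread, from Opalstack, or from Let's Encrypt: it models a TLS client's path building over constructed certificate records (subject, issuer, expiry) and runs the default and alternate Let's Encrypt chains through several client profiles. The client behaviours (anchor-first validation, chain-following validation, Android's tolerance of expired roots) and the day-level expiry dates are assumptions written down from the public post-expiry reports, not parsed from real certificates.

```python
"""
Constructed model of how different TLS clients validated the two Let's
Encrypt chains after DST Root CA X3 expired (end of September 2021).
Added illustration: certificates are plain records, not real X.509, and
expiry dates are day-level approximations of the public values.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date  # constructed, day-level approximation

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


@dataclass(frozen=True)
class Client:
    """A trust store plus the two behaviours that decided the 2021 outcome."""
    roots: frozenset
    anchor_first: bool         # stop as soon as an issuer is a trusted root
    check_anchor_expiry: bool  # old Android skips expiry checks on its own roots


# Constructed certificate records (expiry dates approximate).
ISRG_X1_SELF = Cert("ISRG Root X1", "ISRG Root X1", date(2035, 6, 4))
ISRG_X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", date(2024, 9, 30))
DST_X3 = Cert("DST Root CA X3", "DST Root CA X3", date(2021, 9, 30))
R3 = Cert("R3", "ISRG Root X1", date(2025, 9, 15))
LEAF = Cert("example.test", "R3", date(2021, 12, 31))

# Default ("long") chain versus the ACME alternate ("short") chain.
CHAINS = {
    "default chain": [LEAF, R3, ISRG_X1_CROSS],
    "alternate chain": [LEAF, R3],
}

# Assumed client profiles (behaviour modelled, not measured).
CLIENTS = {
    "modern browser": Client(frozenset({ISRG_X1_SELF, DST_X3}), True, True),
    "old OS without ISRG Root X1": Client(frozenset({DST_X3}), True, True),
    "old OS after trusting ISRG Root X1": Client(frozenset({DST_X3, ISRG_X1_SELF}), True, True),
    "old Android (ignores root expiry)": Client(frozenset({DST_X3}), True, False),
    "chain-following client (legacy OpenSSL style)": Client(frozenset({DST_X3, ISRG_X1_SELF}), False, True),
}


def build_path(chain, client, today):
    """Walk from the leaf towards a trusted root; return (ok, reason)."""
    roots = {c.subject: c for c in client.roots}
    # Intermediates the server sent; a served self-signed root is ignored,
    # since it is only useful if the client already has it in its store.
    served = {c.subject: c for c in chain[1:] if not c.self_signed}
    cert = chain[0]
    for _ in range(8):  # bound the walk; real chains are short
        if cert.not_after < today:
            return False, f"{cert.subject} expired"
        issuer = cert.issuer
        # Anchor-first validators jump to their own copy of a trusted root as
        # soon as one matches the issuer; chain-followers only do so when the
        # server sent nothing else under that name.
        if issuer in roots and (client.anchor_first or issuer not in served):
            anchor = roots[issuer]
            if client.check_anchor_expiry and anchor.not_after < today:
                return False, f"trust anchor {anchor.subject} expired"
            return True, f"anchored at {anchor.subject}"
        if issuer in served:
            cert = served[issuer]
            continue
        return False, f"no trusted issuer for {cert.subject}"
    return False, "path too long"


def outcomes(today=date(2021, 10, 5)):
    """Matrix of (client, chain) -> whether validation succeeds."""
    return {
        (cname, chname): build_path(chain, client, today)[0]
        for cname, client in CLIENTS.items()
        for chname, chain in CHAINS.items()
    }


if __name__ == "__main__":
    for (cname, chname), ok in sorted(outcomes().items()):
        print(f"{'OK  ' if ok else 'FAIL'} {cname:47s} {chname}")
```

Run it and the matrix shows why server-side choices only move the problem around: the alternate chain rescues chain-following clients that hold ISRG Root X1, but it breaks old Android, and a client whose store has only DST Root CA X3 fails on both chains until ISRG Root X1 is added to its trust store, which is exactly the manual fix described earlier in the thread.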


              aa11 I don't think that's a viable option for us but I'll check with our sysadmins and will follow up here when I have more info.

                sean I don't think that's a viable option for us but I'll check with our sysadmins and will follow up here when I have more info.

                Yeah, I figured it would be tricky on a shared system.

                Thank you!!

                  a month later

                  aa11 sean I don't think that's a viable option for us but I'll check with our sysadmins and will follow up here when I have more info.

                  Any updates on this?

                  Thanks.


                    aa11 our LE implementation uses certbot which doesn't support the use of the alternate chain, so that's not an option for us.


                      sean our LE implementation uses certbot which doesn't support the use of the alternate chain, so that's not an option for us.

                      Ok, thanks.

                      So the only other options would be:

                      1. Manually set up LE for my sites and use that alternate chain (as explained in those links).

                        • Is that possible on OS?
                      2. Purchase some non-LE certificate for each site and install it.

                      ?

                      Thanks.


                        aa11 if you can find and install some ACME client other than certbot that is capable of using the alternate chain then you're free to try to use it to issue a certificate manually. I can't think of any reason why it would not be possible.

                        The easier option would be to purchase a certificate from some other SSL provider.

                        FWIW we've had no other reports of problems related to this issue and I don't believe it warrants much concern.


                          sean if you can find and install some ACME client other than certbot that is capable of using the alternate chain then you're free to try to use it to issue a certificate manually. I can't think of any reason why it would not be possible.

                          👍🏻

                          The easier option would be to purchase a certificate from some other SSL provider.

                          👍🏻

                          FWIW we've had no other reports of problems related to this issue and I don't believe it warrants much concern.

                          Thanks for that information. Good to know.

                          I agree. It only affects users with fairly old operating systems that predate the creation of ISRG Root X1 (it was created in 2015).

                          Thanks again.
