One of Let’s Encrypt’s Root Certificates expired today (and its corresponding intermediate yesterday); how is your infrastructure doing?
Posted by jpluimers on 2021/09/30
Last weekend I published “5 days before the Let’s Encrypt’s Root Certificate is expiring!”.
It basically was a post trying to amplify the [Wayback/Archive.is] “Let’s Encrypt’s Root Certificate is expiring!” message by [Wayback] Scott Helme.
Yesterday and today, he is maintaining a Twitter thread on things that have broken.
Quite a few things have, including some versions of curl, on which a lot of infrastructure relies (the certificate for it got fixed later on 20210930), see:
- [Archive.is] Scott Helme on Twitter: “Yeah that’s reasonable, we’ve not had a notable certificate chain expiry issue like this to speak of really.… “
- [Archive.is] Daniel 🥌 Stenberg on Twitter: “the Mozilla CA cert bundle on curl.se now has the expired ‘DST Root CA X3’ cert removed: …”
- [Wayback/Archive.is] curl – Extract CA Certs from Mozilla:
  “This bundle was generated at Thu Sep 30 03:12:05 2021 GMT.”
- [Archive.is] Daniel 🥌 Stenberg on Twitter: “The order is restored and https://libssh2.org/ is again served by a good cert. Sorry for the minor disruption.”
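The curl.se bundle above was regenerated without the expired “DST Root CA X3”; the same question can be asked of the trust store a Python client on your own machine uses. This is an added example, not code from the original post or from the curl project. The sample entries are constructed (only the DST Root CA X3 name and expiry date come from this page), and the optional argument is the path to any PEM bundle you want to audit.

```python
import ssl
import time

def load_anchors(cafile=None):
    """Return trust anchors as dicts, from a PEM bundle or the default store."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs()
    # Certificates in a hashed capath directory are loaded lazily and are
    # not listed here; pass a bundle file as cafile to audit those.
    return ctx.get_ca_certs()

def common_name(cert):
    """Pull the CN (falling back to O) out of a getpeercert-style subject."""
    attrs = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    return attrs.get("commonName") or attrs.get("organizationName", "?")

def audit(anchors, now=None, warn_days=30):
    """List (name, notAfter, status) for expired or soon-expiring anchors."""
    now = time.time() if now is None else now
    findings = []
    for cert in anchors:
        left = ssl.cert_time_to_seconds(cert["notAfter"]) - now
        if left <= 0:
            findings.append((common_name(cert), cert["notAfter"], "expired"))
        elif left <= warn_days * 86400:
            findings.append((common_name(cert), cert["notAfter"], "expiring"))
    return findings

# Constructed sample in the shape get_ca_certs() returns. The first entry
# uses the name and expiry quoted on this page; the second is made up.
SAMPLE = [
    {"subject": ((("commonName", "DST Root CA X3"),),),
     "notAfter": "Sep 30 14:01:15 2021 GMT"},
    {"subject": ((("commonName", "Example Root CA"),),),
     "notAfter": "Dec 31 23:59:59 2035 GMT"},
]

if __name__ == "__main__":
    import sys
    anchors = load_anchors(sys.argv[1] if len(sys.argv) > 1 else None)
    for name, not_after, status in audit(anchors):
        print(f"{status:9} {not_after}  {name}")
```

Run without arguments it audits the default store of the Python/OpenSSL installation; an empty result means no loaded anchor is expired or within 30 days of expiry.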
Two important starting points in his thread:
- [Archive.is] Scott Helme on Twitter: “🚨🚨🚨 5 minutes until the Let’s Encrypt R3 intermediate expires 🚨🚨🚨 29 September 2021 19:21:40 UTC”
- [Archive.is] Scott Helme on Twitter: “🚨🚨🚨 30 minute warning 🚨🚨🚨 IdentTrust DST Root CA X3 Expires: Sep 30 14:01:15 2021 UTC… “
If you want to check from one of your own clients, try [Archive.is] Scott Helme on Twitter: “I’ve created a test site to help identify issues with clients. If you can connect to https://t.co/bXHsnlRk8D then your client can handle being served the expired R3 Intermediate in the server chain!… “
[Wayback/Archive.is] https://expired-r3-test.scotthelme.co.uk/
Note that neither SSL Labs, nor Censys, nor CertCheckerApp shows the expired certificate, only the new one:
- [Wayback/Archive.is] SSL Server Test: pluimers.com (Powered by Qualys SSL Labs)
- [Wayback/Archive.is] CN=pluimers.com – Censys
- [Wayback/Archive.is] CertCheckerApp Certificate Checker: pluimers.com
Yes, I know the pluimers.com web server is rated B from a TLS perspective. Will be working on it, but I’m still recovering from rectum cancer treatments, and have an almost 1.5 year backlog to get through.
–jeroen