Summary
Certificate trust relies on the issuing "root" certificate (and any intermediate certificates) being trusted by the client computer.
The root certificate issues an intermediate certificate, which in turn issues end-entity certificates such as the one for your website or mail server. This is called a chain of trust. Your certificate (called a leaf or end-entity certificate) is validated by following this chain up to a trusted root.
On September 30th, 2021, Let's Encrypt's previous root certificate, DST Root CA X3, expired, together with the R3 intermediate certificate that was signed by it. They have been replaced by the ISRG Root X1 root certificate and a replacement R3 intermediate signed by ISRG Root X1.
Possible issues
In some cases, the expiry of the root (and of the R3 intermediate signed by it) causes certificates to be considered untrusted or invalid. If the server still sends the old chain, the fix is to make it serve the correct chain (the R3 intermediate signed by ISRG Root X1). In other cases the server is fine and the issue is with the client computer's trust store.
Solutions
Server
If you have a version older than IceWarp Deep Castle Gen 2 Update 1 Build 2 (13.0.1.2), you need to upgrade to this version first, delete the existing certificate, and finally create a new one.
This version changed how the certificate chain for Let's Encrypt certificates is composed, so that it chains to the new ISRG Root X1 root certificate.
If you already have Deep Castle Gen 2 Update 1 Build 2 (13.0.1.2) and are still experiencing issues, the certificate was most likely created in a previous version: delete the existing certificate and create a new one.
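To confirm what the server actually sends after the upgrade, save the presented chain (for example with openssl s_client -connect mail.example.test:443 -servername mail.example.test -showcerts, copying the BEGIN/END CERTIFICATE blocks into a file) and audit it. The script below is an added example for this article, not IceWarp code: it splits a PEM bundle, extracts subject, issuer and notAfter from each certificate with a minimal DER walker (standard library only), and reports any expired link or any intermediate whose subject does not match the previous certificate's issuer. The two sample chains, the host name mail.example.test and the expiry dates are constructed for the demo; the old chain mimics a server that still sends the R3 cross-signed by DST Root CA X3, the new chain a server that sends R3 signed by ISRG Root X1.

```python
"""Audit a PEM chain (e.g. saved from `openssl s_client -showcerts`) for expired or
unlinked certificates. Standard library only: a minimal DER walker pulls subject CN,
issuer CN and notAfter out of each certificate. Added example for this article, not
IceWarp code; host name, dates and certificates below are constructed."""
import base64
import re
from datetime import datetime, timezone

OID_CN = b"\x55\x04\x03"  # id-at-commonName (2.5.4.3)
_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body):  # yield (tag, value) for each element of a SEQUENCE/SET body
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        yield tag, value

def _common_name(name):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { OID, value }; return the CN value."""
    for _, rdn in _children(name):
        for _, atv in _children(rdn):
            (_, oid), (_, value) = list(_children(atv))
            if oid == OID_CN:
                return value.decode()
    return "?"

def _time(tag, value):
    """Decode UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    text = value.decode()
    if tag == 0x17:  # RFC 5280: two-digit years 50-99 mean 19xx, 00-49 mean 20xx
        yy = int(text[:2])
        text = str(1900 + yy if yy >= 50 else 2000 + yy) + text[2:]
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_cert(der):
    """Return subject CN, issuer CN and notAfter of one DER-encoded certificate."""
    _, cert, _ = _read_tlv(der, 0)   # Certificate ::= SEQUENCE { tbsCertificate, alg, sig }
    _, tbs, _ = _read_tlv(cert, 0)
    f = list(_children(tbs))
    i = 1 if f[0][0] == 0xA0 else 0  # skip the EXPLICIT [0] version field when present
    # f[i]=serial, f[i+1]=signature alg, f[i+2]=issuer, f[i+3]=validity, f[i+4]=subject
    na_tag, na_val = list(_children(f[i + 3][1]))[1]
    return {"subject": _common_name(f[i + 4][1]), "issuer": _common_name(f[i + 2][1]),
            "not_after": _time(na_tag, na_val)}

def audit_chain(pem_text, now):
    """Parse every certificate in the bundle (leaf first). Returns (ok, entries); ok is
    False if any certificate has expired or an issuer does not match the next subject."""
    entries = []
    for blob in _PEM_RE.findall(pem_text):
        cert = parse_cert(base64.b64decode("".join(blob.split())))
        cert["expired"] = cert["not_after"] <= now
        entries.append(cert)
    linked = all(a["issuer"] == b["subject"] for a, b in zip(entries, entries[1:]))
    return linked and not any(c["expired"] for c in entries), entries

# ---- constructed sample data: a tiny DER encoder builds unsigned dummy certificates ----
def _tlv(tag, body):
    n = len(body)
    ln = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + ln + body

def _name(cn):
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, OID_CN) + _tlv(0x0C, cn.encode()))))

def make_pem(subject, issuer, not_after_utctime):
    """Constructed X.509 cert; algorithm, key and signature are placeholders, since
    audit_chain() only looks at the names and the validity period."""
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2A864886F70D01010B")) + _tlv(0x05, b""))
    validity = _tlv(0x30, _tlv(0x17, b"200101000000Z") + _tlv(0x17, not_after_utctime.encode()))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg + _name(issuer)
               + validity + _name(subject) + _tlv(0x30, alg + _tlv(0x03, b"\x00\x00")))
    b64 = base64.b64encode(_tlv(0x30, tbs + alg + _tlv(0x03, b"\x00\x00"))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# A server that was not regenerated still sends leaf <- R3 cross-signed by DST Root CA X3;
# the correct chain is leaf <- R3 signed by ISRG Root X1. Host name and dates are constructed.
OLD_CHAIN = (make_pem("mail.example.test", "R3", "211201000000Z")
             + make_pem("R3", "DST Root CA X3", "210929192140Z"))
NEW_CHAIN = (make_pem("mail.example.test", "R3", "211201000000Z")
             + make_pem("R3", "ISRG Root X1", "250915160000Z"))
CHECK_DATE = datetime(2021, 10, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, chain in (("old chain", OLD_CHAIN), ("new chain", NEW_CHAIN)):
        ok, entries = audit_chain(chain, CHECK_DATE)
        print(f"{label}: {'OK' if ok else 'BROKEN'}")
        for c in entries:
            print(f"  {c['subject']} <- {c['issuer']}  notAfter={c['not_after']:%Y-%m-%d}  expired={c['expired']}")
```

Against a real capture, call audit_chain(open("chain.pem").read(), datetime.now(timezone.utc)): a server fixed as described above reports its R3 entry with issuer ISRG Root X1 and no expired entries, while a server still sending the old chain shows the R3 entry with issuer DST Root CA X3 flagged as expired. The script checks only names and dates, not signatures, so it is a diagnostic for which chain is being served, not a substitute for the client's full validation.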
Clients
If your site works for most devices but not for some, the problem is with those clients' trust store (their list of trusted root certificates), which does not yet contain ISRG Root X1.
Windows PC
On Windows PCs, simply browsing to a website with a browser that uses the Windows certificate store (Chrome, Edge, etc.) updates the client trust store with the required root certificate, because Windows fetches missing trusted roots automatically. Browsing to https://valid-isrgrootx1.letsencrypt.org/ will prompt Windows to add ISRG Root X1 to its trust store.
macOS
Some operating systems keep using the cached, expired R3 > DST Root CA X3 chain even after your server has stopped serving it. Try restarting the affected client device.
Mobile devices (iOS & Android)
Keep the OS on mobile devices up to date; the update brings ISRG Root X1 into the device's trust store, and there is no server-side fix for devices that lack it.
Other considerations
If you do not want to re-create the Let's Encrypt certificate, you can instead use an existing certificate from a different provider or purchase a new one from a commercial CA such as Sectigo, DigiCert, GeoTrust, or Thawte.
Whichever certificate you use, keep the operating system's CA root certificate bundle up to date; it is updated together with OS updates.