
Let’s Encrypt’s Root Certificate is expiring
On 30th September 2021, the older root certificate that Let’s Encrypt’s chain currently relies on, the IdenTrust DST Root CA X3 certificate, will expire.
You shouldn’t have to do anything, but here’s what you need to know.
What is Let’s Encrypt?
You can learn more about Let’s Encrypt in our other blog post, What is Let’s Encrypt?
What’s happening?
Essentially, all SSL certificates that enable secure HTTPS are issued by a certificate authority (CA), a trusted organisation recognised by your device/OS, and all SSL certificates have an expiry date.
The certificate that is going to expire is the IdenTrust DST Root CA X3 root certificate.
Let’s Encrypt has a “root certificate” called ISRG Root X1. Modern browsers and devices trust the Let’s Encrypt certificate installed on your website because they include ISRG Root X1 in their list of root certificates. To make sure the certificates it issues are trusted on older devices, Let’s Encrypt also has a “cross-signature” from an older root certificate: DST Root CA X3.
When Let’s Encrypt got started, that older root certificate (DST Root CA X3) helped them get off the ground and be trusted by almost every device immediately. The newer root certificate (ISRG Root X1) is now widely trusted too – but some older devices won’t ever trust it because they don’t get software updates (for example, an iPhone 4 or an HTC Dream). Let’s Encrypt publishes a list of which platforms trust ISRG Root X1.
DST Root CA X3 will expire on September 30, 2021. That means those older devices that don’t trust ISRG Root X1 will start getting certificate warnings when visiting sites that use Let’s Encrypt certificates.
You may see SSL errors similar to this:
What do I need to do?
You shouldn’t have to do anything, and your device/OS should update automatically. However, if this does not work, you should try rebooting the device.
Solutions
Servers
Windows Servers with IIS or other services that use the Windows trust store
- To diagnose a chain issue for your server, scan one of your web server’s domains with a chain checker.
- If your chain still contains the expired R3 after its expiry, reboot your server to clear cached chains.
- If the chain issue persists, re-request your certificate in Certify The Web to force a binding refresh, or choose Certificate > Advanced > Actions > Re-apply Certificate To Bindings.
Apache, Nginx, etc (on Windows or Linux)
Verify the VHOST is configured to use your certificate together with its private key and its chain. These services will work without pointing to a chain file, but in the case of the expired R3 your clients will then try to resolve R3 themselves (because you haven’t given it to them) and may resolve it to the old (expired) one.
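The two server checks above (is the chain complete, and is it still the R3 issued by DST Root CA X3?) can be run locally against the output of `openssl s_client -showcerts`. The script below is an added example written for this post; it is not code from the post or from Certify The Web. It assumes the OpenSSL "Certificate chain" listing format (both the older `/CN=` and newer `CN = ` DN styles), uses the 30 September 2021 expiry date given above, and the sample outputs and hostname embedded in it are constructed for illustration.

```python
import re
import sys
from datetime import date

# Names as OpenSSL prints them; the DST Root CA X3 expiry date is the one given in the post.
DST_ROOT = "DST Root CA X3"
ISRG_ROOT = "ISRG Root X1"
DST_ROOT_EXPIRY = date(2021, 9, 30)

# "openssl s_client -showcerts" lists each certificate the server sent as
#    N s:<subject DN>
#      i:<issuer DN>
# Older OpenSSL prints DNs as "/C=US/CN=R3", newer as "C = US, CN = R3"; both are accepted.
_SUBJECT = re.compile(r"^\s*(\d+)\s+s:(.*)$")
_ISSUER = re.compile(r"^\s*i:(.*)$")
_CN = re.compile(r"CN\s*=\s*([^,/]+)")


def common_name(dn):
    """Pull the CN out of a DN string; fall back to the whole DN if there is none."""
    m = _CN.search(dn)
    return m.group(1).strip() if m else dn.strip()


def parse_chain(s_client_output):
    """Return [(subject CN, issuer CN), ...] in the order the server sent the certificates."""
    chain, subject = [], None
    for line in s_client_output.splitlines():
        m = _SUBJECT.match(line)
        if m:
            subject = common_name(m.group(2))
            continue
        m = _ISSUER.match(line)
        if m and subject is not None:
            chain.append((subject, common_name(m.group(1))))
            subject = None
    return chain


def diagnose(chain, today=None):
    """Classify the presented chain and return (status, [findings])."""
    today = today or date.today()
    dst_expired = today > DST_ROOT_EXPIRY
    if not chain:
        return "no-chain", ["no certificates found in the s_client output"]
    leaf_issuer = chain[0][1]
    if len(chain) == 1:
        return "incomplete", [
            "only the leaf was sent; clients must locate the '%s' intermediate themselves "
            "and may pick a cached, expired copy" % leaf_issuer]
    # Before the switch to ISRG Root X1, R3 was signed directly by DST Root CA X3,
    # and that copy of R3 expired along with the root.
    if ("R3", DST_ROOT) in chain:
        return "broken", [
            "R3 in this chain is the copy issued by DST Root CA X3"
            + (" and is expired" if dst_expired else "")
            + "; re-request the certificate or refresh the binding to get R3 issued by ISRG Root X1"]
    # The current default ("long") chain ends with ISRG Root X1 cross-signed by DST Root CA X3.
    if (ISRG_ROOT, DST_ROOT) in chain:
        return "long-chain", [
            "ISRG Root X1 cross-signed by DST Root CA X3 is included; clients that trust "
            "ISRG Root X1 stop there, clients that do not "
            + ("will reject the expired DST Root CA X3" if dst_expired
               else "will fail once DST Root CA X3 expires")]
    return "short-chain", [
        "chain ends at ISRG Root X1; only clients with ISRG Root X1 in their trust store can validate it"]


# Constructed sample in OpenSSL 1.1.1 output style: the long chain a Let's Encrypt server
# sends by default after the switch (the hostname is a placeholder).
SAMPLE_LONG_CHAIN = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.test
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
"""

# Constructed sample of the older chain (old DN style): R3 signed directly by DST Root CA X3.
SAMPLE_LEGACY_CHAIN = """\
Certificate chain
 0 s:/CN=www.example.test
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
"""


def main():
    # Pipe in:  openssl s_client -connect host:443 -servername host -showcerts </dev/null
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LONG_CHAIN
    status, findings = diagnose(parse_chain(text))
    print("status:", status)
    for finding in findings:
        print(" -", finding)


if __name__ == "__main__":
    main()
```

Run it as `openssl s_client -connect yourhost:443 -servername yourhost -showcerts </dev/null 2>/dev/null | python3 check_chain.py`; a "broken" result is the cached or stale R3 the post tells you to clear with a reboot or a re-applied binding, and "incomplete" is the missing chain file described for Apache and Nginx.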
Clients (web browsers)
If your website or email is working for most devices but not for some, the problem is with the end user’s trust store (their list of trusted root certificates) on their device/OS. Try rebooting the device.
Windows PCs
On Windows PCs, simply browsing to https://valid-isrgrootx1.letsencrypt.org/ should prompt Windows to include ISRG Root X1 in its trust store automatically.
If this doesn’t work, you can delete the expired certificate manually:
- Press the Windows or Start button, then type “MMC” into the run box. This will launch Microsoft Management Console.
- Select File, then Add/Remove Snap-In
- Select “Certificates” from the field on the left, then click Add.
- On the next window, choose “Computer Account,” then select “Local Computer,” then click OK.
- In MMC, select the arrow beside “Certificates (Local Computer)”; this will reveal the certificate stores.
- Select the arrow beside the Root Certificate you would like to remove/disable, then click the “Certificates” folder.
- Find the certificate you’re trying to delete in the list, right-click it and choose “Properties.”
- Select “Disable all purposes for this certificate,” click Apply.
- Now, just restart your machine.
The certificate to disable is the DST Root CA X3 root used by Let’s Encrypt (and its R3 intermediate).
macOS, iOS, etc
Some operating systems hold onto the expired R3 > DST Root CA X3 chain even if your server is no longer using it. Try a reboot of the affected end-user client device.
For older macOS not updated by Apple:
- Download http://x1.i.lencr.org/ (the ISRG Root X1 certificate).
- Open the Keychain Access app and drag that file into the System keychain of that app.
- Find the ISRG Root X1 certificate in System and double-click it, open the Trust menu and change “Use System Defaults” to “Always Trust”, then close that window and enter your password to confirm the change (if prompted).