At the end of September 2021, the IdenTrust DST Root CA X3 root certificate that Let's Encrypt relied on expired. As a result, owners of gadgets and computers running operating systems released more than five years ago cannot reach many sites and instead get a warning that the connection is unsafe.
The event affected users of Windows, Linux, Apple products, MacBook laptops, Android smartphones and tablets, and some other devices.
Let's Encrypt is one of the most popular certificate authorities because it issues SSL certificates for free. You can install them yourself in the hosting control panel in a couple of clicks, and this does not require any action on the part of the certificate authority. The whole procedure happens automatically.
Below you will learn the causes of the event and how to solve this problem on your device.
What is an SSL certificate?
An SSL certificate is what enables a secure communication protocol, thanks to which the personal data of a web resource's customers is hidden from third parties.
Most sites on the world wide web have an SSL/TLS security certificate. This means that all data is transmitted via the secure https protocol. This is especially important for web resources through which financial transactions take place (online stores, digital service providers, bank websites).
Whether a site has a certificate can be seen at the beginning of the address bar, next to the domain name.
A gray lock indicates that the site is protected; a red triangle warns of the absence of a certificate. If there is no protection, any personal data of the visitor (phone, mail, card number) can be stolen by fraudsters.
You can read more about what an SSL certificate is in our blog.
What happened on September 30?
All operating systems come with their own trusted certificate databases. When a new version is released, the database is also updated. When the client visits the site, the system first checks whether the installed SSL security certificate is up-to-date and whether it can be trusted.
At the dawn of its existence (in 2012), Let's Encrypt provided a common IdenTrust certificate for use, which is trusted by all popular OSes.
At the same time, the company was developing its own ISRG Root X1 certificate, which went into effect 5 years ago. Since then, the two have existed in parallel, with the expectation that the IdenTrust certificate would be retired once the new certificate was trusted by all OSes.
This is a normal practice because root certificates change very rarely and it takes a long time to implement a new one.
On September 30, Let's Encrypt finally switched to the self-developed ISRG Root X1 certificate, which will be valid until 2035. Owners of new gadgets did not even notice the transition, but many sites saw a drop in traffic because owners of devices with older versions of the systems could not reach them.
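The trust-store check described above can be sketched as follows; this is an added example, not code from the original article or from Let's Encrypt. The two sample stores are constructed, and the names `diagnose` and `common_name` are hypothetical.

```python
import ssl
import time

OLD_ROOT = "DST Root CA X3"  # IdenTrust root that expired
NEW_ROOT = "ISRG Root X1"    # Let's Encrypt's own root

# Constructed sample stores in the dict shape returned by
# ssl.SSLContext.get_ca_certs(); only the fields used below are filled in.
OLD_DEVICE_STORE = [
    {"subject": ((("commonName", OLD_ROOT),),),
     "notAfter": "Sep 30 14:01:15 2021 GMT"},
]
UPDATED_STORE = OLD_DEVICE_STORE + [
    {"subject": ((("commonName", NEW_ROOT),),),
     "notAfter": "Jun  4 11:04:38 2035 GMT"},
]
AFTER_SWITCH = ssl.cert_time_to_seconds("Oct  1 00:00:00 2021 GMT")


def common_name(cert):
    """Return the subject commonName of one trust-store entry, or None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def diagnose(store, now=None):
    """Classify a trust store by which of the two roots it can still use."""
    now = time.time() if now is None else now
    present = {common_name(c) for c in store}
    valid = {common_name(c) for c in store
             if ssl.cert_time_to_seconds(c["notAfter"]) > now}
    if NEW_ROOT in valid:
        return "ok"
    if OLD_ROOT in valid:
        return "old root only: works until it expires"
    if OLD_ROOT in present:
        return "affected: only the expired root is present"
    return "affected: neither root is present"


if __name__ == "__main__":
    print("old device:", diagnose(OLD_DEVICE_STORE, AFTER_SWITCH))
    print("updated   :", diagnose(UPDATED_STORE, AFTER_SWITCH))
    # Roots in a capath directory are loaded lazily and may not be listed here.
    system = ssl.create_default_context().get_ca_certs()
    print("this host :", diagnose(system))
```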
How to solve the problem?
Users will have to troubleshoot manually. There are recommendations for owners of various gadgets and operating systems, and many tutorials on installing certificates have already appeared on the Internet.
There are several ways to restore access to sites:
Install a more current version of the OS or update the existing one.
Install the ISRG Root X1 certificate yourself from the official Let's Encrypt site. (How to do this - look for guides specifically for your system).
Use the latest releases of the Firefox browser, because it has its own store of trusted certificates. Not everyone will be able to do this, though, since new releases of the browser themselves require newer Android firmware.
The update made both site visitors and webmasters nervous. However, the latter can do little on their part: now everything depends on the client's actions. The only step you can take on your site is to buy a paid SSL certificate instead of using the free one. But this is not necessary, since after a period of turbulence the situation will settle down and return to normal.