Why do sites with free Let's Encrypt SSL certificates stop working?

The DST Root CA X3 root certificate expired on September 30, 2021. This root certificate was used for the correct operation of the free Let's Encrypt SSL certificates, which are installed on about 250 million sites around the world.

What is the essence of the problem

The problem is that unlike SSL certificates, which can be obtained per hosting+domain and renewed as needed, root certificates are stored on users' devices, such as smartphones, laptops, desktops, game consoles, etc. and the renewal of root certificates occurs together with the update of the software version installed on the device, at the time of updating the firmware, operating system, etc.

What does it all mean?

If you have installed a free SSL certificate from Let's Encrypt, some users who visit your site from outdated devices that have not received software updates and root certificates for a long time may receive a notification from the browser that the connection to the site is not protected, as in images below

Below is a list of devices and operating systems that are considered outdated and may have problems displaying sites. This list is not complete and may include many more devices and systems.

— Windows XP, 7 (including some versions 8.1 and 10, which have not received updates for a long time)

— MacOS versions below 10.12.1

— iOS version below 10

— Android versions below 2.3.6

- Ubuntu versions below 16.04

- Debian versions below 8

— PS consoles with firmware version below 5.00

- Mozilla Firefox browser version below 2.0

What can be done in this situation

— The fastest and easiest option is to install a paid SSL certificate from any trusted certification center on the site . This option will fully restore the website for all its visitors.

— Install a new ISRG Root X1 root certificate on the computer. The visitor on whose computer this procedure will be performed will be able to access the site. Instructions on how to do this are available below, in the example, the installation of the certificate on the Windows 10 OS is considered, on all other devices the actions will be similar.

— Switch to a newer version of the operating system, install the latest OS and related software updates, update the browser version, etc.

Installing a new root certificate

Download the ISRG Root X1 root certificate in *.der format from the Let's Encrypt site at https://letsencrypt.org/certificates

Open the downloaded file and click Install Certificate...

In the Storage Location section, choose where to install the certificate, in our case it will be Current User and click Next

On the next page, select Place all certificates in this store and click Browse...

In the window that opens, select the Trusted Root Certification Authorities folder and click OK

Click the button Next ? Finish ? Receive a notification about the successful import of the certificate