Today, September 30, the IdenTrust root certificate DST Root CA X3 expired. This certificate was used to cross-sign the root certificate of Let's Encrypt (ISRG Root X1), a community-controlled certificate authority that provides certificates free of charge to everyone.
The cross-signature ensured that Let's Encrypt certificates were trusted on a wide range of devices, operating systems and browsers while Let's Encrypt's own root certificate was still being added to root certificate stores.
It was originally planned that after DST Root CA X3 expired, the Let's Encrypt project would switch to issuing certificates signed only under its own root. Such a step, however, would lose compatibility with many old systems that do not have that root. In particular, around 30% of Android devices in use do not have the Let's Encrypt root certificate, support for which appeared only in the Android 7.1.1 platform, released at the end of 2016.
Let's Encrypt did not plan to enter into a new cross-signing agreement, as this imposes additional responsibility on the parties to the agreement, deprives them of independence and ties their hands by requiring compliance with all the procedures and rules of another certificate authority.
But because of the potential problems on a large number of Android devices, the plan was revised. A new agreement was signed with the IdenTrust certificate authority, under which an alternative cross-signed Let's Encrypt intermediate certificate was created. The cross-signature will be valid for three years and keeps compatibility with Android devices from version 2.3.6.
However, the new intermediate certificate does not cover many other legacy systems. After the DST Root CA X3 certificate expires (today, September 30), Let's Encrypt certificates will no longer be accepted on unsupported firmware and operating systems; to restore trust in Let's Encrypt certificates there, the ISRG Root X1 certificate has to be added manually to the root certificate store. The problems will show up in:
- OpenSSL up to and including the 1.0.2 branch (maintenance of the 1.0.2 branch ended in December 2019)
- NSS < 3.26
- Java 8 < 8u141, Java 7 < 7u151
- macOS < 10.12.1
- iOS < 10 (iPhone < 5)
- Android < 2.3.6
- Mozilla Firefox < 50
- Ubuntu < 16.04
- Debian < 8
In the case of OpenSSL 1.0.2, the problem is caused by a bug that prevents correct handling of cross-signed certificates when one of the root certificates involved in the signing expires, even though other valid chains of trust remain available.
The problem first surfaced last year after the expiration of the AddTrust certificate used for cross-signing certificates of the Sectigo (Comodo) certificate authority. The heart of the problem is that OpenSSL 1.0.2 treats the certificates as a single linear chain, whereas according to RFC 4158 the certificates can form a directed graph with several trust anchors, all of which need to be taken into account.
Users of older distributions based on OpenSSL 1.0.2 are offered three ways to solve the problem:
- Manually remove the IdenTrust DST Root CA X3 root certificate and install the standalone ISRG Root X1 root certificate (without the cross-signature).
- Specify the "-trusted_first" option when running the openssl verify and s_client commands.
- Use a certificate on the server whose chain ends at the standalone, non-cross-signed ISRG Root X1 root certificate (Let's Encrypt offers an option to request such a certificate). This method loses compatibility with old Android clients.
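To make the chain-building difference concrete, here is an added toy model of the situations above; it is not OpenSSL's code, the certificate dates are constructed approximations, and it simplifies the real 1.0.2 algorithm to the one point that matters here: presented certificates are consumed before the trust store is consulted, and alternative chains are tried only when no anchor is reached at all.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:  # toy X.509 model (added example, not OpenSSL's code)
    subject: str
    issuer: str
    not_after: date

TODAY = date(2021, 9, 30)
# Constructed approximation of the Let's Encrypt chain on that day: the
# cross-signed ISRG Root X1 outlives the DST Root CA X3 root that signed it.
ISRG_X1 = Cert("ISRG Root X1", "ISRG Root X1", date(2035, 6, 4))
DST_X3 = Cert("DST Root CA X3", "DST Root CA X3", date(2021, 9, 30))
ISRG_X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", date(2024, 9, 30))
R3 = Cert("R3", "ISRG Root X1", date(2025, 9, 15))
LEAF = Cert("www.example.org", "R3", date(2021, 12, 29))
DEFAULT_CHAIN = [LEAF, R3, ISRG_X1_CROSS]  # what the server sends by default
ALTERNATE_CHAIN = [LEAF, R3]               # chain ending at ISRG Root X1 only
OLD_STORE = {c.subject: c for c in (DST_X3, ISRG_X1)}  # typical distro store
FIXED_STORE = {ISRG_X1.subject: ISRG_X1}                # DST Root CA X3 removed

def build_chain(presented, store, trusted_first):
    """Return a chain from the leaf to a trust anchor, or None. With
    trusted_first=False (the OpenSSL 1.0.2 default) presented certs are used
    first and alternatives tried only if no anchor is reached, so an expired
    anchor still ends the chain; trusted_first=True stops at the first store hit."""
    chain = [presented[0]]
    untrusted = {c.subject: c for c in presented[1:]}
    while True:
        issuer = chain[-1].issuer
        if issuer in store and (trusted_first or issuer not in untrusted):
            return chain + [store[issuer]]
        nxt = untrusted.get(issuer)
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    while len(chain) > 1:  # alternative chains: drop presented certs from the top
        chain.pop()
        if chain[-1].issuer in store:
            return chain + [store[chain[-1].issuer]]
    return None

def verify(presented, store, trusted_first=False):
    """Mimic 'openssl verify': 'OK' or the first error with its depth."""
    chain = build_chain(presented, store, trusted_first)
    if chain is None:
        return "unable to get issuer certificate"
    for depth, c in enumerate(chain):
        if c.not_after <= TODAY:  # notAfter on or before today: expired
            return f"certificate has expired at depth {depth} ({c.subject})"
    return "OK"
```

With the default store and default chain the model reports the expired DST Root CA X3 at depth 3; each of the three remedies (trusted_first=True, FIXED_STORE, or ALTERNATE_CHAIN) yields "OK".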
In addition, the Let's Encrypt project has passed the milestone of two billion certificates issued. The one billion milestone was reached in February of last year. Every day 2.2-2.4 million new certificates are issued. The number of active certificates is 192 million (a certificate is valid for three months), covering around 260 million domains (a year ago 195 million domains were covered, two years ago 150 million, three years ago 60 million).
According to statistics from the Firefox Telemetry service, the global share of page requests over HTTPS is 82% (one year ago 81%, two years ago 77%, three years ago 69%, four years ago 58%).